Users Versus Hackers: Which Are Worse?
It’s 5 p.m. on a Friday, and you’re the lead security engineer for the headquarters site of a major corporation. Just as you’re getting ready to ease out the door for the weekend, the phone rings and there’s a frantic voice on the other end of the line. It’s one of the managers from your financial department, and it seems that someone has accessed the payroll records of a number of higher-ranking executives within the company and attempted changes to their salaries and monthly paychecks. You immediately check the firewall and IDS logs to see if they have recorded an intrusion from the outside world into the network. They show no such illegal access. After calming down and checking your audit logs (you do audit the access of sensitive files, don’t you?), you see that a lower-level clerk responsible for processing paychecks for direct deposit has attempted to alter the data.
In the above scenario, the harm caused to the network wasn’t from an external threat, such as a hacker. It was caused by an insider—a legitimate user, someone who is in a trusted position, or, at the very least, already has access to the internal network. This person doesn’t have to footprint or enumerate services from outside the firewall. He or she already has access to all of the vulnerable services, such as file sharing. He or she doesn’t have to worry about stealing a password to get access: the network administrator already assigned one. It is because of these conveniences that insiders often pose a greater threat than external hackers.
An insider’s motive for harming your network can vary. Usually, users who cause harm to your network fall into three categories. The first category is users who simply think they know more than they do and cause accidental damage, such as the deletion or modification of a file. Usually this can be corrected by education or minor disciplinary action.
Other users are simply curious, and might just want to know exactly what they can access, how far they can go and what they can get away with on your network. These are the ones who will browse folders and documents that they don’t ordinarily have access to, load illegal software, such as games, or visit prohibited Web sites because they believe that the network folks can’t possibly see everything that goes on. These users can also usually be cured with education about the consequences of their actions and minor disciplinary action, along with auditing.
The third category of harmful users is those who have outright malicious intent, possibly because of a perceived negative action against them or a bonus or promotion they felt was denied. They might also be the unwitting pawns of external hackers, having been socially engineered or paid to cause harm by running a few malicious programs, collecting network data or altering sensitive files.
The methods that malicious insiders use might not be radically different from those of external hackers. They still might footprint the internal network to see where all of the important servers and shares are, and they still might enumerate services to see what they can exploit. Usually, though, they do not face the same obstacles as external hackers. They normally don’t have to get through a firewall or intrusion detection systems. They also normally don’t have to use any exotic hacker tools—you’ve given them all the tools they need already!
The tools needed to footprint the internal network are already built into the operating system and normally don’t require elevated privileges. The net commands on Windows-based computers, for example, reveal a great deal about the internal network, and any ordinary user account can run them. You can dump the entire list of usernames in the enterprise, shares, important servers and their services, and so forth just by using a few of the simple net commands. A user with malicious intent can at the very least use this information to know where to look to cause harm, and could also pass it on to an external third party.
Once they have this information, they could take a wide range of actions. They could cause a denial of service for a hated manager by intentionally attempting to log in as that person the requisite number of times and locking the account. This would be a minor thing, to be sure, but a production-interrupting annoyance just the same. They could attempt to access the shares that they find, and might stumble on one in which the “Everyone” group, for example, still has its default access privileges. Once in that share, they could alter or destroy critical documents. An external hacker would have to go through a great deal of planning and effort to get to that point from the outside.
Mitigation and Monitoring
Just as you apply the concepts of defense in depth to protect your networks from the external threat, there are things you should do to protect against the inside threat. We as administrators frequently don’t enforce these measures because we know and trust everyone we work with, right? Although education, warnings and minor disciplinary measures might just “keep the honest man honest,” we still need to apply the appropriate controls to ensure that our networks are safe from the inside as well, from the people who aren’t honest. A few of the measures we should take are:
1. Enforce the principle of least privilege. People (including managers) should only have the privileges required to do their jobs—no more than that.
2. All shared files and folders should be monitored for access and modification, especially the sensitive ones.
3. Users should be frequently educated on the company security policy, which should include warnings about attempted access of unauthorized files, running unauthorized programs (including built-in commands), and the fact that they should have no expectation of privacy on the network.
4. Lock down and restrict the use of reconnaissance-type commands on the boxes, either manually or through a mechanism such as group policy.
5. Audit internal actions thoroughly and review the logs regularly. If there is no auditing, there is no way you can catch infractions.
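The deliberate account lockout described earlier and the audit-log review in step 5 both come down to reading the same kind of records. The following is an added example, not code from the article, that runs two simple checks over a constructed set of Windows-style audit events (the event ids 4625, 4740 and 4663, the hostnames, account names and the payroll share policy are all assumed sample values): a run of failed logons against one account from a single workstation followed by that account’s lockout, and write access to a sensitive share by an account the policy does not allow.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs). Event ids follow the Windows
# Security log: 4625 failed logon, 4740 account locked out, 4663 object access.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T16:50:05", "id": 4625, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:50:09", "id": 4625, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:50:14", "id": 4625, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:50:20", "id": 4625, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:50:26", "id": 4625, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:50:27", "id": 4740, "user": "r.smith", "src": "WS-CLERK07"},
    {"time": "2024-03-01T16:58:41", "id": 4663, "user": "clerk03", "src": "WS-CLERK07",
     "object": r"\\FILESRV\Payroll\salaries.xlsx", "access": "WriteData"},
    {"time": "2024-03-01T16:59:10", "id": 4663, "user": "payroll_admin", "src": "WS-FIN01",
     "object": r"\\FILESRV\Payroll\salaries.xlsx", "access": "WriteData"},
]

# Hypothetical policy: which accounts may touch each sensitive share (lower-cased prefix).
SENSITIVE_POLICY = {"\\\\filesrv\\payroll\\": {"payroll_admin"}}

def detect_lockout_abuse(events, threshold=5, window=timedelta(minutes=10)):
    """(account, host) pairs with `threshold` failed logons inside `window` and a lockout."""
    failures = defaultdict(list)
    locked = set()
    for e in events:
        if e["id"] == 4625:
            failures[(e["user"], e["src"])].append(datetime.fromisoformat(e["time"]))
        elif e["id"] == 4740:
            locked.add(e["user"])
    findings = []
    for (user, src), times in failures.items():
        if user not in locked:
            continue
        times.sort()
        # Sliding window over the sorted failure times for this account/host pair.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            findings.append((user, src))
    return findings

def detect_unauthorized_sensitive_access(events, policy=SENSITIVE_POLICY):
    """Audited access to a sensitive share by an account the policy does not allow."""
    findings = []
    for e in events:
        if e["id"] == 4663:
            path = e["object"].lower()  # Windows paths compare case-insensitively
            for prefix, allowed in policy.items():
                if path.startswith(prefix) and e["user"] not in allowed:
                    findings.append((e["user"], e["object"], e["access"]))
    return findings
```

The lockout check only fires when the failures and the lockout line up on one account, so a user who mistypes a password twice is not reported; the share check reports any account outside the allow list, which is what step 2 above asks you to watch for.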
Although hackers and other external threats are important enough to devote a large amount of your time to defending against, don’t forget to defend against insiders as well. They might not be as knowledgeable as hackers, or as intent on harming your network, but it is much easier for them to do so if they have the motivation. Educate your users on the proper actions they can take, and then trust them to do so. But verify that trust through monitoring and auditing. Help keep the honest folks honest, and locate and take care of the ones who aren’t.
Brad Causey is a security consultant and owns Zero Day Consulting, an incident response and penetration testing company in Alabama. Bobby Rogers is a 21-year veteran of the United States Air Force and has designed and managed networks all over the world, including South Africa, Uganda, Chad, Pakistan, Saudi Arabia, Bulgaria, and Germany. They can be reached at firstname.lastname@example.org.