
insidethreat.txt

Posted Jul 25, 2001
Authored by Reflux

Protecting Corporate and Enterprise Networks Against Insider Threats - The aim of this text is to provide a basic understanding of how important it is to maintain security within the corporate network, and to offer some theory and technique that the Hacker (The insider) may use or may be using to penetrate vital systems within your organization.

tags | paper
SHA-256 | 5ec4948937dc717974ed6bdf19e5686ce4a02c357d7f5f0ea6003868dc54d808


Protecting corporate and enterprise networks
against an increasing insider threat.

Reflux - Cha0s Inc. MVS Dev. --- 7/01
--------------------------------------

Introduction


This is my first paper in a very long time; hopefully
it will be as accurate as possible and will highlight
some of the areas of risk in today's corporate network
environment.

The aim of this text is to provide a basic understanding
of how important it is to maintain security within the
corporate network, and to offer some theory and technique
that the hacker (the insider) may use or may be using to
penetrate vital systems within YOUR organization.


-----------------------------
[ Table of Contents ]
-----------------------------
1 The eye of the storm
2 An Insider Threat
3 Determining what is @ Stake
4 Strategy and precaution for High Security Networks
5 High-Tech deception and Industrial Espionage


/. The eye of the storm.


More and more companies are feeling the effects of hackers,
and according to recent FBI studies, 60 - 80% of all corporate
hacking is done by employees of the victim: insiders of the
company itself, those who have physical access to the network.

When designing network security, many systems administrators
only see it necessary to secure their networks from the outside,
by means of a firewall or proxy server. This type of protection
does offer a good amount of security from outside attacks,
but doesn't offer any protection from hackers openly hacking
from the inside of the network.


//. An insider threat

It is disturbing how many companies' systems are vulnerable to
known security flaws, some of which have been known about for
years and could be easily patched. Companies have lost
millions of dollars in revenue because they were hacked and their
data was destroyed, systems left wide open just waiting for a hacker
to compromise them.

The first thing a hacker is going to do is target the network
servers, looking for vulnerabilities in protocols such as DNS, FTP,
SMTP etc., looking for misconfigurations and often unpatched holes.
For example, Lotus Domino SMTP, if not configured properly, will allow
users to relay mail blindly without proper authorization, allowing
employees to forge company email. Small bugs like this can be exploited
and used to cause havoc, downtime and lost profits.
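A defender's check for the blind-relay misconfiguration just described, added here as an example and not taken from the paper: it speaks the SMTP envelope an open relay would accept (external sender to external recipient) and reports whether the server says yes, without ever sending a message body. The hostnames and addresses (relaycheck.example, probe@example.org, probe@example.net) and the in-process fake MTA are constructed for the demonstration; against a real server you administer, call is_open_relay(host).

```python
import socket
import threading

def read_reply(sock):
    """Read one SMTP reply (may span several lines); return its 3-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) > 1 and lines[-2][3:4] == b" ":   # final line is "NNN text"
            return int(lines[-2][:3])

def relay_accepted(sock, sender=b"probe@example.org", rcpt=b"probe@example.net"):
    """External sender -> external recipient envelope; DATA is never issued."""
    read_reply(sock)                                             # 220 banner
    sock.sendall(b"HELO relaycheck.example\r\n"); read_reply(sock)
    sock.sendall(b"MAIL FROM:<" + sender + b">\r\n"); read_reply(sock)
    sock.sendall(b"RCPT TO:<" + rcpt + b">\r\n")
    code = read_reply(sock)                # 2xx here means the server would relay
    sock.sendall(b"QUIT\r\n"); read_reply(sock)
    return 200 <= code < 300

def is_open_relay(host, port=25):          # run this against a server you own
    with socket.create_connection((host, port), timeout=10) as s:
        return relay_accepted(s)

def fake_mta(conn, open_relay):
    """Constructed stand-in MTA so the check runs offline; relays or refuses."""
    conn.sendall(b"220 mta.example ESMTP\r\n")
    for line in conn.makefile("rb"):
        cmd = line.strip().upper()
        if cmd.startswith(b"RCPT TO") and not open_relay:
            conn.sendall(b"550 5.7.1 Relaying denied\r\n")
        elif cmd.startswith(b"QUIT"):
            conn.sendall(b"221 Bye\r\n"); break
        else:
            conn.sendall(b"250 OK\r\n")
    conn.close()

def check_fake(open_relay):
    """Run the check against fake_mta over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, open_relay)); t.start()
    result = relay_accepted(client)
    t.join(); client.close()
    return result
```

check_fake(True) models the misconfigured server and returns True; check_fake(False) models one that refuses to relay and returns False.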

Many companies are lacking in their ability to keep their network
operating systems up to date; installing the latest service
packs and hotfixes is critical. This is a huge problem for many
companies. A good example of a wide-scale problem recently hitting
is the "Code Red" virus; it has now taken down over 250,000 IIS4/5
web servers via a simple but known buffer overflow, for which a patch
has been available for over a month.

Systems that are likely to be probed are those in departments
such as Human Resources, Payroll, Accounting, etc., where it may be
possible to obtain financial information, employee data or other valuable
information.


///. Determining what is @ Stake


The best way to protect the security of your network is to analyze
it with the mindset of a hacker. The first thing I suggest is breaking
your company network into private segments by means of VPN or another
encrypted network protocol, separating the departments from one another
to prevent data intended for one department from being routed to another.

The layout and separation of the network is a big concern, because
any employee on the company network can run a packet sniffer and
obtain insecure information from the Payroll Department, Accounting
or Human Resources, and this is a major threat to company and employee
security. Separating the network through basic bridging and switching
is not good enough: hackers will use advanced tactics to gather
information, such as ARP cache poisoning, to obtain information from
remote areas of the network.

When designing a corporate network topology, take into consideration
what role each part of the network will play: will this department be
dealing with critical business or financial data? Different departments
might require different levels of security. If you have a department that
collects and processes nothing but credit card information, separate them
on a secure encrypted segment, away from the department that handles
customer service. This will prevent private data from being stolen by
not-so-trustworthy employees.


////. Strategy and Precaution for High Security networks.


If the COMPLETE security of your environment is essential, your best bet
would be to segment your network with quality switches, making sure all
necessary security features are set, and then set up a secure PPTP VPN.
This will ensure a private encrypted workgroup that will be free from most
types of sniffing attacks.

Packet sniffing is a major concern; it's being done, and probably on your own
company network. Defeating packet sniffing by insiders can be a difficult
task. There are a few programs available; "AntiSniff" by l0pht, for example, is
a good sniffer detector that will sweep the network in search of interfaces
that are running in promiscuous mode, but this tool, and many like it, only
work properly on flat, non-switched networks.

If you are an IT admin, use caution when telnetting into network servers;
always assume that somebody is watching you. If your network is Unix-oriented,
use SSH to ensure an encrypted terminal session. If you need to gain access
to a router to make some configuration changes, attach a console and make
the changes at the router. Telnetting across the network will expose your
passwords in plain text.

In high-security network environments, you may consider the installation
of an intrusion detection system. An intrusion detection system will
allow you to centrally monitor the network, pinpointing and logging all
unusual activity, even offering web-based administration and forwarding
of logs to secure remote loghosts for increased security.

Operating system security is a large part of the puzzle, but improper
configuration of network hardware can leave you open to many potentially
lethal problems. Enabling the security features of your network hardware
is highly recommended. Many higher-quality switches offer a feature called
MAC binding, which binds IP and MAC information and prevents it from changing
once set. This will prevent cache poisoning that could cause frames from one
segment to be leaked and sniffed by an insider on another.
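An added example, not from the paper, of the host-side counterpart of the switch MAC binding described above and of the ARP cache poisoning mentioned in the previous section: it parses raw Ethernet/ARP frames, pins the first MAC learned for each IP, and flags any later ARP packet that claims a different MAC for a pinned IP, which is the same conflict a MAC-binding switch refuses. All MAC and IP values in demo() are constructed, not captured traffic.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), ".".join(str(b) for b in spa)

class ArpBindingMonitor:
    """Pin the first MAC seen for each IP; flag later ARP packets that claim another MAC for it."""
    def __init__(self):
        self.table = {}          # ip -> mac, as first learned (static entries could be preloaded)
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (1, 2):   # only request/reply carry bindings
            return None
        op, mac, ip = parsed
        bound = self.table.setdefault(ip, mac)
        if bound != mac:
            alert = f"ARP conflict for {ip}: bound to {bound}, now claimed by {mac} (op {op})"
            self.alerts.append(alert)
            return alert
        return None

def build_arp(op, sha, spa, tha, tpa):
    """Constructed frame for testing, not captured traffic; requests are broadcast."""
    dst = b"\xff" * 6 if op == 1 else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def demo():
    """Constructed traffic: the gateway answers a request, then a rogue host claims its IP."""
    gw_mac, gw_ip = bytes.fromhex("00005e000101"), bytes([10, 0, 0, 1])
    pc_mac, pc_ip = bytes.fromhex("001122334455"), bytes([10, 0, 0, 20])
    rogue_mac = bytes.fromhex("deadbeef0001")
    mon = ArpBindingMonitor()
    mon.observe(build_arp(1, pc_mac, pc_ip, b"\x00" * 6, gw_ip))   # who-has 10.0.0.1? pins 10.0.0.20
    mon.observe(build_arp(2, gw_mac, gw_ip, pc_mac, pc_ip))        # legitimate reply pins 10.0.0.1
    mon.observe(build_arp(2, rogue_mac, gw_ip, pc_mac, pc_ip))     # spoofed reply -> alert
    return mon.alerts
```

Fed frames from a raw socket or a pcap reader instead of build_arp(), the same monitor serves as a minimal arpwatch on a segment where the switch offers no MAC binding.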


/////. High-Tech deception and Industrial Espionage


Industrial espionage is becoming more and more real. This next chapter
will express some of the possibilities that an insider may use to damage
company operations, customer relations or company personnel by means of
theft, data manipulation, impersonation or deception.

Here is one scenario: you work with your good buddy Billy, and Billy narked
you off for playing Counterstrike while on the clock!@(&, bad...

It's the weekend and the supervisor on duty receives an email from the
CEO (of course this email is a forgery you have manually sent from
the company's misconfigured SMTP server) explaining how monitors
at the corporate office have detected your good buddy viewing kiddy porn,
and that he has violated company policy. Billy will need to be terminated
immediately and escorted out of the building.

Since it's the weekend and the CEO may not be at the office, the chance
is that you are going to have your good buddy fired on the spot and
walked out of the building... oops.

This is a reality I call corporate espionage, and this is just a small
idea of how someone can alter the perception of corporate
management, via deception and social engineering, for personal
and possibly financial gain.

Here is another scenario:

You are scanning your company domain for open Windows file shares
on the network. You come across several that have the C: drive shared but
locked with a password. Moron.

You, the insider, then use your NetBIOS brute-force tekneeks
to break the password to the file share and gain full access to the
luser's workstation. After browsing around the files, you notice that the
system you just broke into belongs to a company supervisor and
contains reporting data that includes time-clock data, Crystal Reports
employee statistical data or other critical work-flow data.

Clickety click, you just worked 30 hours of overtime and are now
the best employee in the company. :)


//////. Conclusion

This messy, unorganized, misspelled piece of chopped-up text is
just a personal rambling, an effort to point out what needs to be
done to keep corporate networks secure from an internal standpoint.
If you have any comments or suggestions about this paper, please
contact me.


I can be contacted at:

Reflux@cha0s.com
2001. Cha0s Inc.
