Tuesday, January 30, 2007

Imbalanced (IMBA) Corporate Security.

It seems that both corporate networks and their physical installations may be compromised because of some irresponsible security officer.

When we are talking about security (at a corporate level) we imagine an area (or multiple areas) where only certain people are allowed in. And once they are in, they are divided into groups depending on what they are meant to do in that area. That area may be a physical location (office/building). In there, only the company employes are granted entry priviledges. Once they are in, each one works in his own cubicle and only senior employes wonder around checking everybody else. This is the same when it comes to an electronic network: you have different areas (subnet A, subnet B, etc) and different kinds of permissions (server 1 access, server 2 access, etc).

Security officers are mostly concerned about letting people in. When a new guy is hired they screen him and watch him for a while before granting him appropriate permissions. The problem is that administrators are selfish creatures. If they say you are "OK", that's it. They never check up on you or re-evaluate their decision.

This is bad enough but the problem starts when they forget about you even when you leave the company for ever. As a result, active accounts of ex-employees remain in the system allowing them access at any time. This is huge! It only takes an unhappy ex-employee with the appropriate privileges and maybe a little hacking to enable stealing or destroying information or damaging the infrastructure itself.

It's been over a year since Bob left the company his was working at. A few days ago he realized that his network access had NOT been revoked (and - I bet- neither had his physical privileges, alarm codes etc). He was able to remotely access specific systems from the company network and gain administrative privileges. He could install backdoors in those systems to ensure future access. He could use those systems to attack others, sniff the inside of the company's network (firewalls are of no use in this case) and basically do a lot of nasty things. Also he could take advantage of small security vulnerabilities he had knowledge of (like the fact that they used the same local admin password on every PC) to cover his tracks and hide his identity. Taking it a little bit further and under the assumption that nobody bothered to cancel his alarm code (they took his key through), it would be possible to invade the premises during the night, disarm the alarm using his code (or any other ex-colleague code his knows - this is another big issue) and steal/damage anything he wanted.

As Bob told me, it took 3 months since the day he started working there to get a key for the front door and remote access privileges. Apparently the security officer wanted to make sure he was not some malicious person. What worries me thought is that he took all that time to verify Bob (while making his life harder since he was an employ and did not have sufficient means/privileges to do his job) but still, 12 months since his last day at work, Bob's clearance hasn't been revoked. It's safe to assume that this is not an one-time event. Unfortunately it is my belief that there a lot of "orphan" accounts in the system.

This rises a couple more risks. Let's assume that Jane is also an ex-employee but isn't as cunning as Bob. She has never thought of doing any of the stuff I've just talked about. Jane's account is still active though and is protected by a very easy password. When the sysadm tries to enforce a new (better?) password policy he will not look after Jane's account because Jane is not working there any more. Right? Wrong! Maybe all 999 employees have updated their accounts with hard-to-guess, complex passwords. It takes a single account, Jane's, with a dumb password like "janedoe47" for an attacker to infiltrate the network.

Loose privileges are a liability!

To sum up, securing a physical area or a network means analyzing every possible scenario and providing general cover and failsafes and not just focusing on the "front door". Because that's where an attacker will try to gain access. He will hit weak abandoned accounts with weak passwords, forgotten remote privileges and protocols that should have been revoked.

No comments: