Chapter 27

Chapter 27. Internal Security

William Shakespeare, Much Ado About Nothing

The most peaceable way for you, if you do take a thief, is, to let him show himself what he is and steal out of your company.

IN THIS CHAPTER

        Internal Security: The Red-Headed Stepchild

        Internal Risks: Types of Harm and Vectors

        Risk Mitigation Policies

        Products

        Resources

This chapter focuses on securing your network from the inside, with the assumption that all your external security efforts are in vain if inside security is a pushover. Secondly, because "inside jobs" are rarely pretty or welcome, this chapter details some practices that avoid in the best case and detect in the worst case an intruder in your midst.

Internal Security: The Red-Headed Stepchild

It's probably a good bet that your network perimeter is incredibly more secure than the inside of your network; most networks are "crunchy on the outside, chewy on the inside." You can probably blame the "Firewalls-fix-everything" mentality of the last several years for this. This means that your internal vulnerabilities might very well be the cause of your worst security nightmare.

In fact, although the Computer Security Institute's most recent Computer Crime and Security Survey says that 90% of respondents detected security breaches, the report goes on to say that only 25% of the respondents detected breaches from the outside. Do the math.

Note

You can see the executive summary of the Computer Security Institute's 2000 Computer Crime and Security Survey at http://www.gocsi.com/prelea_000321.htm

(See the "Resources" section at the end of the chapter for more surveys, articles, and so on.)

The survey goes on to state that 71% of respondents detected unauthorized access by insiders. Clearly, internal security is a huge problem. The ICSA (International Computer Security Association) agrees, believing that insiders cause 80% of security problems.

Note

Stressing that firewalls are not a security panacea, the ICSA outlines some internal security problems in its Firewall Buyers Guide at http://www.icsa.net/html/communities/firewalls/buyers_guide/chap_2.shtml

Internal Risks: Types of Harm and Vectors

Fine. So breaches of internal security are common. But what's the worst thing that could happen? What are the risks? But more to the point, what can you do about these risks?

Many times, assessing an organization's internal risks can point directly to the necessity of implementing particular policies. It's useful to break these risks down into types of harm and vectors.

Some of the common types of harm that you'll want to consider are

        Server compromise

        Network infrastructure compromise

        Application level compromise

        Workstation compromise (trojans)

        Loss or theft of proprietary data

        Transmission of inappropriate or harmful data to business partners

        Denial of service

When we talk about vectors, we're really talking about the human factor any type of human action that can introduce harm into your network. The human factor is rather complex; it's useful to further break down this factor into organizational roles and type of intent.

Some types of intent typically are

        Well-meaning/Unwitting. A person accidentally introduces harm into the network,

        Scofflaw. A person knowingly bypasses security checkpoints.

        Disgruntled/Malicious/Opportunistic.

The types of organizational roles are

        Members of the public. That is, users of a kiosk, or simply folks who are wandering your building and stumble across an unlocked wire closet.

        Temporary employees.

        Departmental users. Each department should really be considered separately because each can present a different level of privilege and/or risk.

        Infrastructure, server, or application administrators.

To visualize the way that these two factors interact to generate a level of risk, it's useful to set them into a chart where the upper left represents the least amount of risk, and the lower right represents the most risk.

Obviously, a malicious administrator is your organization's worst nightmare, but gone are the days when "only" IT professionals could rock the network boat. Today's high-profile security problems coupled with "script kiddie" exploits and a permissive workstation policy means that any jerk with an attitude, an IQ of more than 80, and a PC can take advantage of your untended network. To fight back, enact a strong Acceptable Use Policy (AUP); check up on it with auditing and IDS tools; and enforce it. (See Chapter 26, "Policies, Procedures, and Enforcement," for more info on building an AUP.)

Scofflaw Employees

Scofflaw employees that is, employees who want to bypass your normal security measures for their own convenience can also be a huge problem.

The classic example of a scofflaw employee is one who ignores policy, bypasses the organization's remote access mechanism, and decides to install a modem and PCAnywhere on her PC many times without a reasonably good password. All of a sudden, there is an open door from the outside to your internal network, not a good thing.

Other examples include VIP users who do not want their Internet access to be monitored by IT; they therefore bypass corporate firewalls and dial into their own ISPs, which don't necessarily have the same type of security policies that the organization does.

Note

I knew one VIP user in particular who bypassed his organization's email system a system that scanned inbound and outbound email for viruses. He decided to use a dial-up account with a local vendor, which did not have virus protection on the mail gateway.

To make a long story short, his workstation hadn't received the most recent virus pattern update yet; and one of his cronies sent him a virus that messed up his workstation, necessitating an "emergency" call to the help desk. Scofflaws oftentimes shoot themselves in the foot while they're putting the organization at risk.

As workstation-based trojans become more common, bypassing a site's security checkpoints becomes worse and worse. Consider AOL's recent problem with a workstation-based trojan; hundreds of member accounts were compromised when employees executed an interesting-looking program that arrived by email.

America Online Inc. acknowledged last week that 200 member accounts were compromised when targeted AOL employees opened infected e-mail attachments. The attachments unleashed a Trojan horse program that created a connection to the employees'machines, allowing intruders to access password and credit-card information.

AOL Investigates Theft of Account Data, Computerworld, Ann Harrison, June 26, 2000

These AOL employees were scofflaws in that they ignored an AOL policy: They opened executable content from untrusted sources because it looked less boring than the work that they were doing. Scofflaw users will become more and more of a threat as these types of Trojans proliferate. (See Chapter 18, "Trojans," for more information.)

You can mitigate this risk somewhat by using desktop management tools to "lock down" the desktop and in some organizations this can in fact be appropriate but in the end, it's a policy problem, not a technology problem. Desktop management is only effective if the politics of an organization allow it to be.

Bottom line: Top-level management wouldn't allow a VIP to erect a ladder on the side of the building to bypass corporate security's checkpoints; it also should not allow anyone to bypass network security's checkpoints. If top-level management truly understands the parallel, you have a powerful ally in the battle against scofflaws.

IT Employees

Of course, just because "everybody" is now a potential problem doesn't mean that disgruntled IT workers and coders aren't of concern. More potential privileges mean more potential problems, naturally. Case in point is the oft-cited "logic bomb."

Although the identification of the first software bomb is not certain, a classic example occurred in 1988 when a Texas firm called IRA suffered the deletion of some 168,000 payroll records from a database. This was shown to have been caused by a logic bomb planted by an employee named Burleson which was triggered 6 months after he left the firm.

Computer Crime: An Historical Survey, Richard E. Overill, Defence Systems International 98. http://www.kcl.ac.uk/orgs/icsa/Staff/overill.htm

System administrators and network infrastructure administrators can also be part of the problem but they can also be part of the solution. If you have more than one hand in every pot, it's a lot harder for one person to leave back doors, plant subversive code, and so on. That is, collaborative practices mean that systems and code are always subject to someone else's review (see the next section, "Risk Mitigation Policies") which means that you can nip problems in the bud. (See also Chapter 13, "Logging and Auditing Tools." )

Risk Mitigation Policies

You'll want to establish clear, written policies in partnership with your organization's management team. This partnership can't be emphasized enough a policy without teeth might as well never have been written. You'll want to

        Establish good physical security for all infrastructure no matter how "insignificant" a piece of infrastructure might seem.

        Get management to build some level of concern for network security into the hiring process.

        Explicitly forbid bypassing security checkpoints (such as firewalls, remote access servers, and so on) in your AUP.

        Establish desktop management policies as they relate to virus/trojan protection and levels of workstation lockdown.

        Encourage small teams of administrators to collaborate. If there's more than one administrator watching the henhouse, it's less attractive to act the fox.

        Employ intrusion-detection systems (see Chapter 12, "Intrusion Detection Systems (IDS)" ), being careful to employ those that can handle high-bandwidth internal networks.

        Audit your systems and procedures periodically. (See Chapter 11, "Vulnerability Assessment Tools (Scanners)," and Chapter 13, "Logging and Auditing Tools." )

        Maintain current levels of OSes and applications. (Vendors usually patch script kiddie exploits rather quickly.) (See Part VI, "Platforms and Security," for more information on maintaining current levels.)

Physical Security

It's actually pretty easy to practice due diligence with physical security. You've just got to be meticulous and consistent, and take it seriously. Pretend that someone could burglarize you personally if you're not careful. It might help to pretend that you live in New York.

In all seriousness, physical security is where the battle can easily be lost although it can't be totally won with just physical safeguards. Little things like the ability to reboot a server from a floppy, or finding an unused username on a printout or even finding a tape with a copy of a security database on it make an intruder's job easier. Let's make it hard.

Here are some "DOs" and "DON'Ts" that will make your job a little easier, an intruder's life a little harder, and your data a little more secure:

DOs

        DO lock every wiring closet and keep them locked.

        DO use switches rather than hubs, especially for LAN segments that have administrative users on them. (They still must be physically secure to ensure that someone can't access the switch and packet sniff via port mirroring.)

        DO change locks or door passcodes immediately when employees leave.

        DO erase hard drives, flash, and so on, when you take them out of service. Nobody's going to remember to do it before the surplus auction, and all sorts of passwords and/or sensitive data might be on them.

        DO erase old backup tapes before disposing of them.

        DO write nonsense data to magnetic media when you are erasing it. Dropping a partition table is NOT good enough. (Degaussing is okay, though.)

        DO use a paper shredder. Don't laugh. Dumpster diving is more common than you think.

        DO lock your server cabinets when you're not using them.

        DO restrict or forbid the use of modems on desktops; they are the number one method of bypassing your organization's security checkpoints.

        DO make sure that any "road" laptop or PDA has appropriate data protection software and hardware installed before deployment.

        DO consider whether user access to floppy disks or other removable media make sense for your environment; they constitute a possible bypass of your security checkpoints.

        DO consider the use of smart cards/token-based security devices rather than passwords for administrative users or sensitive systems. Many operating systems now support token-based authentication in addition to passwords.

        DO remember that your phone PBXs also must be secured.

DON'Ts

        DON'T send off-site backups to unsecured locations.

        DON'T give keys to vendors. Let them in to do their work, and then politely wave bye-bye when they leave.

        DON'T allow anyone other than key personnel ad hoc access to the data center.

        DON'T share wire closets with user-oriented peripherals such as printers.

        DON'T put servers into unsecured areas.

        DON'T leave server keys attached to the back of a server. Believe it or not, other people will think of this, too.

        DON'T let cleaning people or other untrusted service people into secured areas without an escort.

        DON'T store any sensitive data on user hard drives if you must, think about hard drive encryption products.

        DON'T discuss passwords or other sensitive information over unsecured channels such as cell phones, 800Mhz radios, or instant messaging.

        DON'T put consoles, keypads, or administrative workstations near windows.

The Hiring Process

Naturally, J. Random Hacker isn't going to show up and reveal his otherworldly activities at a job interview. And even doing background checks can turn into nothing more than lip service, depending upon who's doing the checks and whether the individual has been caught in the past.

Still, there are things you can do to minimize your risks during the employment process. Start out by doing a "due diligence" background check particularly for employees that will be involved in any level of IT. Do your homework and use a reputable agency to do your background checks as with anything else in computing, "Garbage in, garbage out." If you are using an internal HR check or some other check that you don't get invoiced for, communication is the key. Don't assume that silence from your background check folks means "Everything is OK." Lack of "NACK" (Negative ACKnowledgement) does not mean "ACK." It might simply mean that your request form got thrown out with lunch's pizza box. See http://www.nwc.com/1201/1201colfeldman.html for more discussion of the hiring process.

After you've worked with management to establish an Acceptable Use Policy, your next step is to work with HR to integrate it as part of the employment process for any employee. You want it integrated for two reasons: First, because it sends a message, and might dissuade an employee from snooping or fiddling where he or she doesn't belong. Second, if termination or disciplinary action is necessary because of AUP violation, it's definitely a lot easier to do if you have an "I-have-read-and-understood-this" AUP to back you up.

Establishing Desktop Lockdown

Lockdown, in the desktop management context, means that you've managed to apply the straps to your users in such a way that they can't hurt themselves or your network. In the best case, this is done in such a way that the users don't feel constricted or stifled. Having a heart-to-heart with management about the level of lockdown can be only a good thing. Users get extremely irrational about losing any amount of autonomy, and you will definitely want management to buy into any lockdown that you need to enact.

It should be pointed out that desktop management any desktop management that resides on a local workstation can be bypassed by a clever user unless there is serious physical security in place (no floppies, an "unpickable" case lock, and so forth). This, of course, is the type of security that you must have if you have public information terminals, kiosks, and so on. The point is that any workstation that isn't physically secured can usually be booted from alternative media, and then the local OS can be modified to a malicious user's heart's content.

Still, desktop management and lockdown for nonpublic users are important due-diligence measures, and definitely should not be skipped. The important thing here is to prevent either well-meaning or scofflaw users from hurting themselves and others. Defeating a truly noncasual and malicious user isn't the primary purpose of desktop management.

As far as manual procedures go, you can see some sample system lockdown checklists at http://www.nswc.navy.mil/ISSEC/Form/index.html

Virus protection, of course, is a mandatory component to desktop management. Virus protection is (or should be) such second nature to today's IT staff that we mention it here simply to ask one question: Can the user turn off virus protection?

Some virus protection suites let the user do this; others password-protect the entire control panel. You should certainly password-protect the control panel if possible, but you should also enact desktop management policies that check and reinstall virus protection if the workstation's otherwise permissive operating system allows its removal.

Good desktop management tools enable you to not only "force" certain applications, but they can also

        Force applications to be configured in a certain way (notably browsers)

        Restrict users from running anything but a certain set of applications

        Restrict use of removable media

        Prevent users from modifying system configuration

Restricting Content

It used to be that IT managers were only worried about what users were able to download; that is, folks were concerned about employee abuse of the Internet. At the time, there wasn't technology to check what the actual downloaded content was so managers contented themselves with blocking sites based upon where the user tried to surf. Certain software manufacturers also became service organizations (notably Cyber Patrol; see "Products: Content Management," ) that maintained a list of URLs in certain categories: adult-oriented, comedy, shopping, news, and so on. As a manager, you could then block various categories with a perimeter device that had access to these lists.

This strategy, however, wasn't complete in and of itself. Objectionable sites surface overnight, and the list didn't always reflect reality. And, filtering outbound URLS does nothing to fight questionable content that leaves your site.

Because one of the risks to your organization is the unauthorized disclosure of content (customer lists, intellectual property, and so on), one of the hottest topics in corporate security today is that of content management (also called content filtering, content services, and content restriction). Content management works in conjunction with your perimeter security devices. The software can perform lexical analysis, pattern matching even image recognition. (Yes, those images.)

Another risk faced by your organization is the transmission of inappropriate content (pornographic, libelous, or otherwise offensive data) or dangerous content (such as Trojans and viruses) to business partners. You'd have to be nuts to think that any tool could totally eliminate the possibility of inappropriate content making it through your checkpoints. But content management tools can limit the possibility. Virus gateway protection software is one example of specialized content management.

Some vendors label their products as content filters, when in fact they are site filters or URL filters. Again, rather than checking the data stream for objectionable content, they check the Web address against a categorized list of known Web sites. Site filtering has merit. It can defi nitely decrease the amount of daytrading/time-wasting/non work-related surfing at your organization but it's not content filtering. It is only as effective as the folks who update the lists are. And, site management doesn't do anything for your intranet.

That said, content management tools fall into two categories: those that offer generic content-checking services to the network, and those that operate solely on a specific application.

Those that offer generic content services tend to do it via CheckPoint Software's CVP (Content Vectoring Protocol). CVP accepts a connection from a client, proxies the request to the server, scans the content, and either modifies or denies the request when content does not pass muster.

There is not yet an RFC-based content restriction protocol that has been widely implemented. If you're not using Firewall-1 or another firewall that supports CVP, you might have to purchase individual products that separately monitor Web content (HTTP), email (SMTP), news (NNTP), and FTP.

You'll also probably have to put up with some degree of false positives yet another thing to administrate. For example, content filters commonly block Network Computing's "Centerfold," a showcase of innovative companies'networks.

Still, content filters can be worthwhile, if you target and configure them correctly. See the section "Products," later in the chapter for a sampling of content-filtering tools. Look for content management to change and grow in the next couple of years; hit the Web or magazines like Network Computing for the latest scoop.

Administrative Collaboration

At first, administrative collaboration doesn't seem like much of a security practice. How can teamwork make your internal network a safer place?

First, consider that any illegal or unethical action involving partners automatically means that there are witnesses and possible leads to an investigation. As Benjamin Franklin said, "Three can keep a secret if two of them are dead."

Secondly, take the case where there is no explicit partnership during a questionable activity. The fact that there is another administrator who has responsibility for the system involved means that the system itself is under scrutiny. The fact that there is third-party scrutiny of the system might discourage the perpetrator in the best case, or at least lead to discovery of the questionable activity.

You should be careful, however, to avoid assigning too many hands to any given pot. Not only can this lead to system chaos, but it also can make unethical activity harder to trace either during an incident or an audit. You definitely want a limited pool of individuals accountable for a given system.

Products

Products change all of the time you'll want to check the latest industry magazines and Web sites to make sure that you've got the latest options in front of you. The following sections list sample products in various categories so that you can get off on the right foot.

Desktop Management

Product: LANDesk

Company: Intel

URL: http://www.intel.com/network/products/landesk_mgmtsuite_v6.htm

Description: Platform agnostic desktop management; works with Win9x, WinNT/Win2K, Netware, and Linux.

Product: Systems Management Server (SMS)

Company: Microsoft

URL: http://www.microsoft.com/smsmgmt/exec/default.asp

Description: Certainly the easiest way to manage the desktops of a Windows network. Works with Win9x and NT with ZAK (Zero Administration Kit) and Win2000's Group Policies.

Product: ZENWorks for Desktops

Company: Novell

URL: http://www.novell.com/products/zenworks/desktops/

Description: Desktop management using NDS (Novell Directory Services) as the configuration data store. Scales extremely well.

Laptop/PDA Security

When a portable device walks away, it's not pretty; the loss of the device is nothing compared to the potential loss of sensitive information. Although "password-at-power-up" is popular, it is not a good solution after someone has stolen your device; use real data encryption instead. There are a huge number of options, and it's not our intention here to offer a complete buyer's guide. Rather, this is a starting point. When you're looking to buy portable device security solutions, consider whether

        Physical tokens are available. If the device will be used in a public place, there is always the risk of someone "keystroke watching" during password entry, and later stealing the device.

        What type of encryption is used. Some vendors use a proprietary algorithm that hasn't been publicly examined for flaws. Stay well away from these, as well those algorithms that use "obscuring" tactics like XOR (bit-complement), which are not secure.

PDA Security

Product: MemoSafe

Company: DeepThought

URL: http://home.golden.net/~deepnet/memosafe.html

Description: MemoSafe uses the public domain SAFER-SK cipher to encrypt your MemoPad memos.

Product: ReadThis!

Company: PixIL

URL: http://members.nbci.com/PixIL/Software/ReadThis/

Description: A module that requires HackMaster, and encrypts arbitrary Palm records; beware, as the default method is "XOR" as stated previously, not a secure method. Fortunately, an externally available IDEA encryption module is available. Source is only available for the external module.

Product: Safe

Company: Palmgadget.com

URL: http://www.palmgadget.com/palmsafe.html

Description: Triple-DES memo pad encryptor; the source code is available for inspection, which is a real plus.

Laptop Security

Product: Invincible Disk

Company: Invincible Data Systems, Inc.

URL: http://www.incrypt.com/idisk01.html

Description: Encrypts an entire hard drive using the Blowfish encryption algorithm. Supports physical tokens.

Product: SafeHouse for Windows

Company: PC Dynamics

URL: http://www.pcdynamics.com/SafeHouse/

Description: Offers several different encryption options, including Blowfish, and triple DES; but also includes the not-so-secure DES algorithm, as well as a proprietary algorithm that has not been publicly scrutinized.

Note

If you use UNIX or Linux on laptops, see the section "Resources" later in the chapter for a paper describing encrypted file systems such as cfs, sfs, cryptfs, and so on.

Physical Security

Product: Barracuda Anti Theft Devices

Company: Barracuda Security Devices International

URL: http://www.barracudasecurity.com

Description: Barracuda's flagship product is a PC card that is inserted into an expansion slot; it monitors all computer components. You are paged when any component is tampered with or removed. A terribly shrill alarm goes off as well.

Product: Modem Security Enforcer

Company: IC Engineering, Inc.

URL: http://www.bcpl.lib.md.us/~n3ic/mse/mseinfo.html

Description: Modem Security Enforcer includes callback authentication, password protection, firmware password storage (inaccessible to internal users), nonvolatile memory storage settings, and a completely configurable interface. There is a 9600bps version and a 19,200bps version.

Product: ModemLock for SmartCard Modems

Company: Intertex Data AB

URL: http://www.intertex.se/html/modemlock.html

Description: Software that restricts incoming or outgoing modem use. Unfortunately, it requires that you use Intertex's brand of smart card modems.

Content Management

Product: eSafe Gateway

Company: Aladdin Knowledge Systems

URL: http://www.ealaddin.com/esafe/gateway/index.asp

Description: Filters Web traffic for hostile applets, viruses; can do URL filtering; inspects MIME encoded mail.

Product: MIMESweeper product family: MAILSweeper; PORNSweeper; WEBSweeper; SECRETSweeper

Company: Content Technologies

URL: http://www.contenttechnologies.com/products/default.asp

Description: The kitchen sink, oven, stove, and dust-buster of content management. Filters everything from MIME-encoded email to porn-bearing-GIFs.

Product: SuperScout, CyberPatrol, SurfControl

Company: SurfControl

URL: http://www.surfcontrol.com/

Description: All products use the same CyberNOT subscription list, and perform varying degrees of site filtering. SuperScout in particular can deny/allow sites based on file types.

Product: Various

Company: CheckPoint

URL: http://www.checkpoint.com/opsec/security.html#Content_Security

Description: List of companies and products that have partnered with CheckPoint, and use CVP (Content Vectoring Protocol) as a central service for content scrutiny.

Resources

Computer Security Institute's 2000 Computer Crime and Security Survey. http://www.gocsi.com/prelea_000321.htm

Computer Crime & Security Survey 1999. http://www.deloitte.com.au/downloads/Computer_Crime99.pdf

Computer crime an historical survey. Richard E. Overill. http://www.kcl.ac.uk/orgs/icsa/Publications/crime.html

Risk Assessment Strategies. Workshop about risk management. http://www.nwc.com/1121/1121f3.html

How to Fire A System Administrator. M. Ringel and T. Limoncelli. http://www.bell- labs.com/user/tal/papers/LISA1999/adverse.html

A Contextual Love Letter for You. http://www.nwc.com/1117/1117colfeldman.html

Zero Administration Kit for Windows (Win9x and WinNT desktop management). http://www.microsoft.com/windows/zak/

Using Group Policy Scenarios (Win2000 desktop management). http://www.microsoft.com/technet/win2000/win2ksrv/technote/gpscena.asp

Palm Security: Encryption Tools. http://palmtops.about.com/gadgets/palmtops/library/weekly/aa06182000a.htm

Encrypting Your Disks With Linux. Covers technologies that work on Linux and other UNIX derivatives. http://drt.ailis.de/crypto/linux-disk.html

Using Win2000's Foolproof Encryption. Uses Win2000's native file encryption technology. http://www.nwc.com/1121/1121ws1.html

Summary

Good internal security amounts to doing the same things you do for external security, and practicing due diligence as regards self-auditing and policy enforcement. There are tools that can help, such as auditing tools/security scanners, content filtering tools, desktop management, and IDS, but in the final analysis, no tool can replace meticulous and sharp-eyed individuals.