Types of Attacks


Insider attacks can manifest themselves in all the same forms as external attacks, as well as some additional variations. An insider is perfectly placed to cause a massive denial of service to other users. This can take the form of traditional network-based denial-of-service attacks such as SYN floods. These are extremely simple to detect, however, and router and network logs will quickly pinpoint the attacker.

An insider can also deny service by launching other attacks. Some operating system vulnerabilities can only be exploited by a user with a valid logon to the system; others might normally be blocked at the corporate firewall. For example, there is a vulnerability in Windows 2000 in which a user can send a malformed Remote Procedure Call (RPC) packet to a critical server and cause it to stop responding to requests for service. Under normal configurations, this would not be a major vulnerability because the RPC port would normally be blocked by the corporate firewall. If the attacker is already located behind the firewall, however, the attack can cripple a corporate network until the server is restarted. [3]

[3] Microsoft Corporation, Microsoft Security Bulletin (MS00-066), Patch Available for "Malformed RPC Packet" Vulnerability, www.microsoft.com/technet/security/bulletin/MS00-066.asp, September 11, 2000.

An attacker can even cause a major slowdown in service by simply using a large amount of network resources, such as copying large files to a network drive or sending large email attachments to everyone in the company. Insider denial-of-service attacks are extremely easy to detect (assuming, of course, that the company has IDSs or network-monitoring tools on the network). The attacker could download a virus such as Melissa and purposely infect himself to disrupt network services. It is probably easier to divert suspicion by performing an act that can reasonably be viewed as negligent as opposed to criminal.
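The detection that the two preceding paragraphs take for granted, written out as an added example rather than anything from the book: a shell function that reads a constructed firewall log (the four-field line format, the addresses and the "three SYNs per ACK" rule are all assumptions) and reports internal hosts that send many SYN packets but almost never complete a handshake, which is how a SYN-flooding insider stands out from a merely busy one.

```shell
#!/bin/sh
# Added example, not from the book. Flags internal sources whose SYN-only
# packet count is high and out of proportion to the ACKs they send.
# Log format (an assumption): "<time> <src-ip> <dst-ip>:<port> <tcp-flags>"
# where the flags column is S (SYN only) or A (ACK) as logged by the firewall.

# Constructed sample log: 10.0.0.7 sends SYNs and never completes a handshake,
# 10.0.0.20 is busy but legitimate, 10.0.0.12 is an ordinary client.
SAMPLE_LOG='10:00:01 10.0.0.7 10.0.1.5:80 S
10:00:01 10.0.0.7 10.0.1.5:80 S
10:00:01 10.0.0.7 10.0.1.5:80 S
10:00:02 10.0.0.7 10.0.1.5:80 S
10:00:02 10.0.0.7 10.0.1.5:80 S
10:00:02 10.0.0.7 10.0.1.5:80 S
10:00:03 10.0.0.7 10.0.1.5:80 S
10:00:03 10.0.0.7 10.0.1.5:80 S
10:00:01 10.0.0.20 10.0.1.5:80 S
10:00:01 10.0.0.20 10.0.1.5:80 A
10:00:01 10.0.0.20 10.0.1.5:443 S
10:00:01 10.0.0.20 10.0.1.5:443 A
10:00:02 10.0.0.20 10.0.1.9:25 S
10:00:02 10.0.0.20 10.0.1.9:25 A
10:00:02 10.0.0.20 10.0.1.9:25 S
10:00:02 10.0.0.20 10.0.1.9:25 A
10:00:03 10.0.0.20 10.0.1.5:80 S
10:00:03 10.0.0.20 10.0.1.5:80 A
10:00:03 10.0.0.20 10.0.1.5:80 S
10:00:03 10.0.0.20 10.0.1.5:80 A
10:00:01 10.0.0.12 10.0.1.5:80 S
10:00:01 10.0.0.12 10.0.1.5:80 A
10:00:02 10.0.0.12 10.0.1.5:443 S
10:00:02 10.0.0.12 10.0.1.5:443 A
10:00:03 10.0.0.12 10.0.1.9:25 S
10:00:03 10.0.0.12 10.0.1.9:25 A'

# flag_syn_sources THRESHOLD [LOGFILE]
# Prints "<src-ip> <syn-count>" for each source that sent more than THRESHOLD
# SYN-only packets and at least three times as many SYNs as ACKs. Reads LOGFILE,
# or the embedded sample when no file is given.
flag_syn_sources() {
    threshold=$1
    if [ -n "$2" ]; then input=$(cat "$2"); else input=$SAMPLE_LOG; fi
    printf '%s\n' "$input" | awk -v t="$threshold" '
        $4 == "S" { syn[$2]++ }          # half-open attempts per source
        $4 == "A" { ack[$2]++ }          # evidence of completed handshakes
        END {
            for (ip in syn)
                if (syn[ip] > t && syn[ip] > 3 * (ack[ip] + 0))
                    print ip, syn[ip]
        }' | sort -k2,2nr
}

# Usage: flag_syn_sources 5           -> "10.0.0.7 8"
#        flag_syn_sources 5 fw.log    -> the same rule over a real export
```

The ratio test is what keeps a legitimately busy host (10.0.0.20 in the sample) off the list; a raw SYN count alone would flag it as soon as the threshold was low enough to catch the flooder.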

A rogue system administrator could change system passwords or delete critical system files. He could delete or withhold encryption keys. In one incident, a system administrator coded a shell script to clean up temporary log files each day. The script ran automatically and recursively deleted all the files in the log directory. The script failed to check the current directory before running and caused several critical servers to fail when it was run from the root directory. An administrator with root access could easily set up such a script and cause it to run either on a schedule or when a certain condition occurs (for example, when a person's supervisor logs in).
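A cleanup routine with the guards that the administrator's script lacked, written here as an added example (it is not the script from the incident; the allowed log locations and the seven-day default age are assumptions to adjust per site). The point is that every precondition is checked before anything is removed, and that the target is always an explicit absolute path rather than whatever directory the job happens to start in.

```shell
#!/bin/sh
# Added example, not the script from the incident: a log-cleanup routine with
# the guards that script lacked. The allowed log locations and the default
# seven-day age are assumptions.

# safe_log_cleanup LOGDIR [MAX_AGE_DAYS]
# Deletes regular files older than MAX_AGE_DAYS (default 7) that sit directly
# in LOGDIR. Every failed check prints a reason, returns 1 and deletes nothing.
safe_log_cleanup() {
    logdir=$1
    max_age=${2:-7}

    # 1. The target is always explicit; the current directory is never used.
    if [ -z "$logdir" ]; then
        echo "cleanup: no log directory given" >&2; return 1
    fi

    # 2. Refuse "/" outright, and refuse relative paths, whose meaning
    #    depends on $PWD (the failure mode in the incident).
    case "$logdir" in
        /)  echo "cleanup: refusing to operate on /" >&2; return 1 ;;
        /*) ;;
        *)  echo "cleanup: path must be absolute: $logdir" >&2; return 1 ;;
    esac

    # 3. The age must be a plain non-negative integer.
    case "$max_age" in
        ""|*[!0-9]*) echo "cleanup: bad age in days: $max_age" >&2; return 1 ;;
    esac

    # 4. It must exist, be a directory, and live where logs are expected
    #    (assumed allow-list; /tmp is included only so the example can be tried).
    if [ ! -d "$logdir" ]; then
        echo "cleanup: not a directory: $logdir" >&2; return 1
    fi
    case "$logdir" in
        /var/log|/var/log/*|/tmp/*) ;;
        *) echo "cleanup: $logdir is outside the allowed log locations" >&2; return 1 ;;
    esac

    # 5. Act only on regular files directly inside LOGDIR: no recursion, no
    #    directories, and the age filter is applied by find, not by a loop.
    find "$logdir" -maxdepth 1 -type f -mtime +"$max_age" -exec rm -f -- {} +
}

# Usage from cron, always with an absolute path:
#   safe_log_cleanup /var/log/myapp 7
```

Running this with a relative path, an empty argument, `/`, or a directory outside the allow-list produces a refusal and a non-zero exit, so a misconfigured cron entry fails loudly instead of emptying the root filesystem.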

As with external attacks, insiders can also steal or misuse computer resources. This can range from inappropriate use of corporate computers to actual theft of hardware and software. Clearly defined and well-understood policies on appropriate and inappropriate usage will help mitigate the business risks and provide a framework for the appropriate disciplinary action if required.

Some employees have gone so far as to run a business on their company computers. Although an employee keeping a spreadsheet for his home-based business on a company computer might not carry a lot of risk, employees running web-based gambling sites or on-the-side consulting practices can consume corporate resources (not the least of which is employee time). They can also carry liability for the company if a customer or legal authority decides that hosting the employee's "other job" constitutes an endorsement of the service or product.

Other improper use of computing resources can consist of visiting inappropriate web sites, downloading data (including copyrighted or illegal material), or sending threatening emails. Downloading illegal material (such as child pornography or pirated software or music) can result in both civil and criminal actions against the company, especially if it is determined that the company was aware of the actions and failed to act on them. Companies can choose to block unauthorized sites (such as adult or hacker sites) at the web proxy server. They can also monitor web traffic and warn users who visit these sites.

Users who post to Internet bulletin boards should be cautioned against using company computers to post because it might tie the company name to the posting. System administrators and developers might post comments to technical bulletin boards or newsgroups. Often developers might ask a technical group for assistance with a particular problem. In doing so, however, they reveal sensitive configuration information about company systems that can be later used by an attacker. They might also respond to postings by other persons and provide answers or assistance (even including code fragments). If this code is found to be faulty, the company can bear some liability for the employee's actions.

Threatening or inappropriate emails can carry liability for the company. Employees should be cautioned against posting or sending nonbusiness-related emails from company systems. It is hard to enforce a policy that strictly states that any personal use of company email systems is prohibited, but a reasonable compromise might be a policy that states that the systems are for business use primarily and that personal use should be only occasional. The policy should also enumerate what constitutes inappropriate usage of email systems, such as the spreading of viruses, sending chain letters, posting offensive content, and so on. The policy should not state that all data and messages on company systems are the property of the company. Doing so could make an organization liable for employee misconduct if, for example, an employee sends harassing emails to an external party. The company, in this case, would not want to claim ownership of the offending messages.

Employees can also use company computers as platforms to launch attacks. These attacks can be against either company computers or external systems. Attacks against other computers on the internal network might be motivated by a desire for revenge, simple curiosity, or a drive to gain information for personal gain. System administrators, because of their privileged status, are able to monitor network traffic, map users' drives, and read their email. Care should be taken when conducting sensitive discussions such as salary negotiations, potential reorganization or downsizing, or business planning unless participants are confident that administrators are not reading them.

Systems are also vulnerable to physical theft. Employees can steal laptops, disk drives, monitors, and other peripherals. Theft of memory chips is especially common in many high-tech companies. The chips might be taken home for personal use, or the employee might simply be "upgrading" his company system at the expense of others.

The theft of proprietary or sensitive company data is perhaps the greatest threat that an insider can pose. The employee might have legitimate access to the data or might gain access either by hacking into other computers or by stealing paper documents from printers, copiers, fax machines, or wastebaskets. If an employee is determined to send data out of the company, there is virtually nothing that can be done to stop it. The employee can email the data directly to a competitor. If email is monitored, the person can use a web-based email service such as Hotmail. If email is monitored for content, he can change the names and extensions of files, add files to zip archives, or encrypt files prior to transmission.
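A small content check of the kind a mail gateway can apply when file names and extensions cannot be trusted, added here as an example (it is not from the book; the signature table, the output labels and the sample files are this example's own assumptions). It compares a file's leading bytes with what its extension claims and also reports zip archives whose first entry carries the encryption flag, which covers the renaming, archiving and encrypting the paragraph describes.

```shell
#!/bin/sh
# Added example, not from the book: inspect an attachment by content rather
# than by name. The signature table below and the output labels are this
# example's own conventions.

# leading_hex FILE NBYTES [OFFSET]
# Print NBYTES of FILE starting at OFFSET (default 0) as lowercase hex.
leading_hex() {
    od -An -tx1 -N "$2" -j "${3:-0}" "$1" | tr -d ' \n'
}

# expected_magic EXT
# Print the hex signature a file with extension EXT should begin with, or
# nothing for extensions that have no fixed signature (txt, csv, ...).
expected_magic() {
    case "$1" in
        zip|docx|xlsx|jar) echo 504b0304 ;;   # "PK\3\4" local file header
        pdf)               echo 25504446 ;;   # "%PDF"
        png)               echo 89504e47 ;;
        gif)               echo 474946   ;;   # "GIF"
        jpg|jpeg)          echo ffd8ff   ;;
        *)                 ;;
    esac
}

# inspect_attachment FILE
# Prints one of:
#   OK
#   MISMATCH ext=<ext> magic=<first 4 bytes>   content does not match the name
#   ENCRYPTED-ZIP                               zip whose first entry has the
#                                               encryption bit (bit 0 of the
#                                               general-purpose flags, offset 6) set
inspect_attachment() {
    f=$1
    base=${f##*/}
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   ext="" ;;
    esac
    head8=$(leading_hex "$f" 8)

    # A zip header is a zip header whatever the file is called; check its
    # flags before anything else.
    case "$head8" in
        504b0304*)
            flags=$(leading_hex "$f" 1 6)
            case "$flags" in
                ?[13579bdf]) echo "ENCRYPTED-ZIP"; return 0 ;;
            esac ;;
    esac

    want=$(expected_magic "$ext")
    if [ -n "$want" ]; then
        # The extension claims a known type: the leading bytes must agree.
        case "$head8" in
            "$want"*) ;;
            *) echo "MISMATCH ext=$ext magic=$(leading_hex "$f" 4)"; return 0 ;;
        esac
    else
        # The extension claims nothing in particular (txt, none): still refuse
        # to let a known binary signature hide behind it.
        case "$head8" in
            504b0304*|25504446*|89504e47*|474946*|ffd8ff*)
                echo "MISMATCH ext=${ext:-none} magic=$(leading_hex "$f" 4)"; return 0 ;;
        esac
    fi
    echo OK
}

# Usage: inspect_attachment /path/to/quarterly.txt
```

A report of `MISMATCH` or `ENCRYPTED-ZIP` is a reason to hold the message for review, not proof of wrongdoing; the value of the check is that it is applied to bytes the sender cannot relabel, so it complements rather than replaces the content monitoring the text assumes.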

Encryption poses a special challenge because it can restrict the company's capability to search for sensitive data or evidence of abuse. Companies should address the use of personal encryption products in their usage policies so that employees know that unauthorized encryption will not be tolerated. Authorized encryption products can be a strong safeguard, especially for a traveling work force with laptops. However, the company must have a key recovery or escrow policy in case the employee is terminated or forgets the password. In some jurisdictions, the presence of encryption tools might open up the company to criminal liability. Some European and Asian countries, for example, do not allow any encryption products to be brought into the country unless the encryption keys are provided to authorities.

Employees can also remove data from the premises without using the network. They can copy it to floppies, CD-ROMs, or high-capacity disks such as JAZ or ZIP. With the advent of personal data assistants, it is now possible to copy large quantities of data (over 256MB at the time of this writing) to removable data storage on a PDA. With the right setup, this can even be done via infrared transfer without any wiring or direct connection. The data can be stored on a small card less than 2 inches square.

Data, even if it is not provided directly to competitors, can be extremely embarrassing or damaging to a company's reputation. Internal documents about potential mergers or downsizing have been posted to stock bulletin boards, resulting in a loss of stock value. Forged documents have also been posted. Even if the documents are not true, the company might be forced to respond to them, and the reputation or stock value might still suffer.

Employees can also pose as external attackers. At the time of this writing, there had been an increase in the number of extortion attempts against companies. Attackers would break into the systems, extract some data, and then threaten to either release the data or repeat the break-in unless the company paid them. In one incident, an insider removed sensitive data and then posed as an external attacker in an extortion attempt. The data could only have been obtained by someone with access to the computer systems, so the company was forced to take the threat seriously. An audit of the affected systems, however, indicated that it was extremely unlikely that the attack had occurred from outside the network. The investigation was shifted to concentrate on insiders who had access to the data.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103