As administrators, we often devote a lot of energy to external security. We install firewalls to protect the network from outside hackers. We use encryption to protect the data we send over the wire. We use group policies to control who has access and when. However, too often, we forget that the greatest threats can come from those who already have access to the network. I'm going to share the story of how one administrator dealt with an internal attack on her network and how it caused a reevaluation of internal security in her organisation. Meet the enemy
Internal security has always been a priority in the company where Debra works as a senior network engineer. Management has made it clear to users that they are not to share passwords and should never attempt to access information they are not intended to access. In fact, breaking either one of these rules can be grounds for termination. Nevertheless, that didn't stop one particular new employee from becoming a nuisance. A new associate in sales came to the IT department shortly after he started working at the company and wanted to talk about an idea he had to save the company money. Upper management encouraged IT to work with him since the idea involved cost savings. The company was considering purchasing an expensive software package. The sales associate claimed he could put together the same system using Linux, some other readily available open source packages, and a little programming. He met with IT and diagramed it all on a white board. It was impressive, and it sounded pretty easy to set up. All he needed to begin was a network connection for his Linux box. Feeling pressured by administration, IT gave him access but explained he would need to work with IT and contact them when he needed assistance. Mistake one
Debra was given the task of working with him on the project. She had been learning Linux and looking for areas where the company could use it on its network. She was excited about the project, but like her boss in IT, she was a little hesitant about the new associate's ideas, which seemed too good to be true. The new associate's office was equipped with two network connections: one to his company-supplied Windows NT PC and the other to his Linux box. He was not given any special access. He was a domain user like any other normal user. He was instructed to contact Debra if he needed additional access. About a week later, an IT employee was walking through the part of the building where the new associate had his office and noticed something out of the ordinary. A small generic network hub was plugged into a nearby network jack and was being used to span the port. A network cable was connected to a nearby server. This server was part of the project the new associate was working on. The hub was removed and the incident was reported. When confronted, the associate apologised and said he just wanted to get going on the project and didn't want to bother IT. Once again, he was informed that he needed to work with IT on this project. IT explained that a cable run was ordered and should be completed the next day. The break-in
A few days later, Debra was given the task of setting up his e-mail. She attempted to connect to his PC via PCAnywhere and received an error that the machine was not present. She checked Server Manager and verified the PC was active on the network. A check of the services on the associate's PC revealed that the PCAnywhere service had been stopped. She started the service without problem. Right away, she became suspicious. The PCAnywhere service typically does not stop unless it has a problem on startup. She checked the event log of the PC and didn't see any messages indicating the service had failed to start. She proceeded to connect and begin the Outlook setup process. At the end of the process, an authentication dialog popped up. Something was wrong. The IT departments has Outlook set to use the NT logon, and the only time the logon will appear is when NT does not recognise the account that is trying to access the mailbox. Debra clicked on the Start button to see who was logged on and was shocked to see "administrator." She turned to her manager in IT, who was standing behind her, and said, "He's changed the administrator password on this machine." To verify this, she logged off and attempted to log on with the administrator password. The password had been changed.