It is a common view within the information security community that an organization is more exposed to internal threats than to threats from external sources. It is a truth that most organizations find hard to digest: they invest a major share of the annual budget in securing the organization's information assets against outsiders, rather than in educating employees about the security practices that need to be exercised in their day-to-day work and in paying more attention to internal network security.
The real-life incident described below gives a clear picture of how a disgruntled employee can compromise the security of an organization's information assets using tools that are easily available on the internet.
- The user browses the internet from a cyber café in search of key-logger software and finds one that is small enough to be sent over e-mail.
- The user renames the software “Purchase Order” before sending it to his official mailbox, so that the spam filter configured on the mail server does not detect the attachment.
- The user receives the software in his official mailbox, bypassing the security controls implemented on the e-mail server, and downloads the executable file to his desktop.
- The antivirus installed on the system detects the malware and prevents the installation.
- Since the user is a member of a domain with limited rights, in order to install the software he logs out of the domain and logs in as the local administrator. Because the system runs Windows XP, it does not enforce a mandatory password for the local administrator account. Logged in as local administrator, the user disables the antivirus software and installs the malware on the system.
- After successfully installing the software, he logs back in to the domain as a normal user and starts the key-logging function of the software.
- With the objective of obtaining the domain administrator password, the user calls the systems support department on the pretext that he needs the Java software installed.
- The systems support person copies the Java installer to the user's system, runs the executable using the ‘run as administrator’ option, and installs the software on the user's system.
- The user opens the key-logging software and, to his delight, the domain administrator's password is displayed in clear text. This makes the normal user the owner of the Windows Active Directory domain.
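The mail filter in this incident was defeated simply by renaming the attachment, because the filter looked at the file name rather than the file's content. The function below is an added example, not code from the original post: it identifies a Windows executable by its content (the DOS header signature `MZ`, which every PE file begins with, whatever it is called) and only then falls back to an extension allow-list. The function name, the allow-list, the quarantine path and the `Purchase Order` file name are constructed for illustration; PowerShell 5.1 or later is assumed.

```powershell
# Added example, not from the original post: flag an attachment that is a Windows
# executable no matter what it has been renamed to. A renamed .exe still starts with
# the DOS header signature "MZ" (0x4D 0x5A), which is what this check keys on.
function Test-DisguisedExecutable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedExtensions = @('.pdf', '.docx', '.xlsx', '.txt')  # assumption
    )

    # Read only the first two bytes; the file is never executed or fully loaded.
    $header = [byte[]]::new(2)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytesRead = $stream.Read($header, 0, 2)
    } finally {
        $stream.Dispose()
    }
    $isPE = ($bytesRead -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    if ($isPE) {
        $verdict = 'BLOCK: PE header found; executable content regardless of file name'
    } elseif ($ext -notin $AllowedExtensions) {
        $verdict = "BLOCK: extension '$ext' is not on the allow-list"
    } else {
        $verdict = 'ALLOW'
    }

    [pscustomobject]@{ Path = $Path; Extension = $ext; IsPE = $isPE; Verdict = $verdict }
}

# Constructed sample: attachments the gateway has saved to a quarantine folder.
# Replace the path with the folder your gateway or endpoint agent actually writes to.
Get-ChildItem 'C:\Quarantine\Purchase Order*' -File |
    ForEach-Object { Test-DisguisedExecutable -Path $_.FullName } |
    Format-Table -AutoSize
```

The order of the two tests matters: content first, name second. A file named `Purchase Order.pdf` that begins with `MZ` is blocked by the first branch, so the allow-list can never be satisfied by renaming alone.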
What actions the user could have performed after obtaining the domain administrator password, I am leaving to the reader's imagination. This is not the case in all organizations; most organizations do not use the domain administrator password to install software.
How could this incident have been prevented?
- When implementing security controls, most organizations use a top-to-bottom approach: installing firewalls, IPS, IDS, creating a DMZ, etc., so that the organization is protected from all possible external threats, while leaving the internal network exposed to security threats under a false sense of security.
- In this scenario, the risk could have been reduced to an acceptable level if the organization had used a bottom-to-top approach: understanding the requirements of the users and providing only the required access/privileges, with proper business justification.
- The e-mail access provided to the user could have been restricted to sending and receiving e-mail within the corporate domain, with sending and receiving outside the corporate domain blocked. A user does not need to communicate with external parties using corporate e-mail unless there is a proper business justification and the necessary approvals.
- As a best practice, a strong password could have been set for the local administrator account during installation of the operating system, which would have prevented the user from installing the application.
- To prevent the user from accessing the domain controller after obtaining the domain administrator password, RDP connections to the domain controller should have been restricted to a limited number of IP addresses.
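Three of the controls above (internal-only mail for users without a business need, a strong local administrator password, and RDP to the domain controller limited to a few addresses) translate directly into configuration. The script below is an added example, not the post's own material. It assumes PowerShell 5.1 or later with the `Microsoft.PowerShell.LocalAccounts` and `NetSecurity` modules on the workstation and domain controller, an Exchange Management Shell for the transport rules, and an elevated session; the mail-enabled group `internal-only-mail@corp.example` and the management hosts `10.0.10.5` and `10.0.10.6` are constructed placeholders. Each numbered part is meant to be run on the system it names.

```powershell
# Added example (not from the original post). Placeholders: the mail-enabled group
# 'internal-only-mail@corp.example' and the management hosts 10.0.10.5 / 10.0.10.6.

# --- 1. Exchange Management Shell: restrict a group of users to internal mail ---------
# Inbound mail from outside the organisation to members of the group is rejected ...
New-TransportRule -Name 'Internal-only users: reject inbound external mail' `
    -FromScope NotInOrganization `
    -SentToMemberOf 'internal-only-mail@corp.example' `
    -RejectMessageReasonText 'This mailbox does not accept external mail.'
# ... and so is outbound mail from those members to external recipients.
New-TransportRule -Name 'Internal-only users: reject outbound external mail' `
    -FromMemberOf 'internal-only-mail@corp.example' `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'External mail requires a business justification and approval.'

# --- 2. Workstation: strong, unique password for the built-in local Administrator ------
# Prompted rather than hard-coded, so the password never lands in a script or a log.
$adminPassword = Read-Host -AsSecureString 'New local Administrator password'
Set-LocalUser -Name 'Administrator' -Password $adminPassword

# --- 3. Domain controller: accept RDP (TCP 3389) only from the management hosts --------
$managementHosts = @('10.0.10.5', '10.0.10.6')
# Turn off the broad built-in Remote Desktop rules, then add one narrow allow rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP - management hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $managementHosts -Action Allow -Profile Domain

# Verify: the only enabled inbound rule for 3389 should now be the one just created.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Action
```

Part 3 addresses the consequence described in the post: once the domain administrator password is known, the firewall rule on the domain controller is what stops an ordinary desktop from opening an RDP session to it, because the request never reaches the logon prompt.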
An obvious question that could come to the reader's mind is why the user would use e-mail as the medium to transfer the software when he could have used a USB drive. As per organizational policy, no USB storage devices are allowed inside the office premises, and access to personal e-mail accounts is also restricted using an internet proxy server.
There could be other methods as well by which this incident could have been prevented. It would be nice if team members came up with suggestions/ideas on how this incident could have been prevented.
Disclaimer: The steps mentioned in the incident are schoolboy stuff, but the impact they can have on the business can be huge. The steps mentioned in the incident should not be replicated by any individual. Unauthorized access, or an attempt to access unauthorized information, is a punishable offence. The writer/owner of this blog is not liable/responsible for any unauthorized activities performed by any individual. This is only a knowledge-sharing/discussion forum.