Inside Job

Enterprises are beginning to realise that the greatest threat to their security is not from unknown sources, but their own employees.

By Zoe Moleshead. Published December 29, 2002

Vulnerabilities

The term hacking often conjures up images of so-called computer nerds pitting their brains against supposedly impenetrable IT systems, or in the case of cracking, targeted attacks against a selected high profile web site or system to deface or destroy it. Such images leave many companies believing that they are not at risk from such attacks; the reality, however, is a different story.

“Companies say ‘we’ve been around for 10 years now and we have never been hacked.’ The fact is by 10:30 in the morning they have probably had their IP addresses and ports scanned 10-15 times by people who haven’t got a clue who they are and are just searching around. If they find something that is open, they investigate a little further,” says Dean Bell, managing director, Scanit.

However, more alarming than the regularity of such scanning procedures is the fact that many of these attacks are actually facilitated by internal users or practices. A mix of poorly configured systems, sloppy user practices and disgruntled employees all serve to undermine security.

“Your people are your greatest asset, but they are also, unfortunately, your greatest vulnerability. It’s people’s perceptions of security that makes them insecure,” comments Bell.

As such, staff are often the first port of call for so-called crackers that are looking to break into systems, and in some cases, employees are even the perpetrators of such attacks. While many companies believe protecting their systems with a host of firewalls, intrusion detection systems (IDS) and other perimeter security tools will provide adequate security, if the attacker is already inside the system these products become irrelevant.

“Enterprises often believe that once they close the door on the internal network it is safe, and that only the network exposed to the internet or outside is vulnerable, but once attackers get into a network they can bunny hop around,” comments Bell.

“There are far more exploits available for the local [internal] level than there are for the remote level,” concurs Sachin Deodhar, a security professional based in Dubai.

“As a remote user, a hacker can identify certain weaknesses and exploit them to gain user level access, but once they are a user on the system they have access to higher levels of information. They can run a program locally on the system to exploit other weaknesses,” he explains.

More disconcerting is the fact that many attackers actually gain access to the internal network via employees, mismanagement of passwords and usernames being the most obvious exploit. One of the first steps in attempting to break into an IT system is social engineering whereby employees are unwittingly primed and pumped for any information about the IT infrastructure of their company.

“For social engineering attacks, a cracker could pretend to be from the domain name registration company and call up the company’s web site administrator and say ‘because of a systems crash we have lost some of your information and we would like you to refresh the information by sending an e-mail to this address.’ And in eight out of 10 cases this will be successful and they will get passwords and confidential information, which would allow them to take over that domain and change the registration information,” says Deodhar.

In some cases, flippant comments outside of working hours or unattended PCs that are logged into the network proffer an easier route to important details about the IT infrastructure.

However, it is not just the average employee that comes under fire for sloppy practices; disgruntled ex-employees can also vent their frustration and extract valuable information from their former companies because they still have active network accounts.

“Do systems administrators delete e-mail accounts and user profiles when employees leave and how long does it take them?” questions Bell. “These [accounts] are easy to overlook and open up systems,” he continues.

Poorly configured IT systems also increase security holes and vulnerabilities and are again the fault of systems administrators. “What lets people into systems is poor configuration, knowledge and education. Bad configuration is just like an open door,” says Bell.

Hacking tools

Additionally, senior management comes under fire from local security consultants that stress the importance of dictating security policies and procedures from the top down. If company practices are not clearly outlined to individuals and policed on a regular basis, then vulnerabilities are to be expected.

“Security is very much left to junior members of organisations. It is a retrofit, afterthought policy — companies put systems in and then look at how to secure them. That suggests that security is not high enough on the CEO’s agenda that he can understand the benefits of having a structured and secure policy in place upfront,” says Martyn Molnar, business solutions architect, Tech Access.

Clearly defined security policies also help to define procedures with regard to corporate information and, as a result, ex-employees are less likely to walk out with a copy of their company’s database on a disk in their pocket, or even have that database e-mailed to them by a former colleague.

However, as the region’s enterprises begin to recognise the potential damages that cracking can cause to both a company’s reputation and bottom line, they are starting to invest in security policies and penetration testing.

“We have got a couple of clients that are now starting to work with us because they understand that putting in a security policy procedure and understanding the people issues upfront is something that does contribute to the bottom line,” says Molnar.

“We emphasise the business case — if your web site was defaced how much would that cost you? Probably somewhere between US$1 and US$1 million. But if someone hacks into your e-commerce site and takes your database of customers and their details, how much will that cost you? It’s a lot of money and a lot more than an audit or a firewall,” cautions Bell.

In response to the growing demand for penetration testing or threat vulnerability management, an increasing number of security consultancies and hacking courses have been established. While the aim of consultancies is to simulate attacks against a client’s systems to identify potential vulnerabilities, the security courses are designed to demystify hacking and provide security professionals with a knowledge of the tools and methodologies that are used to carry out such attacks.

“Security skills are fairly embryonic in the region,” says Molnar. Consequently, Tech Access is working with Scanit and Sun Microsystems in the vendor’s i-Force centre at Dubai Internet City to test security solutions and provide education to security professionals.

“We want people to be able to test their own systems and that is what we teach them during the courses. We encourage companies to train their people to perform basic tests on a regular basis, and when they require specialised work we are usually called in. This way we also work as a double check for them to ensure they haven’t missed anything,” explains David Michaux, CEO, Scanit.

With so many hacking tools available on the internet and new exploits developed almost daily, self-testing and an understanding of hacking tools and techniques is essential.

“We try and teach students how to make the best use of a number of the tools that are available on the internet. This includes showing them what actually happens when they run a test and why it is happening. In [other] courses we teach the students how these tools are actually written and how to write their own tools to meet the needs of their networks,” says Michaux.

Scanit also gives away free hacking tools during its courses. The aim is to familiarise participants with these products while negotiating configuration issues and the threats or bugs that can result from downloading the tools from the internet.

“We give away hacking tools with our courses; they are available on the internet, but it’s tools that often have to be configured with scripts,” says Bell.

“Hacking tools are available from a number of different places on the internet, the problem is that you never know what else you are getting with the tools when you download them,” confirms Michaux.

Furthermore, the courses are aimed at reducing some of the negativity that surrounds the idea of hacking and its tools. Both Tech Access and Scanit emphasise that the courses are not designed to create a counter culture of hacking; instead, the aim is to educate participants about how they can use these tools to test their security systems and ultimately enhance their protection against such attacks.

“These tools are not things that you buy off the shelf; these are tools that evolve. We don’t want to develop hackers, what we want to do is educate people about the tools and strategies that are available in the market to harden their infrastructure in a short period of time and then test its strength. That’s the philosophy we want to create, we are not using the i-Force centre to create a sub-culture, a hacking culture,” comments Molnar.

Skills shortage

A more worrying issue for the region is the lack of skilled security professionals. While courses can provide them with an improved level of knowledge, hackers are often highly skilled and resourceful individuals. As such, enterprises still need to rely on outside sources for in-depth and up-to-date penetration testing.

“In terms of skills, the penetration test requires a lot of skills — people that know operating systems very well, especially Unix and Linux. It is important to know how systems, services and so on operate because many hackers tend to go inside the kernel of the operating system,” says Dr. Amine Mehablia, head consultant of ComGuard.

Bringing in outside parties to test systems not only tackles the skills issue, it also offers impartial testing. Security consultants will carry out a host of tests to assess the weaknesses and vulnerabilities within a company’s network. These tests usually take a phased approach, starting with information gathering and social engineering, before moving onto the systems, scanning devices and attempting to gain entry onto the network.

“The enterprise infrastructure can be checked by remote infrastructure security assessment — both intrusive and non intrusive tests, onsite infrastructure assessment of the corporate and perimeter networks, application security assessment, and testing the network, operating systems and databases for any vulnerabilities,” explains Ayman Esmat, regional director, strategic services, Internet Security Systems (ISS) Middle East.

The result of such tests should ultimately identify vulnerabilities in the system and outline the tools or procedures to patch them up and protect against any potential threats. However, with new threats continually evolving it is important for enterprises to maintain levels of security, carry out independent penetration tests on a regular basis and also have expertise in-house, in the form of an independent security department.

Security consultants advise enterprises to establish security units that are completely separate from the IT department, and answer directly to senior management.

“Many companies have their own internal IT department play a dual role, but when the IT department tries to audit itself you can predict the results. They are going to cover up as much as they can, provide a truthful sounding report and say we are quite well protected and only need to buy additional firewalls and IDS systems to be even better protected,” comments Deodhar.

“Security should be a separate department from IT — it is two different ways of thinking. The IT manager thinks about keeping the network online, the security manager thinks about processes and testing the IT systems,” confirms Dr. Mehablia.

However, with regional enterprises moving increasingly into the e-age with web sites and e-commerce initiatives, attitudes towards security are slowly starting to change. Enterprises are beginning to recognise that security is paramount to their business credibility and reputation and, as such, are reassessing the tools and techniques that they can employ to protect their IT infrastructure from both internal and external hacking.

“The Middle East was known as the paradise for the hackers,” says ISS’ Esmat. “However this statement is no longer valid. Senior managers have realised that they cannot join e-commerce, e-business, e-government and other e-initiatives unless they have a secured infrastructure that can be trusted by other parties,” he adds.
