The Employee Who Never Leaves
Learn how to prevent that former employee from leaving behind a device that can expose your network to a security breach.
By Phil Kostenbader and Bob Rudis
1/4/2008


Your contractor or employee has turned in his or her badge and handed over the department-supplied notebook computer, and all the accounts have been disabled. But are you sure they are really gone? Despite your best efforts, advances in the technologies that go into portable computing devices are making it substantially more difficult to ensure the confidentiality, integrity and availability of your network.

Handheld devices play an important role for many organizations. Much smaller than a notebook but almost as powerful, they now support similar applications, and some can even run desktop and server-class operating systems. To facilitate our ever-connected life and work styles, many devices offer on-board Wi-Fi and third-generation services, and these capabilities can easily be added to older, cheaper devices as well. It is this inherent ability to communicate that makes these systems so dangerous. You need to think about this when employees leave — especially because the biggest threats to network security are internal.

Devices such as the CradlePoint PHS300 Personal Hotspot are coming close to bundling all this potential insecurity into a convenient, easy-to-use package, but it’s not difficult to use an inexpensive, older personal digital assistant (such as the Compaq iPaq H3600) to accomplish the same task. For less than $300, anyone can obtain the necessary components to build a device that sports 64 megabytes of RAM and multiple gigabytes of storage; wired, wireless and 3G connectivity; and Linux. With such a platform as a base, it would be simple for an employee to load tools that facilitate encrypted remote access, wireless- and wired-network monitoring and recording, or just a simple network scanner.

It’s Not Mission Impossible

Because these devices are small and have decent battery life, they can be hidden almost anywhere: a conference room, wiring closet, data center, lab space or even an executive office. They can be easily concealed in the ceiling, under the floor or inside a desk. With 3G Internet capabilities, gaining access to such a device is easy. Unconventional access is also available — and potentially more dangerous, because it can work even in a radio-frequency-shielded facility — but it can be a bit difficult to visualize.

This type of access requires outbound access through the use of a single Transmission Control Protocol port. Many organizations permit Internet Web access or the use of outbound TCP Port 80. This port — even if it is proxied — can be used to support an encrypted tunnel from a hidden PDA. The device can generate this tunnel or back door and configure it to terminate at a remote location, such as someone’s home. The tunnel could allow off-site, continuous, encrypted reconnaissance of your network.

When combined, these elements significantly increase the possibility of your organization falling prey to unwanted computing equipment that supports unauthorized remote access:

• Ease of installation of small, hidden computing devices

• Ability to create tunnels or backdoors that allow remote access

• Lackadaisical physical security

It’s Not Hide and Seek

Such a setup, if well-hidden, would be difficult but not impossible to find. Tunnel activity, such as log-on and file transfers, would mix in with Web traffic, and properly planned network scanning might look like background noise. Batch files or script programs could be written to support and maintain the tunnel, making the device almost totally self-sufficient. A savvy user could also write scripts that would automatically remove the tunnel and any associated files if someone detected or tampered with the device.

You can combat the threat using visual inspection, network access control, network device inventory, network discovery scanning, packet-shaping or protocol inspection and connection-state table monitoring (typically done on outbound routers or firewalls) — all tools that will help locate such devices. Once found and properly dissected, the offsite termination point of the tunnel could lead to identifying the responsible individual.
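The connection-state table monitoring mentioned above can be automated. The following is an added example, not code from the article or its authors: it reads a snapshot of an outbound firewall's state table (the whitespace-separated layout, the sample rows and the thresholds are all constructed for this illustration) and flags outbound TCP connections on Web ports that behave unlike browsing, namely connections held open for hours or that send far more data out than they receive.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed sample snapshot of a firewall connection-state table.
# Fields: src_ip dst_ip dst_port proto duration_s bytes_out bytes_in
SAMPLE_STATE_TABLE = """\
10.20.4.15   93.184.216.34 80  tcp 12    8412     240133
10.20.4.15   93.184.216.34 80  tcp 45    2210     98021
10.20.7.201  198.51.100.7  80  tcp 86400 15288312 9102114
10.20.7.201  198.51.100.7  80  tcp 120   2048     1024
10.20.4.16   203.0.113.9   443 tcp 900   65000    1200000
10.20.9.3    10.20.1.5     80  tcp 7200  50000    90000
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WEB_PORTS = {80, 443, 8080}
# Thresholds are assumptions for this example; tune them to the site's own traffic profile.
MAX_BROWSING_SECONDS = 3600   # one TCP connection held open this long is unusual for browsing
UPLOAD_HEAVY_RATIO = 1.0      # browsing downloads far more than it uploads; a tunnel often reverses that
MIN_UPLOAD_BYTES = 1_000_000  # ignore the upload ratio on tiny connections


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    duration_s: int
    bytes_out: int
    bytes_in: int


@dataclass
class Finding:
    connection: Connection
    reasons: List[str]


def parse_state_table(text: str) -> List[Connection]:
    """Parse the whitespace-separated snapshot layout defined above."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, proto, dur, out_b, in_b = line.split()
        conns.append(Connection(src, dst, int(port), proto, int(dur), int(out_b), int(in_b)))
    return conns


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspect_tunnels(conns: List[Connection]) -> List[Finding]:
    """Return outbound Web-port TCP connections that look like a persistent tunnel."""
    findings = []
    for c in conns:
        # Only inside-to-Internet traffic can carry a back door to a remote termination point.
        if c.proto != "tcp" or c.dst_port not in WEB_PORTS:
            continue
        if not is_internal(c.src_ip) or is_internal(c.dst_ip):
            continue
        reasons = []
        if c.duration_s >= MAX_BROWSING_SECONDS:
            reasons.append(f"connection open for {c.duration_s}s")
        if (c.bytes_out >= MIN_UPLOAD_BYTES and c.bytes_in
                and c.bytes_out / c.bytes_in > UPLOAD_HEAVY_RATIO):
            reasons.append("more data sent out than received")
        if reasons:
            findings.append(Finding(c, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspect_tunnels(parse_state_table(SAMPLE_STATE_TABLE)):
        c = f.connection
        print(f"{c.src_ip} -> {c.dst_ip}:{c.dst_port}: " + "; ".join(f.reasons))
```

Run against the sample, only the day-long, upload-heavy connection from 10.20.7.201 is reported; the short browsing sessions and the internal-to-internal connection are ignored. A flagged source address is a starting point for the physical search the article describes, not proof by itself, so pair the result with the network device inventory to see whether the address belongs to a known asset.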

It’s the Basics

Many organizations support the use of Dynamic Host Configuration Protocol, making installation of a configured device as easy as plugging it in. Although the device could be placed anywhere, some locations might support sensitive information and so demand tighter controls. The best form for these controls might be different processes rather than technology. For example, network access to a data center should not be as easy as badging in and plugging in a device. Equipment installations in a data center should require filling out requests for power, rack space and network services — including network jack activation. Equipment removals should require requests for termination of power, physical device and network connections, with emphasis on deactivation of network jacks.

Controls in less-sensitive areas need not be as strict, but depending on the sensitivity of the systems and data, some may still be warranted. Physical security policies should also help defend against the placement of unwanted devices.
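Because DHCP hands an address to anything that plugs in, the DHCP lease list is a convenient place to apply the inventory and location controls described in the two paragraphs above. The following is an added example, not code from the article or its authors: it reconciles a lease file (constructed sample in the dnsmasq lease layout) against a hypothetical asset inventory, rating an unregistered device in the data center subnet higher than one elsewhere and flagging any lease held by a device the inventory says was returned at offboarding.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample in the dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1199500000 00:11:22:33:44:55 10.20.4.15 ws-finance-07 01:00:11:22:33:44:55
1199500100 00:11:22:33:44:66 10.20.4.16 ws-finance-08 01:00:11:22:33:44:66
1199500200 00:0a:95:9d:68:16 10.20.1.77 * *
1199500300 00:1b:63:84:45:e6 10.20.9.40 ipaq *
"""

# Hypothetical asset inventory: MAC -> (asset tag, status). A status of
# "returned" means the device was logged as handed back at offboarding.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("FIN-0007", "active"),
    "00:11:22:33:44:66": ("FIN-0008", "active"),
    "00:1b:63:84:45:e6": ("PDA-0112", "returned"),
}

# Subnets where any unregistered device warrants immediate follow-up (assumed layout).
SENSITIVE_NETS = {"data center": ip_network("10.20.1.0/24")}


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


@dataclass
class Finding:
    lease: Lease
    severity: str
    reason: str


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; hostname and client-id may be '*' when unknown."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _expiry, mac, ip, hostname, _client_id = line.split()
        leases.append(Lease(mac.lower(), ip, hostname))
    return leases


def location_of(ip: str) -> str:
    """Name the sensitive area an address falls in, or 'general' otherwise."""
    addr = ip_address(ip)
    for name, net in SENSITIVE_NETS.items():
        if addr in net:
            return name
    return "general"


def reconcile(leases: List[Lease], inventory: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Compare active leases with the asset inventory and return what needs follow-up."""
    findings = []
    for lease in leases:
        where = location_of(lease.ip)
        entry = inventory.get(lease.mac)
        if entry is None:
            severity = "high" if where != "general" else "medium"
            findings.append(Finding(lease, severity, f"unregistered device on {where} network"))
        elif entry[1] != "active":
            tag, status = entry
            findings.append(Finding(lease, "high", f"asset {tag} is marked {status} but holds a lease"))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_leases(SAMPLE_LEASES), INVENTORY):
        print(f"[{f.severity}] {f.lease.ip} ({f.lease.mac}, {f.lease.hostname}): {f.reason}")
```

The check keys on the hardware address, which a determined person can change, so treat it as one of the basic controls that catches the careless case and supports the jack-activation and removal-request process, not as a substitute for it.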

One of the best defenses available comes from making sure that employees know to report any unusual connection or wiring that they spot. Physical security policies may exist, but employees can become complacent. Periodic policy reviews are invaluable.

Although detecting a back door or tunnel is mainly a technical issue, reinforcing physical security controls, ensuring the effective use of process controls and heightening employee security awareness are critical to helping your organization avoid the threat of the employee who refuses to “leave.”

Phil Kostenbader, CISSP, works on global information security for Johnson & Johnson’s Network Computing Services group, and Bob Rudis, CISSP, is director of IT security and compliance at Safeco Insurance of Seattle.

COMMENTS
From: Dennis Flynn, Home
Phil is right on target. It's amazing how vulnerable many organizations are to this type of threat. I have an iPaq 3600 which I hacked to run Linux, and verified that I could do precisely the things Phil described (although I did not actually do them). Perhaps even more significant is the ability of "ex" employees to perform social engineering attacks based on inside knowledge.