Security tips for dealing with a rogue user, Part 2

QUESTION
From: mouse333
Date Sent: 03 Nov 2005

We have a rogue user who knows more than she should. She can grant herself and other users the authority to access files that are supposed to be secured. Does anyone know how we can monitor her activity or go back and review what she has done? is there anything that we can do? We think she may be using a different User ID. There are several we believe she may be using and we have changed those passwords. She knows we're on to her and probably won't do anything for a while. In the past she has made the comment "if you knew what I was doing, you'd take it away from me." Does anyone have any suggestions?

Response 12
From: Layer9
Date Sent: 06 Nov 2005

Amen to the pen testing. Jeremy is right on the mark there. An internal security analysis would reveal whatever weakness this user is exploiting.

Also, I feel guilty just telling you to get a consultant and not offering any technical advice, so here it is.

Assuming your Layer 2 network is a Cisco or other SPAN compliant vendor this will likely reveal what they are doing:

1. Trace back from the desktop to the actual switch port her workstation is connected to. If you don't have a current wiring diagram or a coding system you can use a "cheap-o" toner to trace it back to the switch. (If you don't know how to use a toner to do this let me know and I will walk you through it). Then trace back your own desktop to the switch as well. Hopefully they are plugged into the same switch -- if not, then you will want to plug a laptop in from inside the wiring closet.

2. Once you have the port number on the switch, log onto the switch, enable SPAN if it is a Cat, and set the port your desktop or laptop is plugged into as the MONITOR PORT. Then set the port that the rogue user's system is plugged into as the MONITORED PORT.

3. Then (on your desktop) download Ethereal (it's free) -- or use Sniffer or Etherpeek if you have it -- and install it on the desktop. Set a filter in your protocol analyzer to filter on her MAC or IP (I would use the MAC -- it's a surer bet in case she is really IP spoofing) to all other systems. In other words, you are only seeing the traffic to and from her desktop from any other desktop or server on the Switch. Examine the packet captures between her and the logon servers particularly and also with the system or systems where the files she is accessing are stored. These packet captures will show you what she is doing to get in -- or at least point you in the right direction. Believe me, it works every time.

I think we tend to forget the non technical solutions. The thing I would do is make sure that HR is on board with the fact that circumventing security is a fireable offense, then take the offending employee in to HR and ask her what she is doing, how she is doing it and why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot.

Response 14
From: ItDefPat1
Date Sent: 07 Nov 2005

Overall, very good suggestions so far. Let me try to outline:

• Management: Management must be on board. HR, legal and various others should also be involved. Are you addressing breaking policy, illegal activities or something that could have financial or regulatory/compliance impacts to the company? Legal and financial implications may need the involvement of various law enforcement agencies. In the US, there are at least 4 (four or more) agencies that may get involved depending on the type of criminal activity:
  • FBI: Foreign adversary, sexual predator, fraud
  • Dept. of Justice: Hacking, intellectual property, theft of trade, industrial espionage (there is at least one cyber crime specialist in each jurisdiction)
  • US Treasury: Counterfeiting, financial access, fraud, identity, banking, telecom, cellular cloning
  • Homeland Security: Critical infrastructure, terrorism

• Legal: Regulatory and compliance issues abound if your organization must adhere to things like HIPAA. There are an abundance of regulations like Sarbanes-Oxley that may affect a broad range of organizations.

• Authorization: You need to be explicitly authorized for investigative oversight. Or hire an IT auditor (CISA). Most of the agencies I listed above may provide guidance even if they won't get involved.

• Policy: You must have published and generally known (by users) policies in place. Otherwise, nothing any of us has said matters. Some have mentioned that you may even want to have users sign documents. You can also take a training approach and mandate attendance. State that the reason for the class is to assure user compliance. This is bit less obtrusive and easier to get the users on board, but it takes time to deploy. Either way, you must have good company policies.

• Technical actions: You can choose a corrective or an investigative approach. If you just want to stop the activity, corrective -- or you may be directed to investigate the violation for possible company or legal recourse.

  Corrective approach: You need to control Identification and Authentication (I&A). Are your I&A polices appropriate? Do you have policies on things like password length, use of accounts, etc. Next, you need to configure your systems to require users to follow these policies. Change all users passwords. Or add a user/password management tool -- there are a great number of software options available -- install on servers, domain controllers, etc, as well as appliances. Apply these improved policies.

  • Every OS provides very good access controls at the file system. Windows has NTFS; there are various for the Unix & Linux, including NFS. Improve permissions. There are a great many of documents that provide guidance on these: Reduce Write, Execute, Group and other powerful privileges (what these are called varies by OS).
  • You can add encryption. This can require a bit of effort and expertise depending on approach, but even this will ultimately depend on I&A.
  • If you can, restrict people to logon to a specific computer only (i.e., they can't login from everywhere), then you can add restrictions to where the computer can connect to. You could do a variety of filtering using Layer 2 switches (e.g. VLAN) as well as TCP & IP restrictions (Layer 3&4). VLANS need a router to connect to other VLANS, so you wind up needing to set up a router or firewalls to connect to anything. Both will provide very good auditing of activity. You can also add I&A to the network devices to control access from one network to another. There are various I&A tools, like kerberos, EAP/LEAP, 802.11i/x, TACACS, etc., depending on your environment.

• Investigative approach: You have several options:
  • If she is operating from a corporate PC, then you can do the VLAN-Router/Firewall approach. You can also install a keystroke monitor or bot. This may be legally challenging -- get management, legal, etc. involved. Get authorization in writing to install this. You can use Ncat, Netcat, Metasploit and or any number of similar tools. You could even use tools like PCAnywhere or other remote control.
  • Most OSs will have options for a variety of auditing. Turn on more auditing. Auditing can hurt overall system/network performance, so use carefully. Syslog (Unix, Linux) is very handy. There are syslog clones/ports for Windows also. A lot of vendors have tools. Be sure your logs are secured, especially if you are going to use in legal actions. You should add this to most systems and network devices -- you want to follow her everywhere.

  There may be some dispute, but it probably will be better and easier to fix than to investigate. Fixing will prevent future, enable you to detect, etc. This one bad insider may be the tip of the iceberg; she may have corrupted other people (into doing wrong). And if she can get away with it, maybe someone from the outside could get in undetected. First: Protect, defend and mend. If you do that, you probably will have the ability to investigate anyway.

To this213, thank you for the good words regarding my post. Layer9, very good info -- I will be going to your site based on your posts. Bobkberg and all others, right on top of this as usual. To the person that suggested firing the "offender"... my experience has been that this is never as simple to do as it seems. To list just a few reasons:

• You may have to perform something like this (the type of security breach that is being discussed) on behalf of the company that you work for.
• What if the CxO (CEO, CFO, CIO, etc.) is the perp? If you (the security IT pro) do not have access to the CxO's profile, resume, known likes/dislikes, etc., how would you know if he/she faithfully attends every hacker-type event in the universe?
• Is the perp acting alone? Has someone been watching said perp... and not telling anyone else, maybe with the idea that they can ride on the back (so to speak) of the perp and fulfill his/her own agenda?
• And if you knew or (maybe worse for you) if you did not know that the perp is directly related in some way to the CxO?

Better the evil that you know? Eyes wide open.

Response 16
From: ItDefPat1
Date Sent: 07 Nov 2005

I also agree, firing can be challenging. Especially if they have root/admin access -- if they wanted, they could do damage.

Also, as I said, you need to have corporate and maybe legal justification to do so (depends on your local laws). If not, it could be worse for the company legally.

And as TIMWATSON said, what if this rogue is close to someone in the C-suite? If the rogue activity is bad enough, it might be better to go to the top (CEO, president or legal) or outside law enforcement for guidance. Either way, it could be thin ice for the "good guys." There have been a couple of cases where the "good guy" was fired, arrested and/or sued for investigating a violation of law or policy (reported in SANS.org as I recall). Walk carefully and have important friends.

After all of this, still no info on what platform is involved, nor anything about what kind of business environment, nor any business policies might be in force.

In companies/agencies I've worked for in the past... hmmm... 20 years, this wouldn't be a problem. There was always someone with LEGAL liability who had sufficient authority. (Note that legal 'liability' is not necessarily the same as 'responsibility' in the business.) The individual with liability needs to be taking action just to keep his or her self out of jail.

But then again, maybe this is just a small office -- a privately run business and the network is run by the owner's nephew. A mix of Win95/98/2K on the desktop and a maybe even a Win2K Server. And everybody in the office is good pals with everyone else and always trying to one-up the others. Quite possibly nothing useful can be done since there is zero budget for any "security professional" and the nephew doesn't know even what Ethereal is, much less any tools that might be useful.

Knowing zero about the context of the problem, zero useful info can be given.

Response 18
From: Recovery1
Date Sent: 08 Nov 2005

I must agree with most of the comments made regarding this matter. Not only do you have legal responsibilities regarding the breach of the other employee accounts, but if in some strange situation any malice occurs -- how to you find and hold the individual responsible? As an electronic cyber crime and fraud investigator, we always suggest that you protect your current investment which is your user integrity as well as the data contained on the system.

In large corporate systems, a user that is rogue can cause countless minor damage to data structure and other related matters and have it appear to be initiated by another user in this situation. This is a serious legal matter.

The other issue is you do not have any hard proof that this is occurring. In the event that you are wrong and you falsely accuse an employee, you have other serious legal problems.

My professional suggestion is the following:

• Hire a security consultant that specializes in fraud investigations and is an expert at forensics. This will provide you the legal information you need in the event you wish to proceed with pressing charges against the employee if any breach of security or other illegal or un-ethical events have occurred and are proven.
• The next thing I would do is install a keylogger on the PC of the user you suspect and from that report the daily activities to base an educated opinion on before making the next decision.
• Identify the individual and obtain the proper evidence in a legal and proper manner so court action can be started. Also with hiring a third-party to do the investigation other than law enforcement (who will not go to this extent to prove a crime that may or may not have been committed), you omit the issue of bias regarding the investigation.
• Finally, this can be done by remote access in most cases, but in some serious cases on-site services will be necessary. The main goal is to prove the theory and then prove the occurrence and identify them and correct them before any damage is done to your systems or data structure which is a serious consideration if you manage and host sensitive customer private data.

  Get a consultation and find out your options. In a cases like this, be pro-active not re-active.

Posted on behalf of DiegoDH:

I agree with Sidzilla that non-technical solutions must also be taken into account. One of these is to have proper policies and procedures in place. Another is to make frequent revisions of users existing in the systems and their level of access ("certifications of Users and Permissions"). These mitigate two different risks:

1. Having users in the system that should not exist
2. Having authorized users with more privileges than they need to do their job

Regarding taking the offending employee to HR directly, be cautious -- you may need to provide evidence that she is the culprit of something illegal. Ask HR and legal departments first, and see what the company's internal policy says (if such policy does exist at all).

Response 20
From: Sidzilla
Date Sent: 09 Nov 2005

I hope I wasn't misunderstood. The post said that the user had definitely been accessing secured files and giving others access to the same. Firing is always a last resort and is always best done with caution. However, it was my impression that the evidence of the breach was already there. Oftentimes it is best to proceed with haste in a situation where security is an issue. A long drawn out investigation or an open confrontation seems to be the choice. If the employee is already identified and if the files she has altered the security rights to are already evident, it would seem the investigation is over. If the employee is confronted, the most important aspect of the scenario is the confession of HOW she was doing it -- to prevent future breaches. Firing would happen only if the information is not given up in an expedient manner. Hiring a network security specialist to find out what this employee already knows seems redundant.