Thwart Attacks from Inside the Wire

When security software vendor eEye had its Web site defaced, the company
immediately suspected a “disgruntled employee.” Most internal attackers,
though, are stealthier. Intrusion detection methods that target internal
users continue to emerge. Meanwhile, companies should also use a range of
other security techniques to ward off abuses by their own employees.

eEye, which produces Spynet network sniffer, probably had good reason to
guess an employee was to blame. According to an account by UK-based VNUnet,
a message posted on eEye’s Web site read, “Would you trust a security
company that cannot even secure themselves?” Also on the defaced Web site,
the attacker charged that eEye mistreated its employees, savaged the
company’s products, and extended the contemptuous nickname “Chief Hacking
Officer” to eEye official Marc Maiffret.

The eEye incident happened in December of the year 2000. Studies since then
have shown that internal attacks continue to be a major threat. In the 2002
CPI/FBI survey, for instance, 59 percent of organizations surveyed admitted
to at least one internal attack. Sometimes, though, internal perpetrators
do get caught.

Earlier this year, a Manhattan paralegal was sentenced to prison
for allegedly stealing a confidential electronic document from his
employer, Orrick, Harrington & Sutcliffe LLP. According to materials released by the US Department of Justice, the document in
question was a trial plan for the plaintiffs in a tobacco-related
lawsuit entitled Falise et al. vs. American Tobacco Company. et al.

The paralegal stood accused of downloading the
trial plan from Orrick’s computer system, and of then sending an e-mail to
attorneys for defendants in the suit, offering to sell them the plan. After
being snared by an FBI undercover agent, who posed as a defense counsel,
Farraj pled guilty to conspiracy charges for wire fraud, transporting
stolen property interstate, and accessing a computer without authorization.

More typically, internal security breaches are handled inhouse. Companies
such as AccessData Development and NTI make forensic software that can be
used by law enforcers and corporations alike to track user activity on
Windows-based systems after evil deeds have already been done. An open
source program known as The Coroner’s Toolkit fulfills similar functions on
UNIX-based systems.

Obviously, it makes more sense on all sorts of levels to try to prevent
internal attacks before they happen. Intrusion detection systems (IDS)
constitute one approach that can be useful in prevention, although efforts
certaintly shouldn’t end there.

“Whenever you have an internal network, employees should also be considered
a threat,” says one security consultant, Edward P. Yakabovicz.

“You need to be continuously looking at new technologies in intrusion
detection, (as well as in) the layered approach and whatever firewalls you
use,” according to Yakabovicz.

Data from other surveys show that firewalls are still way ahead of IDS in
terms of organizational penetration. Firewalls, though, do have
limitations. Nir Zuk CTO and co-founder of OneSecure, flatly maintains that
“firewalls can’t detect intrusion.”

Although firewalls can control which traffic is permitted to enter and
leave the network, some of the traffic they allow may be nasty in nature.
Firewalls can be fooled by IP spoofing, as well as by techniques such as
embedding malicious code into innocuous-looking data.

Increasingly, though, firewalls are now being integrated with IDS. To give
just one example, the RealSecure IDS is designed to reconfigure either a
CheckPoint or Lucent firewall to reject traffic from the attacking source

Experts advise deploying combination of host- and network-based IDS. Each
carries advantages and disadvantages. Host-based IDS, for example, can
continuously monitor system files and system logs in search of suspicious
behavior. On the other hand, once a host is compromised, its IDS can be
easily commandeered as well, points out Yakabovicz. Network-based IDS are
geared to broader-based detection.

Some vendors, including ISS, have been developing so-called “hybrid” IDS,
aimed at bringing together best-of-breed technologies from both the hostand
network-based worlds.

Beyond protecting the enterprise network from outside interlopers, IDS can
be set up to safeguard individual departments such as accounting and
marketing, for instance. One technique is to place a network-based IDS
between the division’s systems and the division router, for example.

To catch internal miscreants, though, the IDS system should be designed to
detect “anomalous use” – behavior that differs from “regular” activity on a
particular network — as opposed to “misuse.”

By overcoming the inflexibility of signature-based technology, anomalous
systems are “truly the way the future is headed,” Yakabovicz advises. “You
need to have a smarter technology,” he adds. For obvious reasons,
organizations should devise different rule sets for internal versus
external users.

It’s also quite possible, though, for external attackers to dupe the
network into treating them as company employees. Way back in the late
1990s, a researcher at the University of Virginia coined the phrase “pseudointernal
intruder” to refer to this type of miscreant.

“Since 1980, the intrusion detection community has divided intruders into
two categories (internal and external) based on the intruder’s access to a
system. The proliferation of distributed systems with complex networks has
necessitated a reexamination of intruder definitions. We define a new
category, the pseudo-internal intruder. This new category encompasses
intruders without user accounts who circumvent the perimeter defenses of a
modern distributed system and attack the system via its network,” wrote
Brownell K. Combs, who was then a grad student in the university’s Computer
Science Department.

Outside of IDS and firewalls, other technologies useful in fending off
internal attacks can include authentication, encryption, and user
provisioning, to name a few.

The good news is that organizations often have greater recourse against
internal perpetrators. Employees can be required to agree to policies
around security and intellectual property when they first join the company.
If they break the rules later on, they can lose their Internet access
rights, for instance, or even their jobs.


See All Articles by Columnist
Jacqueline Emigh

Latest Articles

Follow Us On Social Media

Explore More