Another Good Reason to Increase Internal Security

Well, the much anticipated 2010 Verizon Data Breach Investigations Report is out, and once again it is an eye-opener! Let me say what a boon these reports are to the infosec community! Verizon and their team are to be praised and congratulated for all their hard work. These reports really help us keep current so we can protect our information from the right threats in the right ways. I know it’s not a large scale study, but I do feel it gives us good indications of trends and threats in the industry.

This particular threat report mainly gives us the data breach picture for 2009. It was compiled from nearly 900 actual incidents and includes a lot of input from the U. S. Secret Service this year. One of the surprising results of this particular report was the 26% increase in data breaches from insiders. It seems that organized cybercriminals are promising money to insiders with access to administrator level credentials. Unfortunately for these naïve inside individuals, it is proving very easy for the authorities to catch them. Also, it seems, the cybercriminals are usually not even paying them as promised! Despite these facts, it is evidently fairly easy to find plenty of insiders that are willing to sell their credentials. Go figure!

There are several ways to help counter the insider threat. The easiest thing you can do right off the bat is to ensure that those with high level access to the system don’t use the same credentials for their administrator and user accounts. You’d be amazed at what a common practice this is! All cybercriminals have to do is bust a few user level accounts and there is a VERY good chance that they will then be able to gain administrator level access. Administrator level passwords should be long, strong and ONLY used for administration purposes.

Another very effective method to counter the insider threat is to use true multi-part authentication mechanisms for administrative level access to the system; especially with very effective mechanisms such as tokens. Employing this practice means that cyber criminals not only have to steal credentials, they also have to get their hands on a token. And even if they do, it only gives them a short time to act; admin tokens are usually missed very quickly. There is also the option to employ biometrics. These can be problematic, but are improving all the time. And effective and reliable biometrics are even harder to overcome than token use.

You might say that good passwords, biometrics, and tokens won’t keep actual system and database administrators from selling out to the bad guys, which is true. However, there are other mechanisms available that can prevent lone bad-actors from compromising the system. One effective practice is management monitoring of high level access. If, every day, managers are looking at who accesses what and when, then the difficulty of stealing or corrupting data goes WAY up! Also, there are applications out there that can send out alerts when high level access is underway.

Another method, and a tried and true one, is the use of dual controls. If it takes two individuals to access systems, then cybercriminals have to corrupt two individuals and it becomes even easier for the authorities to figure out who the rats are. I don’t recommend this control except for very high value assets. The downside is that it’s a hassle to implement. There ALWAYS has to be at least two individuals available at all times or access becomes impossible. There are vacations, lunches and breaks to consider, and what happens in true emergencies such as floods, snow storms and the like? But this is a control that has been in use since long before computer systems were in place and it has proven to be very reliable.

These certainly aren’t all of the controls available to help counter the inside threat. I’m sure that you can come up with some others if you give it a little thought. But used individually, or even better, in combinations, should go a long way in protecting your data from the bad guys within!

“Scattersensing” on the Cheap for Insider Threats

I have been working with several clients to create a new process for combating insider threats. This new approach we have been calling “scattersensing”. Using this technique (or a variation of it), you can cheaply, effectively and efficiently identify overt insider threats that may be occurring around your organization’s network.

Scattersensing, when done with this method, costs less than $130 per scattersensor! Here’s what you need to do one scattersensing point of security visibility:

One older laptop or desktop system with a CDRom and a network card:

I use an old Gateway Solo like the ones found on this EBay page. None of the laptops on this page cost $100 and many are under $50. My scattersensor laptop that I use in the lab is a Pentium II 300 MHz with a small amount of RAM. The CD drive is built into the machine. The battery is long dead, but the rest of the hardware works. I bought the 100 Mbit PCMCIA card at a garage sale for $5, but they are also available on the cheap from EBay and a lot of other places. We don’t even really care about the hard disk, since we can run the entire system from a LiveCD if we need to, or if you have a working hard drive, you can do a hard disk install and make it even easier to use as you move it from place to place. You could also do this with just about any standard desktop, workstation or old PC you have laying around anywhere or can obtain at a garage sale or thrift store.

Now that you have the hardware, you need the operating system. For our approach, we suggest Puppy Linux. It has been tested to work as desired and can be easily hardened with a password change. You can read more about it and download the ISO image from here. Download it and burn it to a CD. You can then do the optional hard disk install if you like, simply follow the directions from the Puppy Linux site and/or from the included installer. (You may need to wipe the disk first if an NTFS partition is present). Cost of the operating system: FREE

Next, we need a copy of HoneyPoint Personal Edition from MicroSolved. You can get the zip file from here for Linux. To have the application run longer than 15 minutes at a time, you need to purchase a license for $29.95 from the online store here. Digital River will send you a license key via email. Use that license key when you first start HPPE and it will unlock the application for that system. You can use the license key over and over again on the same system if you are using a LiveCD (so keep it handy) or it will be maintained by HPPE if you did a hard disk install. Now, install, start, configure and license HPPE on your scattersensor.

Here is a picture of a scattersensor I use routinely in the lab and in the field for training/exercises. It is the Gateway Solo I referred to above.


OK, so now that you have a scattersensor built, what next? Next you deploy it. You place it in your network environment, using it to detect overt insider threats like scanning, malware probes, bot-net activity and anyone looking around the environment. Since the services that are being offered by the HPPE deployment aren’t real, there is absolutely NO REASON you should see any activity at all. Any activity you do see, should be treated as suspicious at best and malicious at worst. Investigate any activity you see, period. Many organizations find things like misconfigured software, holes in ACL’s or the like and of course, the variety of attacks previously described.

Using scattersensor(s), you can easily move them from network segment to network segment on a semi-random schedule. Move them to the DMZ for a week or so, then on to the server network segment, then to a partner network, then to workstation segments. Build more than one and cover a lot of areas easily. For small to mid-size organizations, a couple of scattersensors with HPPE may be more than enough to give you good security visibility and coverage. Many organizations have used the scattersensing approach for a while and then moved up to use the full blown HoneyPoint Security Server enterprise product.

There you go, a first light touch on the subject from Operation Anaconda. A way to easily (and incredibly cheaply!) get security visibility in a powerful and evolutionary way. Give it a try and let us know how you fair. You can report your updates and progress in the comments or via the #anaconda hash tag on Twitter. Good luck out there!