We talk a lot about testing for security vulnerabilities from a hacker's perspective but we must not forget about those rogue insiders that can do as much, if not more, damage. Sometimes we are cognizant of the insider threat but often look past issues that may be screaming "HELP, your data's being exploited!".
When performing your internal tests, be sure to add the following commonly overlooked weaknesses to your testing to-do list:
1. Test for share, directory, and (if needed) file permissions to ensure that only authorized users can read, write, or do whatever to sensitive information on your systems. Do this for both servers and workstations. I come across a lot of shares and unprotected directories on Windows workstations -- oftentimes ones that anyone and everyone on the network has free rein over.
Create a new plain-vanilla domain user, log in as that user, and see what you can see and touch. You'll likely be unpleasantly surprised. Also look at explicit share and NTFS permissions for groups and users. This can be very tedious work but it needs to be done if you're going to keep your systems locked down internally.
The best way to go about doing this is using the right tools. Figure 1 shows DumpSec's share permission function and Figure 2 shows LANguard Network Security Scanner's Share Finder tool. Both tools are great for tracking down and auditing specific permissions that would otherwise take forever to do manually.
Figure 1 - DumpSec can uncover weak share permissions and more
Figure 2 - LANguard Network Security Scanner's Share Finder can track down shares, permissions, and more
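To show how share and NTFS permissions combine for the "plain-vanilla domain user" test above, here is an added example (not from the original tip and not output from DumpSec or LANguard). The row format and the sample entries are constructed, and it assumes allow entries only, with no deny entries.

```python
# Added example: model what a user who is only in broad groups can reach per share.
# Rows are constructed sample data in a hypothetical export format.
BROAD = {"everyone", "authenticated users", "domain users"}
LEVEL = {"none": 0, "read": 1, "change": 2, "modify": 2, "full": 3}
NAME = {0: "none", 1: "read", 2: "write", 3: "full"}

# (share, layer, principal, right); layer is "share" or "ntfs"
SAMPLE_ACES = [
    ("HR$", "share", "Everyone", "full"),
    ("HR$", "ntfs", "HR-Staff", "modify"),
    ("Scans", "share", "Everyone", "full"),
    ("Scans", "ntfs", "Domain Users", "modify"),
    ("Public", "share", "Authenticated Users", "read"),
    ("Public", "ntfs", "Everyone", "full"),
]

def plain_user_access(aces):
    """Return {share: effective level} for a user who is only in broad groups."""
    best = {}
    for share, layer, principal, right in aces:
        per_share = best.setdefault(share, {"share": 0, "ntfs": 0})
        if principal.lower() in BROAD:
            # Allow entries accumulate: keep the highest right granted on this layer
            per_share[layer] = max(per_share[layer], LEVEL[right.lower()])
    # Over the network, the more restrictive of share and NTFS rights applies
    return {s: NAME[min(v["share"], v["ntfs"])] for s, v in best.items()}

def findings(aces):
    """Shares where a plain domain user ends up with write or full access."""
    access = plain_user_access(aces)
    return sorted(s for s, lvl in access.items() if lvl in ("write", "full"))

if __name__ == "__main__":
    for share, lvl in sorted(plain_user_access(SAMPLE_ACES).items()):
        print(f"{share:8} plain domain user: {lvl}")
    print("review:", findings(SAMPLE_ACES))
```

A wide-open share permission is harmless when NTFS restricts the folder (HR$ here), which is why both layers have to be read together.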
2. Dig deeper and search your shares and directories for sensitive information that's not properly secured. You can use the text search capabilities of Windows Explorer but I prefer a faster and more robust freeware or commercial application like Google Desktop Search or Effective File Search as shown in Figure 3. Plug in some regular expressions and other text you think may point you to sensitive information such as "dob" for date of birth, "ssn" for social security number, and so on and see what your search utility finds. You may want to narrow your search down to text-based files such as DOC, PDF, TXT, RTF, XLS, etc. to cut down your scan times. You'll likely find unprotected sensitive information scattered about temp directories and the Windows desktop on local workstations and various directories on your file servers. If you don't find anything, you probably haven't looked deeply enough, so keep experimenting with your test queries.
Figure 3 - Use a text search utility to find sensitive information scattered about the network
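The search described in item 2 can also be scripted. This is an added example, not part of the original tip and not how Google Desktop Search or Effective File Search work; the extension list, keyword list and size limit are assumptions, and it reads plain-text files only, since DOC, PDF and XLS need a text extractor first.

```python
import os
import re

TEXT_EXTS = {".txt", ".csv", ".rtf", ".log"}   # assumption: plain-text types only
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
KEYWORD_RE = re.compile(r"\b(ssn|dob|date of birth|social security)\b", re.I)

def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued, to cut false positives."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")

def scan_line(line):
    """Return a sorted list of finding labels for one line of text."""
    labels = set()
    for m in SSN_RE.finditer(line):
        if plausible_ssn(*m.groups()):
            labels.add("ssn-pattern")
    if KEYWORD_RE.search(line):
        labels.add("keyword")
    return sorted(labels)

def scan_tree(root, max_bytes=5_000_000):
    """Walk root and return [(path, line_no, labels)], never the matched values."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        labels = scan_line(line)
                        if labels:
                            hits.append((path, no, labels))
            except OSError:
                continue   # unreadable file: skip it and keep scanning
    return hits

if __name__ == "__main__":
    for path, no, labels in scan_tree("."):
        print(f"{path}:{no}: {', '.join(labels)}")
```

The report lists file, line number and finding type only, so the audit output does not become another copy of the data it found.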
3. Connect a network analyzer to your network backbone and see what's leaving the network. Again, this is another test that'll likely uncover some issues you didn't know existed on your Windows network. Simply connect your favorite network analyzer to your switch's mirror or SPAN port (or to a local hub that your perimeter firewall is connected to) and see which protocols are in use and who your top talkers are. I like using EtherPeek SE for this because it has a "monitor" mode that will allow you to get an overview of what's going on without having to go to the trouble of capturing actual packets. You can let your network analyzer run for a few hours in the middle of the day or over a period of a few days to get a good cross section. Either way, I'm confident you'll find traffic, conversations, and possibly even employee shenanigans you never had a clue were taking place on the network.
Figure 4 shows EtherPeek's discovery of questionable protocols that shouldn't have been on a network. Hmm -- encrypted POP3 e-mail, SSH, and AOL Instant Messenger all coming from the same intern's machine? You've got to wonder what's going on with a setup like this.
Figure 4 - A network analyzer's monitor mode can uncover security weaknesses you'd never know about otherwise
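The "top talkers and protocols in use" review from item 3, as an added example that is not part of the original tip and does not reproduce EtherPeek's monitor mode. The flow records are constructed, and the internal address range and the list of permitted outbound ports are assumptions to replace with your own.

```python
import ipaddress
from collections import Counter, defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: internal address space
ALLOWED_OUT = {53, 80, 443}                       # assumption: ports policy permits outbound
PORT_NAMES = {22: "SSH", 995: "POP3S", 5190: "AIM"}

# Constructed flow summaries: (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.1.4.20", "203.0.113.10", 443, 120_000),
    ("10.1.4.77", "198.51.100.5", 995, 40_000),
    ("10.1.4.77", "198.51.100.9", 22, 900_000),
    ("10.1.4.77", "203.0.113.44", 5190, 15_000),
    ("10.1.4.20", "10.1.0.5", 445, 5_000_000),    # internal traffic, not egress
    ("10.1.4.31", "203.0.113.10", 80, 60_000),
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def egress_report(flows):
    """Return (top_talkers, unexpected) for traffic leaving the internal network."""
    bytes_out = Counter()
    unexpected = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue   # only count internal hosts talking to outside addresses
        bytes_out[src] += nbytes
        if port not in ALLOWED_OUT:
            unexpected[src].add(PORT_NAMES.get(port, str(port)))
    return bytes_out.most_common(), {h: sorted(p) for h, p in unexpected.items()}

if __name__ == "__main__":
    top, odd = egress_report(SAMPLE_FLOWS)
    for host, nbytes in top:
        print(f"{host:12} {nbytes:>9} bytes out  {', '.join(odd.get(host, []))}")
```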
There's one final issue worth mentioning that's much less likely to occur than the misdeeds mentioned above but can still take place. This issue is a rogue insider exploiting a vulnerability he's discovered by doing a quick vulnerability scan of the network. Using a number of free and easy-to-use tools, a contractor could scan a few hosts and come across a weakness such as the Backup Exec Remote Agent Authentication Vulnerability. If he has any computer-savvy about him, he could simply download and run Metasploit to gain a remote command prompt with full access to the system. All it takes is about 3 minutes and, boom, he's in! I've outlined how to use Metasploit for real-world security tests in this recent tip.
Some of these tests can take some time and effort to perform but they really need to be done to ensure your systems are secure from the insider threat. You don't necessarily need to run them each month or every quarter but at least make them part of an annual testing program.
About the author:
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).
This tip originally appeared on SearchWindowsSecurity.com
This was first published in March 2006