User circumventing security

Tags:
Application security
Database
Encryption
Instant Messaging
Microsoft Exchange
Secure Coding
Security
We have a rogue user who knows more than she should. She can grant herself and other users the authority to access files that are supposed to be secured. Does anyone know how we can monitor her activity or go back and review what she has done, or anything else that we can do? We think she may be using a different User ID. There are several we believe she may be using and we have changed those passwords. She knows we're on to her and probably won't do anything for a while. In the past she has made the comment "if you knew what I was doing, you'd take it away from me". Does anyone have any ideas?

Answer Wiki


First, make sure your procedural and policy ducks are in a row and carefully align what you do and say within that policy. Second, think through your priorities. Suspecting one end user has acquired super-user access may have serious overall implications — such as potential violation of defense contracting requirements or HIPAA obligations. Perhaps the priority should be a rebuild of your access control structure; since one “known” violation suggests there could be others. Third, obtain line management support at an appropriate level before, for example, installing key board capture or other detection measures.

Discuss This Question: 21  Replies

 
  • Layer9
    At this point you want to hire a security professional. It is clear that this user knows more than you do about network security, and you are not going to be able to monitor and control her using the knowledge taken from one post. That's why security consultants work in the field, for just such an occasion. Chris Weber Layer9corp.com
    0 points
  • Bobkberg
    Solutions has made several good suggestions. First off, I'd like to emphasize what he or she said. Before you get into any monitoring situations that are tied directly to the user's computer: MAKE SURE that you have line management support on this - probably HR also. But be prepared for some waffling - take notes, keep records. That said, there are other things you can do that are general. You didn't specify what operating system(s) you're using, so any technical details are going to differ depending on that answer, so I'm going to have to be general here until you post more relevant details. If you're in a Windows environment, list out all of the members of the Administrators group, and check their login history. Turn on security auditing for logins and for system/file/folder access for likely machines - then check regularly. If you're in a Unix/Linux environment, check all user and group IDs for root equivalence, or root group membership. If you find more than you know about, then check regularly for login time/date, and where it occurred from. If you're using NIS, check all user IDs there also. But - bottom line - if you don't get management support, email them about the matter clearly, and keep their response. It will be your "Pearl Harbor" file. Bob
    1,070 points
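Bobkberg's Unix/Linux step (check all user and group IDs for root equivalence or root group membership) can be scripted so it is repeatable. The following is an added example, not code from this thread or from any poster: it parses passwd- and group-format text and reports every account that has UID 0, primary GID 0, or membership in a GID-0 group and is not on a list of known administrators. The passwd and group contents, the account names and the `known_admins` list are constructed sample data; on a real host you would read `/etc/passwd` and `/etc/group` (and the NIS maps, as Bob notes) and compare the result against the previous run.

```python
"""Added example: flag root-equivalent accounts in passwd/group data.

The sample data below is constructed for the example and does not come
from the thread; read /etc/passwd and /etc/group on a real host.
"""

PRIVILEGED_GID = 0  # the root group

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:1002:backup:/home/backup2:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:bob
wheel:x:10:alice
users:x:100:alice,bob
"""


def parse_passwd(text):
    """Return a list of dicts (name, uid, gid, shell) for each passwd line."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line: skip rather than guess
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return users


def parse_group(text):
    """Return {group_name: {"gid": int, "members": [..]}} for each group line."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def find_root_equivalents(passwd_text, group_text, known_admins=("root",)):
    """List (account, reasons) for every root-equivalent account not in known_admins.

    Root equivalence here means: UID 0, primary GID 0, or supplementary
    membership in any group whose GID is 0.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    root_group_members = set()
    for g in groups.values():
        if g["gid"] == PRIVILEGED_GID:
            root_group_members.update(g["members"])

    findings = []
    for u in users:
        reasons = []
        if u["uid"] == 0:
            reasons.append("uid 0")
        if u["gid"] == PRIVILEGED_GID:
            reasons.append("primary gid 0")
        if u["name"] in root_group_members:
            reasons.append("member of gid-0 group")
        if reasons and u["name"] not in known_admins:
            findings.append((u["name"], reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in find_root_equivalents(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{account}: {', '.join(reasons)}")
```

Run against the sample data this reports `backup2` (a second UID-0 account) and `bob` (added to the root group); anything that shows up that you cannot account for is exactly the "more than you know about" case Bob describes, and the same check should be rerun on a schedule so a new entry stands out.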
  • ChinaBJ
    I think you should have both IT rules and technical methods to prevent this from happening again. For IT rules, you can ask for help from the top management team. It is dangerous for your company. For technical methods, in addition to Layer9's suggestions, first, you can install a remote control client on her computer from the server and log her actions. Second, if you have Windows 98 sharing, stop it. It is also necessary to stop Windows 2000 Server's support for previous Windows authentication. Third, you should implement IPsec to encrypt the communications of your server.
    0 points
  • Mstallings
    Mouse, if you are using OS/400 or i5 operating systems, check your public access level. You might also check if she has all object authority.
    0 points
  • Layer9
    There are some products out there like the Vernier Networks appliance, which will allow you to restrict users internally, but you really have to know what you are doing to use them. In order to stop this power user from circumventing your network's security, you will need to bring in a security consultant. You cannot learn what you need to know about protocols, operating systems, security appliances, layer 2, 3 and 4 traffic control, etc. from a post in here. Chris Weber Layer9corp.com
    0 points
  • Bouncybrit
    No disagreement from me, make sure all your ducks are lined up. Check your policies and make sure that all appropriate use is defined. Make sure all your users have signed an agreement to the effect that if they access anything that they shouldn't they are fired. (Work with your legal team on the correct language.) Work with management and HR to get permission to begin your investigation. Hire a professional to come in and run the investigation. Work closely with the person you hire so that you know more when you are done and can avoid the mistakes in the future.
    10 points
  • Robert Davis
    All of the other replies to your query appear appropriate. However, in addition to the provided responses, I suggest your organization enlist the aid of a Certified Information Systems Auditor (CISA).
    90 points
  • TIMWATSON
    IN KEEPING WITH MY PAST REPLIES TO OTHER QUESTIONS, THIS ONE WILL HAVE THAT SAME OFF THE WALL QUALITY. ALL POSTS TO THIS QUESTION ARE VERY GOOD, AND SHOULD BE IMPLEMENTED. FIRST YOU MAY WISH TO TRY INSTALLING A VIRTUAL MACHINE, CONFIGURED TO BE AS ALIKE THE INSTALLED OS AS POSSIBLE. FROM THERE SEE IF THE VM COULD INTERCEPT ALL INPUT (OR AS COMPLETE A BLANKET AS YOU CAN), TO INCLUDE THOSE WITH ADMIN ACCESS OR BETTER. THIS MAY SLOW ACCESS SOMEWHAT. FROM THERE BEGIN TRACES. SEPARATELY YOU COULD LOOK FOR THE HIDDEN PLACE WHERE THIS PERSON IS STORING THEIR PROJECT (OR OTHER INFO?). IN THE PGP MANUAL (RTFM IT MANY YEARS AGO), IT SAYS (WORDS TO THE EFFECT OF) THE WAY A PERSON TYPES THEIR PASSWORD (CADENCE, AND SPEED), CAN BE/OR IS (I FORGET) A PART OF THEIR PASSWORD. I HAVE READ RECENTLY OF SOFTWARE THAT WILL TRACK PEOPLE BY THE WAY THEY TYPE. FINALLY, IF THEY REALLY ARE THIS GOOD, CONSIDER HIRING THEM AS HEAD OF SECURITY, WITH FULL LEGAL LIABILITY (NOT MEANT AS A JOKE).
    0 points
  • Layer9
    You know it's also possible that she just has someone's password. Chris Weber Layer9corp.com
    0 points
  • This213
    I have to agree with Layer9 on this, you should seriously consider hiring a security consultant. I also agree that they may have just gotten their hands on someone's password. While all of the posts have been good ones, I find it interesting that there's been no mention of the authentication mechanism in use, or what OSes and resources are involved. There may be options available to you that would not require your getting approval from anyone (depending on your role and your company's policies). In knowing which resources are being accessed, you should be able to trace the accesses to those resources - whether those resources are files in a filesystem or user changes in AD. If you're set up so that you're not logging accesses to resources, I would ask why and strongly encourage you to do so from this point on. If you're in a Windows environment, there are tools for this - if you're in a *nix environment, the tools are most likely already in place. bobkberg makes some good points in this direction. I think the responses regarding user monitoring are reactive at best. If your security is in line, you shouldn't have to resort to this. The only way I would see this as being beneficial would be to set up a honeypot (something TIMWATSON alluded to) and set up monitoring on the systems the attacks are coming from - which you'll know once you've set up/gone through your access logs. From this, you'll be able to see exactly what was being done to gain access in the first place. However, I'll reiterate that this is purely reactive - your security should be such that it shouldn't matter exactly what methods are being used at the client. You obviously have a hole somewhere and you need to plug it - whether that hole is a corrupt password, improper default user access levels or open ports on your DC. The thinking here is that anyone could walk in and just plug any old machine into the network (because it happens). Your network security should be such that it would be protected from that machine just as much as it's protected from any registered client on the network. As far as monitoring just to "catch them in the act", you should already have all of the evidence you need in log files as to who did what - again, if you don't have such logs, I would ask why not. I would also suggest that you have your network penetration tested, both externally and internally, even if it does turn out to be just a corrupted password. You never know how strong something is until you try to break it and there are plenty of companies out there who do nothing but. Besides, you're probably going to have to get penetration tested sooner or later to comply with federal regs. As a final note: Document everything. Create a situation file for this and get hard copies of all of the logs of the affected systems (just the pertinent parts, mind you) and put them in there. Also document your actions to remedy the situation and put that in there also. Send emails to your higher-ups detailing the situation as best as you can, inform them of such file and its location - and how they can view a *copy* of the contents of the file. Put any emails regarding the situation into the file as well. Note that I said a *copy* of the file, always follow the maxim: CYA. The bottom line on this file is that anyone (management, auditors, etc) should be able to open that file and see the entire situation - as bobkberg stated, it's your "Pearl Harbor" file. Jeremy
    0 points
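This213's point that the evidence of "who did what" should already be in the access and login logs, together with Bobkberg's advice to check login time/date and origin, suggests a concrete first pass over the logs. The following is an added example, not code from the thread: it parses sshd-style "Accepted ... for USER from SRC" lines and groups successful logins by source address, which is the natural check when, as in the question, one person is suspected of using several user IDs. The log lines, host names, account names and addresses are constructed sample data; the regular expression matches the OpenSSH syslog wording and would need adjusting for other platforms (Windows security events, for instance).

```python
"""Added example: group accepted logins by source address in auth-log text.

The log lines are constructed for the example; on a real system feed in
/var/log/auth.log (or secure) and whatever your directory/file servers log.
"""
import re
from collections import defaultdict

# Matches OpenSSH's syslog line for a successful login (assumption: sshd wording).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

SAMPLE_LOG = """\
Jan 12 08:01:22 fs1 sshd[1201]: Accepted password for alice from 10.1.2.34 port 51222 ssh2
Jan 12 08:05:10 fs1 sshd[1210]: Accepted password for bob from 10.1.2.77 port 51300 ssh2
Jan 12 12:14:03 fs1 sshd[1340]: Accepted password for backup2 from 10.1.2.34 port 51901 ssh2
Jan 12 12:20:45 fs1 sshd[1355]: Failed password for root from 10.1.2.34 port 51950 ssh2
Jan 12 19:42:11 fs1 sshd[1502]: Accepted password for carol from 10.1.2.34 port 52010 ssh2
Jan 13 09:00:02 fs1 sshd[1601]: Accepted publickey for bob from 10.1.2.77 port 52500 ssh2
"""


def parse_accepted(log_text):
    """Return one dict per successful login (timestamp, host, method, user, src)."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def sources_with_multiple_accounts(events, threshold=2):
    """Map source address -> sorted account list, for sources used by >= threshold accounts.

    A single workstation authenticating as several different people is the
    pattern to look for when one user is suspected of borrowing other IDs.
    """
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= threshold}


def timeline(events, src):
    """All successful logins from one source, in log order, for the situation file."""
    return [e for e in events if e["src"] == src]


if __name__ == "__main__":
    events = parse_accepted(SAMPLE_LOG)
    for src, users in sources_with_multiple_accounts(events).items():
        print(f"{src} authenticated as: {', '.join(users)}")
        for e in timeline(events, src):
            print(f"  {e['ts']} {e['user']} ({e['method']})")
```

On the sample data one address shows up under three different accounts, which is the kind of finding that belongs in the situation file Jeremy describes: the raw lines, the time window and the source, with the originals preserved rather than just this summary.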
  • Layer9
    Amen to the pen testing. Jeremy is right on the mark there. An internal security analysis would reveal whatever weakness this user is exploiting. Also I feel guilty just telling you to get a consultant and not offering any technical advice, so here, do this. Assuming your Layer 2 network is a Cisco or other SPAN compliant vendor this will likely reveal what they are doing. Trace back from the desktop to the actual switchport her workstation is connected to. If you don't have a current wiring diagram or a coding system you can use a cheapo toner to trace it back to the switch. (If you don't know how to use a toner to do this let me know and I will walk you through.) Then trace back your own desktop to the switch as well. Hopefully they are plugged into the same switch; if not, then you will want to plug a laptop in from inside the wiring closet. Once you have the port number on the switch, log onto the switch, enable SPAN if it is a Cat, and set the port your desktop or laptop is plugged into as the MONITOR PORT. Then set the port that this girl's system is plugged into as the MONITORED PORT. Then on your desktop download Ethereal (www.ethereal.com) (or use Sniffer or Etherpeek if you have it) and install it on the desktop. Set a filter in your protocol analyzer to filter on her MAC or IP (I would use the MAC, it's a surer bet in case she is really IP spoofing) to all other systems. In other words you are only seeing the traffic to and from her desktop, from any other desktop or server on the switch. Examine the packet captures between her and the logon servers particularly, and with the system or systems where the files she is accessing are stored. These packet captures will show you what she is doing to get in, or at least point you in the right direction. Believe me, it works every time. Now if you don't have a switch that supports SPAN then it's time to upgrade the network. And if none of this means anything to you, then you really want to consider bringing in that consultant. Chris Weber Layer9corp.com
    0 points
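The last step of Chris's procedure, filtering a SPAN-port capture down to one workstation's MAC address so you only see traffic to and from that machine, is something an analyst may want to reproduce outside the protocol analyzer (for example to extract just the relevant frames into the situation file). The following is an added example and not code from the thread or from Ethereal: it reads the classic libpcap file format (24-byte global header, then a 16-byte record header per frame) and keeps only Ethernet frames whose source or destination MAC matches. The capture file, the MAC addresses and the frame payloads are constructed inside the script; in Ethereal/Wireshark the equivalent display filter is `eth.addr == 00:11:22:33:44:55`.

```python
"""Added example: filter a libpcap capture by Ethernet MAC address.

The capture and MACs are constructed for the example; real input would be
a .pcap saved from the SPAN session described in the post.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed addresses for the example (assumptions, not from the thread).
WORKSTATION_MAC = "00:11:22:33:44:55"
SERVER_MAC = "aa:bb:cc:00:00:01"
OTHER_MAC = "aa:bb:cc:00:00:02"


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ether_frame(dst, src, ethertype, payload):
    """Build a minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Serialize frames into a little-endian classic pcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_sample_pcap():
    """Three constructed frames: workstation<->server plus an unrelated host."""
    return build_pcap([
        ether_frame(SERVER_MAC, WORKSTATION_MAC, 0x0800, b"request"),
        ether_frame(WORKSTATION_MAC, SERVER_MAC, 0x0800, b"reply"),
        ether_frame(SERVER_MAC, OTHER_MAC, 0x0800, b"unrelated"),
    ])


def iter_frames(pcap):
    """Yield (timestamp_seconds, frame_bytes) for each record, honouring byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield ts_sec, pcap[offset:offset + incl_len]
        offset += incl_len


def frames_for_mac(pcap, mac):
    """Return (ts, src, dst, ethertype) for frames where mac is source or destination."""
    target = mac_bytes(mac)
    hits = []
    for ts, data in iter_frames(pcap):
        if len(data) < 14:             # truncated frame: cannot read the header
            continue
        dst, src = data[:6], data[6:12]
        if target in (dst, src):
            ethertype = struct.unpack("!H", data[12:14])[0]
            hits.append((ts, mac_str(src), mac_str(dst), ethertype))
    return hits


if __name__ == "__main__":
    for ts, src, dst, etype in frames_for_mac(build_sample_pcap(), WORKSTATION_MAC):
        print(f"{ts} {src} -> {dst} type=0x{etype:04x}")
```

Filtering on the MAC rather than the IP, as Chris suggests, survives an IP change on the monitored host; it does not survive a MAC change, so the switch port's own MAC table (and the port number you traced) remains the better anchor for the record.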
  • Sidzilla
    I think we tend to forget the non technical solutions. The thing I would do is make sure that HR is on board with the fact that circumventing security is a fireable offense, then take the offending employee in to HR and ask her what she is doing, how she is doing it, and why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot.
    0 points
  • ItDefPat1
    Overall, very good suggestions across all so far. Let me try to outline: MANAGEMENT must be on board. HR, Legal and various others should be involved. Are you addressing this as breaking policy, or doing something illegal, or something that could have financial or regulatory/compliance impacts to the company? Legal and financial may need the involvement of various law enforcement agencies. In the US, there are at least 4 (four or more) agencies that may get involved depending on the type of criminal activity: - FBI: foreign adversary, sexual predator, fraud - Dept. of Justice: hacking, intellectual property, theft of trade secrets, industrial espionage; there is at least one cyber crime specialist DoJ AD in each jurisdiction - US Treasury: counterfeiting, financial access, fraud, identity, banking, telecom, cellular cloning - Homeland Security: critical infrastructure and terrorists. Additionally, as a few stated, regulatory & compliance issues abound if your organization must adhere to things like HIPAA. There are an abundance of regulations like Sarbanes-Oxley that may affect a broad range of organizations. Meanwhile, back at your management, you need to be explicitly authorized for investigative oversight. Or hire an IT auditor (CISA). Most of the agencies I listed above may provide guidance even if they won't get involved. Management again: you must have published and generally known (by users) policies in place. Otherwise, nothing any of us has said matters. Some have mentioned that you may even want to have users sign documents. You can also take a training approach, and mandate attendance. State that the reason for the class is to assure user compliance. (That would be a big slide or front page!) This is a bit less obtrusive and easier to get the users on board. But it takes time to deploy. Either way, you must have good company policies. After policies, after legal (if applicable), after you are authorized (get it in writing), after policies, then maybe start some technical actions. You can choose a corrective or investigative approach. If you just want to stop the activity, corrective. Or you are directed to investigate the violation for possible company or legal recourse. To correct, the first step to control is probably "IDENTIFICATION AND AUTHENTICATION" (I&A). Are your I&A policies appropriate? Do you have policies on things like password length, use of accounts, etc.? These are the next layer of policies. After this are the technical policies - configuring your systems to require users to do this and that. If this can help, RESET THEM ALL. Change all users' passwords. Or add a user/password management tool - there is a great deal of software (install on servers, domain controllers, etc.) as well as appliances. APPLY IMPROVED POLICIES. The next thing is related (usually) to I&A: AUTHORIZATION. Every OS provides very good access controls at the file system. Windows has NTFS; there are various for Unix & Linux, including NFS. IMPROVE PERMISSIONS. There are a great many documents that provide guidance on these: reduce Write, Execute, Group and other powerful privileges (what these are called varies by OS). And finally, you can add encryption. This can require a bit of effort and expertise depending on approach. But even this will ultimately depend on I&A. Also, if you can restrict people to log on to a specific computer only (can't log in from everywhere), then you can add restrictions to where the computer can connect to. You could do a variety of filtering using Layer 2 switches (e.g. VLAN) as well as TCP & IP restrictions (Layer 3&4). VLANs need a router to connect to other VLANs, so you wind up either needing routers or firewalls to connect to anything. Both will provide very good auditing of activity. You can also add I&A to the network devices to control access from one network to another. There are various I&A tools, like Kerberos, EAP/LEAP, 802.11i/x, TACACS, etc. depending on your environment. If you are directed to do more investigating, then you have several options. If she is operating from a corporate PC, then you can do the VLAN-Router/Firewall approach. You can also install a keystroke monitor or bot. This may be legally challenging - get management, legal, etc. involved. Get authorization to install this in writing. You can use ncat, netcat, metasploit and/or any number of similar tools. You could even use tools like PCAnywhere or other remote control. Also, most OSes will have options for a variety of auditing. Turn on more auditing. Auditing can hurt overall system/network performance, so use carefully. Syslog (Unix, Linux) is very handy. There are syslog clones/ports for Windows also. A lot of vendors have tools. Be sure your logs are secured, especially if you are going to use them in legal actions. You should add this to most systems and network devices: you want to follow her everywhere. There may be some dispute, but it probably will be better/easier to fix than to investigate. Fixing will prevent future incidents, enable you to detect, etc. This one bad insider may be the tip of the iceberg: she may have corrupted other people (into doing wrong). And if she can get away with it, maybe someone from the outside could get in undetected. FIRST: PROTECT, DEFEND, & MEND. If you do that, you probably will have the ability to investigate anyways.
    15 points
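ItDefPat1's "IMPROVE PERMISSIONS" step (reduce Write, Execute, Group and other powerful privileges, with the names varying by OS) is the kind of review that is easy to do once but needs repeating, so it is worth scripting. The following is an added example, not code from the thread: it walks an inventory of Unix-style paths with their mode bits and owners and reports the usual excess privileges (world-writable anywhere, setuid-root binaries, and world-readable or group-writable entries under directories you have declared sensitive). The path list, mode values and the `/srv/finance` sensitive prefix are constructed sample data; a real run would build the inventory from `os.walk` and `os.lstat`, and the same questions apply to NTFS ACLs on Windows even though the bits differ.

```python
"""Added example: audit an inventory of paths for excess permissions.

The entries below are constructed for the example; on a real host build
them with os.walk()/os.lstat() and feed the result to audit_permissions().
"""
import stat

# Assumption for the example: everything under this prefix holds restricted data.
SENSITIVE_PREFIXES = ("/srv/finance",)

SAMPLE_ENTRIES = [
    {"path": "/etc/passwd",               "mode": 0o100644, "owner": "root",    "group": "root"},
    {"path": "/etc/shadow",               "mode": 0o100640, "owner": "root",    "group": "shadow"},
    {"path": "/srv/finance/payroll.xls",  "mode": 0o100666, "owner": "finance", "group": "finance"},
    {"path": "/srv/finance",              "mode": 0o040775, "owner": "finance", "group": "staff"},
    {"path": "/usr/local/bin/helper",     "mode": 0o104755, "owner": "root",    "group": "root"},
    {"path": "/home/alice/notes.txt",     "mode": 0o100644, "owner": "alice",   "group": "alice"},
]


def audit_permissions(entries, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Return a list of (path, finding) tuples in inventory order.

    Checks, in order: world-writable (any path), setuid owned by root,
    then for sensitive paths only: world-readable and group-writable.
    """
    findings = []
    for entry in entries:
        path, mode = entry["path"], entry["mode"]
        perm = stat.S_IMODE(mode)                 # rwx bits only, no file-type bits
        sensitive = path.startswith(sensitive_prefixes)

        if perm & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_ISUID and entry["owner"] == "root":
            findings.append((path, "setuid root"))
        if sensitive and perm & stat.S_IROTH:
            findings.append((path, "world-readable under sensitive prefix"))
        if sensitive and perm & stat.S_IWGRP:
            findings.append((path, f"group-writable (group {entry['group']}) under sensitive prefix"))
    return findings


def inventory_from_disk(root):
    """Build entries for a real directory tree (not used by the sample run)."""
    import os
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [os.path.basename(dirpath)] + filenames:
            full = dirpath if name == os.path.basename(dirpath) else os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append({"path": full, "mode": st.st_mode,
                            "owner": str(st.st_uid), "group": str(st.st_gid)})
    return entries


if __name__ == "__main__":
    for path, finding in audit_permissions(SAMPLE_ENTRIES):
        print(f"{path}: {finding}")
```

The sample run flags the payroll file three times (writable by everyone, readable by everyone, and group-writable), the finance directory twice (the `staff` group is broader than the owning team), and the setuid helper once; `/etc/passwd` is world-readable by design and is correctly left alone because it is outside the sensitive prefix. Keep the output from each run so that a later diff shows what changed, which is the audit trail ItDefPat1 is asking for.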
  • TIMWATSON
    TO this213; THANK YOU FOR THE GOOD WORDS TOWARD MY POST. LAYER 9, VERY GOOD INFO, I WILL BE GOING TO YOUR SITE, BASED ON YOUR POSTS. bobkberg, AND ALL OTHERS, RIGHT ON TOP OF THIS, AS USUAL. TO THE PERSON THAT SUGGESTED FIRING THE 'OFFENDER'..., MY EXPERIENCE HAS BEEN, IT IS NEVER AS SIMPLE TO DO THIS AS IT SEEMS. TO LIST JUST A FEW REASONS, FIRST YOU MAY HAVE TO PERFORM SOMETHING LIKE THIS (THE TYPE OF SECURITY BREACH THAT IS BEING DISCUSSED), ON BEHALF OF THE COMPANY THAT YOU WORK FOR. WHAT IF THE CxO (CEO, CFO, CIO, ETC.) IS THE PERP AND THEY ARE NOT IGNORANT OF THE SYSTEM (COMPUTER/TELCO)? IF YOU (SECURITY IT PRO) DO NOT HAVE ACCESS TO THE CxO's PROFILE, RESUME, KNOWN LIKES/DISLIKES, ETC., HOW WOULD YOU KNOW IF HE/SHE FAITHFULLY ATTENDS EVERY HACKER (SO-CALLED) TYPE EVENT IN THE KNOWN/UNKNOWN UNIVERSE? IS THE PERP ACTING ALONE? HAS SOMEONE BEEN WATCHING SAID PERP..., AND NOT TELLING ANYONE ELSE, MAYBE WITH THE IDEA THAT THEY CAN RIDE ON THE BACK (SO TO SPEAK) OF THE PERP, AND FULFILL THEIR OWN AGENDA? AND IF YOU KNEW, OR (MAYBE WORSE FOR YOU) IF YOU DID NOT KNOW THAT THE PERP IS DIRECTLY RELATED, IN SOME WAY, TO THE CxO? BETTER THE EVIL THAT YOU KNOW? EYES WIDE OPEN. TIM.
    0 points
  • ItDefPat1
    As TIMWATSON said, and I also agree, firing can be challenging. Especially if they have root/admin kind of access, and if they want, they might do damage. Also, as I said, you need to have corporate and maybe legal justification to do so (depends on your local laws). If not, it could be worse for the company legally. And as Timwatson said, what if this rogue is close to someone in the C-suite? If the type of rogue activity is bad enough, it might be better to go to the top (CEO, President or Legal) or outside law enforcement for guidance. Either way could be thin ice for the GOOD GUYS. There have been a couple of cases where the GOOD GUY was fired, arrested and/or sued for investigating a violation of law or policy (reported in SANS.org as I recall). Walk carefully and have important friends.
    15 points
  • TomLiotta
    After all of this, _still_ no info on what platform is involved, nor anything about what kind of business environment, nor any business policies that might be in force. In companies/agencies I've worked for in the past... hmmm... 20 years, this wouldn't be a problem. There was _always_ someone with LEGAL liability who had sufficient authority. (Note that legal 'liability' is not necessarily the same as 'responsibility' in the business.) The individual with liability needs to be taking action just to keep himself or herself out of jail. But then again, maybe this is just a small office, a privately run business and the network is run by the owner's nephew. A mix of Win95/98/2K on the desktop and maybe even a Win2K server. And everybody in the office is good pals with everyone else and always trying to 1-up the others. Quite possibly nothing useful can be done since there is zero budget for any "security professional" and the nephew doesn't even know what Ethereal is, much less any tools that might be useful. Knowing zero about the context of the problem, zero useful info can be given. Tom b
    125,585 points
  • Recovery1
    I must agree with most of the comments made regarding this matter. Not only do you have legal responsibilities regarding the breach of the other employee accounts, but if in some strange situation any malice occurs, how do you find and hold the individual responsible? As an electronic cyber crime and fraud investigator we always suggest that you protect your current investment, which is your user integrity as well as the data contained on the system. In large corporate systems a rogue user can cause countless minor damage to data structure and other related matters and have it appear to be initiated by another user in this situation. This is a serious legal matter. The other issue is you do not have any hard proof that this is occurring. In the event that you are wrong and you falsely accuse an employee you have other serious legal problems. My professional suggestion is the following. Hire a security consultant that specializes in fraud investigations and is an expert at forensics. This will provide you the legal information you need in the event you wish to proceed with pressing charges against the employee if any breach of security or other illegal or unethical events have occurred and are proven. The next thing I would do is install a keylogger on the PC of the user you suspect and from that report the daily activities to base an educated opinion on before making the next decision. We have experienced many of these cases and in most cases we can identify the individual and obtain the proper evidence in a legal and proper manner so court action can be started. Also, with hiring a 3rd party to do the investigation other than law enforcement (who will not go to this extent to prove a crime that may or may not have been committed) you omit the issue of bias regarding the investigation. Finally, this can be done by remote access in most cases but in some serious cases on site services will be necessary. The main goal is to prove the theory and then prove the occurrence, and identify them and correct them before any damage is done to your systems or data structure, which is a serious consideration if you manage and host sensitive customer private data. Get a consultation and find out your options. In a case like this be pro-active, not re-active.
    0 points
  • Margaret Rouse
    Posted on behalf of DiegoDH: I agree with Sidzilla in that non-technical solutions must also be taken into account. One of these is to have proper policies and procedures in place. Another is to make frequent reviews of the users existing in the systems and their level of access ("certifications of Users and Permissions"). These mitigate 2 different risks: that of having users in the system that should not exist, and that of the authorized users having more privileges than needed to do their job. Regarding taking the offending employee to HR directly, be cautious: you may need to provide evidence that she is guilty of something illegal. Ask the HR and Legal departments first, and see what the company internal policy says (if such a policy does exist at all).
    1,950 points
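The "certification of Users and Permissions" DiegoDH describes addresses two separate risks, accounts that should not exist and accounts that hold more than their job needs, and both can be checked mechanically from three inputs: the current entitlements, the HR roster, and a role-to-entitlement matrix. The following is an added example, not code from the thread: it reports orphaned accounts (present in the systems but not on the roster), entitlements a person's role does not justify, and who currently holds the most powerful groups. The roster, roles, group names and the `domain-admins` privileged group are constructed sample data; in practice the entitlement list would be exported from the directory or the application's own user table.

```python
"""Added example: a user-and-permission recertification pass.

All data below is constructed for the example; export the real entitlement
list from your directory/application and the roster from HR.
"""

HR_ROSTER = {            # account -> job role, as HR knows it
    "alice": "accounting",
    "bob": "helpdesk",
    "carol": "sales",
}

ROLE_ENTITLEMENTS = {    # role -> groups that role legitimately needs
    "accounting": {"finance-ro", "finance-rw"},
    "helpdesk": {"helpdesk", "workstation-admin"},
    "sales": {"crm"},
}

PRIVILEGED_GROUPS = {"domain-admins"}   # assumption: groups that warrant a named owner

CURRENT_ENTITLEMENTS = [  # (account, group) pairs as found in the systems today
    ("alice", "finance-rw"),
    ("alice", "domain-admins"),
    ("bob", "helpdesk"),
    ("bob", "finance-rw"),
    ("carol", "crm"),
    ("dthomas", "finance-ro"),
]


def recertify(entitlements, roster, role_matrix, privileged_groups=PRIVILEGED_GROUPS):
    """Compare live entitlements against the roster and role matrix.

    Returns a dict with:
      orphaned_accounts   - accounts with entitlements but no roster entry
      excess_entitlements - (account, group) pairs the account's role does not cover
      privileged_accounts - accounts holding any group in privileged_groups
    """
    orphaned = sorted({user for user, _ in entitlements if user not in roster})

    excess = []
    for user, group in entitlements:
        role = roster.get(user)
        if role is None:
            continue                      # already reported as orphaned
        if group not in role_matrix.get(role, set()):
            excess.append((user, group))

    privileged = sorted({user for user, group in entitlements if group in privileged_groups})
    return {
        "orphaned_accounts": orphaned,
        "excess_entitlements": excess,
        "privileged_accounts": privileged,
    }


if __name__ == "__main__":
    report = recertify(CURRENT_ENTITLEMENTS, HR_ROSTER, ROLE_ENTITLEMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each line of the report is a question for a named manager to answer in writing (keep or remove), which turns the review into the documented, repeatable control DiegoDH is recommending rather than a one-off clean-up. In the sample data the accounting user holding `domain-admins` is exactly the sort of grant the original question describes and would not have survived a previous review.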
  • Sidzilla
    I hope I wasn't misunderstood. The post said that the user had definitely been accessing secured files and giving others access to the same. Firing is always a last resort, and is always best done with caution. However, it was my impression that the evidence of the breach was already there. Oftentimes it is best to proceed with haste in a situation where security is an issue. A long drawn out investigation or an open confrontation seems to be the choice. If the employee is already identified, and the files she has altered the security rights to are already evident, it would seem the investigation is over. If the employee is confronted, the most important aspect of the scenario is the confession of HOW she was doing it, to prevent future breaches. Firing would happen only if the information is not given up in an expedient manner. Hiring a network security specialist to find out what this employee already knows seems redundant.
    0 points
  • Gforce11
    This type of scenario is exactly why the need for trusted computing environments exists, which come from the military paradigm, and will be the way of the future. Ideally, your internal controls should be set up so that internal access of data by authorized users is limited to only what they need to do their work. Mandatory access controls go a step beyond user ID, which more or less stops at the front gate. The second component involves auditing, as already mentioned. This is absolutely required when dealing with authorized users. It can be transparent to the user, and flag any attempts to access unauthorized files, or abuse data which they do have authorization for. If you lack auditing, you really have no security, and no forensics. Since a simple definition of a trusted system is that not even the system administrator can cheat the system, it can act as a disincentive against internal abuse, since users know that every action, even authorized ones, will be logged and kept. How many such problems would disappear if you had this level of internal control?
    0 points
  • ToddN2000
    Not knowing how she is getting access is an important issue to resolve before any action is taken against her. Mainly for fear of a vengeful employee. She may have something as simple as a key logger installed on a user's workstation or system with the authority she is looking for. She could then access this key logger info after hours. To some she would look like a dedicated employee. All the time she is a threat to your network. Additional info on the hardware and software would provide some more specific solutions. It's not enough that we have to worry about our own people abusing the network, but you have to be aware of outside threats as well. We all hear rumors on security flaws as well; the best I heard was a member of a contracted nightly cleaning crew putting a hardware key logger on the company president's PC. Then at night he would log in and read the confidential e-mails on the company business. He then had access to the president's passwords, and credit cards when he booked business trips. Not sure how you would prevent this scenario. Unless you deny access to the network after their scheduled work day.
    13,050 points
