War stories from the front lines of network security

A consultant relates a couple of real-life experiences he had while security testing.

By Joseph W. Popinski III, CPP CISSP CISM

Over the past five years of managing network vulnerability assessments and penetration tests as a consultant, I've uncovered several "situations" that, from a network security viewpoint, border on the unbelievable. Below are two brief accounts. Could either of these happen to your company?

Just make it work!
During a vulnerability assessment of a small professional company's office network, I discovered a network wiring connection "error" that appeared to allow both internal and external e-mail to operate efficiently. The office manager hired a local network wiring vendor to design, install, and configure the office's network, which consisted of servers, workstations, printers, wireless access points, and other miscellaneous devices. The vendor provided and installed a hardware firewall that provided security control functionality between the internal network and the company's Internet connection used for Web access.

The company initially limited itself to internal e-mail between management and staff. However, over time, the temptation to use e-mail to correspond with the rest of the world via the Internet was too great, and the office manager asked the network wiring vendor to arrange external e-mail and just make it work. The vendor installed and configured an e-mail server. Management and staff were absolutely delighted with this new capability to correspond electronically with just about anyone on the Internet.

One of the first steps in performing a network vulnerability assessment is to review and understand the topology or architecture of the network under study. Architectural analysis showed that the e-mail server had two network interface cards installed. One terminated on the core switch and the other outside of the firewall. The network wiring vendor was asked about this wiring configuration and replied that it was the only way he could get the external e-mail to the mail server because he couldn't figure out how to build a firewall rule to allow SMTP traffic through the firewall. This dual-homed NIC capability on the mail server effectively bypassed the firewall, rendering any protection it provided useless.

When we analyzed the data, we saw that the servers had been compromised and rootkits installed, allowing access to the company's sensitive proprietary information. We also determined that one of the servers was set up as a relay for attacking other sites on the Internet. Needless to say, the company was shocked by the exposure they had from this seemingly simple external e-mail solution.

The moral of this story is to hire a qualified consultant to make any architectural or functional changes to your network, and then make sure that the integrity of your network has not been compromised by these changes.

Dial access, who cares?
On Monday morning, a CIO from a health care company called to ask for help. "Can you help me figure out what's going on here?" he asked. We replied, "Can you tell me a little more about your situation?" The CIO told us that since late Friday his T-1 line to his ISP was almost fully saturated with outgoing traffic and his staff was somewhat at a loss to determine the source of this traffic. This health care company relies very heavily on their Internet connectivity for customer inquiry, insurance claims filing, sales, and other business functions. In fact, without their Internet connection they would be hard pressed to do any business at all. So a "loss" of their Internet access was a major disruption both operationally and financially.

It didn't take long to determine what happened. The company was very diligent in administering its firewall and limiting conduits to just the ones needed to support their business functions. The system administrators were competent in setting up the firewall, core switches, and servers. However, the company had not yet moved to the VPN world and relied heavily on dial access for remote users. When we analyzed the remote access server (RAS), we saw that there were more authorized/active accounts than employees, let alone employees who needed remote dial access.

Forensics analysis showed that an outside hacker had gained access to the internal network via a RAS account, which was still set to default values. Once inside the network, he got access to a file/print server and the firewall. A conduit through the firewall was installed, a video file loaded to the file/print server, and its location announced to the "dark side" of the internet world.

So over the weekend, multiple outgoing downloads of the video file consumed just about all of the company's T-1 Internet connection bandwidth. The culprit was the default values left in the dial access server. It almost put this company out of business for several days.
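The RAS finding above boils down to a reconciliation the company never ran: active dial-in accounts against the HR roster and the list of people approved for remote access, plus a flag for accounts whose password was never changed from the value it was created with. The script below is an added example, not code from the article; its export format, field names and records are constructed for illustration.

```python
"""Audit a dial-in (RAS) account export against the HR roster.

Added example, not from the article. The CSV layout, field names and
sample records are constructed; adapt the parser to your RAS export."""
import csv
from io import StringIO

# Constructed RAS export: username, enabled flag, days since the password
# was last changed (blank = never changed, i.e. still at its default value),
# and date of last successful dial-in (blank = never used).
RAS_EXPORT = """username,enabled,days_since_pw_change,last_login
jsmith,Y,30,2004-03-12
mlee,Y,12,2004-03-15
guest,Y,,2004-03-13
support,Y,,
rjones,N,400,2003-01-02
tmiller,Y,90,2004-03-14
"""

# Constructed HR roster: current employees -> approved for remote access?
ROSTER = {"jsmith": True, "mlee": True, "tmiller": False, "rjones": False}


def audit_ras(export_text, roster):
    """Return findings by category, each a sorted list of usernames."""
    findings = {"not_an_employee": [], "not_authorized": [],
                "default_password": [], "disabled": []}
    for row in csv.DictReader(StringIO(export_text)):
        user = row["username"]
        if row["enabled"] != "Y":
            findings["disabled"].append(user)   # dormant; candidate for deletion
            continue
        if user not in roster:
            # Orphaned, vendor or built-in account: nobody in HR owns it.
            findings["not_an_employee"].append(user)
        elif not roster[user]:
            findings["not_authorized"].append(user)
        if row["days_since_pw_change"] == "":
            findings["default_password"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def account_gap(export_text, roster):
    """The article's headline number: active accounts minus employees."""
    active = sum(1 for r in csv.DictReader(StringIO(export_text))
                 if r["enabled"] == "Y")
    return active - len(roster)


if __name__ == "__main__":
    for category, users in audit_ras(RAS_EXPORT, ROSTER).items():
        print(f"{category}: {', '.join(users) or '-'}")
    print("active accounts beyond headcount:", account_gap(RAS_EXPORT, ROSTER))
```

Any non-empty `not_an_employee` or `default_password` list is the condition the story describes; run the check after every staffing change and after any vendor touches the access server.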
