The "RISKY BUSINESS" Blog


“Best Practices” for Firing a Network or Information Security Admin

Posted by John Verry on Thu, Dec 18, 2008 @ 05:15 PM

"We need to fire our lead Security Architect - what do we need to do to ensure he can't hack back into our network after we let him go?" So began a recent call with a new client. In today's economy, I fear that this is a call that we will hear more often, and that it is a risk on which organizations need good guidance and assurance.

Many control frameworks (e.g., ISO 27002, COBIT) provide generic guidance on this issue; however, despite my best efforts to Google the topic, I have yet to find more "actionable" guidance on this issue. For that reason, we have begun to compile our own list:

Pre-Firing

  • Conduct a network/system level vulnerability assessment/penetration test to determine where you might be vulnerable externally. If your risk profile is high, it would be better to augment the VA/PT with a security architecture review to provide a higher level of assurance.
  • Understand what systems are external to your organization for which the user may have privileged access: hosted web sites, ISP routers, exposed administrative interfaces on firewalls, DR sites, PBX interfaces. User account reviews and changing of administrative level passwords post-firing are likely necessary. Be aware that system to system communication may leverage these passwords and that some things may "break" if you don't map these dependencies before making the changes.
  • Either war dial or perform a telecommunication audit to ensure that you have accounted for all POTS lines. A good security architecture is easily defeated by a back-door modem. Remember, many mainframes and SANs have modem support lines for DR purposes.
  • Either war walk or conduct a wireless security audit to ensure that your WLAN is properly authenticating users, is not visible from public locations outside your buildings, is using an appropriately strong encryption scheme, and doesn't contain any "rogue" access points, which again can be leveraged as a back door to defeat even the best security architectures.
  • Ensure that all remote access mechanisms - VPN, Citrix, Terminal Services, and Dial-up modems/RAS - are secure. Determine whether local authentication takes place at any of these points, since post-firing you will need to disable the employee's accounts, do a review/clean-up of all accounts, and force a password change.
  • Ensure that your physical security measures are sufficient to protect against unauthorized malicious entry. Try tailgating, validate that security guards check badges, and observe whether delivery personnel are granted access to areas where they should not be. It is common that we can compromise physical security with very simple social engineering tactics like these.
  • Validate that you have backups of critical files/applications/configuration so that systems can be restored if necessary.
  • Search Social Networks (LinkedIn, Facebook, MySpace, etc.) for your company's name. Although not a direct threat to your data's confidentiality, integrity or availability, the former employee might have noted his employment there. This is a good thing to do regardless of whether there are any pending layoffs or firings.

Firing

  • De-provision access to all systems possible just prior to notifying the individual.
  • Provide a severance package that spaces payment over several months and cites that the severance is based on their cooperation and good behavior. This is generally a very effective deterrent.
  • Ensure that all assets: phones, PDAs, laptops, credit cards, keys, access cards, and tokens are retrieved and tracked.
  • Do not immediately "re-issue" the laptop. Preferably, store it in a secure manner, or make a forensic copy of the hard drive if any suspicious, inappropriate, or criminal activity is suspected. Recently, the forensic copy was useful for a client when they were sued by the ex-employee. On review it was determined that the individual had forwarded dozens of confidential company documents to their home email address prior to leaving. The company counter-sued the employee and eventually won the case. Some companies will review the activities over the previous month or so to determine if the user had accessed sensitive data in anticipation of leaving.
  • If the user enjoys administrative access to many systems, before their termination, have them continually observed while they work with a highly trusted individual who will acquire and change passwords for every critical system. We have seen too many instances where a network admin has been fired and escorted out of the building and only after the fact was it discovered that there were systems for which he, alone, knew the admin password.
  • Notify all personnel immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management.
  • Notify all consultants, vendors, and business partners immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management. One of our clients did not take this step, and the fired employee had a consultant pull business-critical data from a database and send it to his home email address. The ex-employee explained he was working from home and was having "VPN problems", so the consultant (not knowing the person had been fired two days prior) exported the data and sent it to him. This was only discovered after the ex-employee sold the data and a poison pill in the data notified the company.

Post Firing

  • Continue to de-provision access to all systems possible. Obvious points are Primary Authentication Servers, mail servers, and file/print servers. However, there are often many local authentication points - WLAN, servers, business applications, network devices. For all high-risk areas consider a user account review and clean-up, and force password changes for all accounts, especially any "shared" administrator accounts.
  • Force a password change for all employees (it is not uncommon for an admin to know other people's passwords).
  • For all critical systems (remote access, key applications, firewalls, etc.) validate that logging is enabled and working properly and monitor the logs for a period of time to detect any rogue access attempts.
  • Leverage your IDS and/or outbound firewall rules/logging to detect any Trojans installed by the employee that may communicate outbound.
  • Return to the previously identified Social Networks and ensure that there have not been any disparaging or false comments made about you (if you are the ex-employee's boss or a principal of the company) or the company. While this is not a direct threat to your data per se, disparaging and false information could damage your and your company's reputations, causing lost or diminished future business.


POS Credit Card Theft via Vendor Default Account/Password

Posted by John Verry on Fri, Dec 12, 2008 @ 02:01 PM

It is a common misconception that being compliant with a relevant standard (e.g., HIPAA or PCI) means that the associated data is “secure”; unfortunately, that is often a long way from the truth. We were involved in an interesting project this week that illustrates this all too well, where a “PCI compliant” customer, utilizing a “PCI certified” Point of Sale system (POS), was compromised (i.e., credit card numbers were stolen). Of greater concern to our client base as a whole, we determined that the POS vendor (one of the major players in the space) utilizes a common account name and password across all of their systems for remote support. Should you be using the same POS system – you may be vulnerable.

VISA notified our client (a specialty retailer) that they believed credit card skimming was occurring at one of their locations. This was detected by a clever anti-identity-theft application, which found that three cloned cards used in Houston last week had all been legitimately used at this retail location in Boston approximately three months prior.

We got a call from their audit department after their initial investigation determined that different clerks had handled each of the transactions in question, and that collusion looked highly unlikely. They asked us to determine if their POS system had been compromised. The next morning one of our Security Consultants was on-site assessing the security of their POS and their network. He determined the following:

  • The POS system was appropriately patched/configured and was not directly vulnerable to a local LAN based attack.
  • The POS system was mistakenly left fully exposed to the internet. The client’s intention was to only expose the system to the IP address block owned by the POS vendor for remote support, however, the firewall was mis-configured.
  • There were two successful logins to the machine that we were unable to trace beyond Norway.
  • There were two successful logins to the machine that we were unable to trace beyond Czechoslovakia.
  • There were ten successful logins to the machine that we were unable to trace beyond Chile.
  • All remote logins were to a user account that is a member of the local administrators group that is used by the POS vendor for remote support.

Once we determined that the remote logins were not tied to trouble tickets, and the IPs were not owned by the POS vendor, we disconnected the machine from the network and notified the customer. A conference call with the POS vendor left me exceptionally concerned. During the call the POS vendor indicated that the compromised account/password combination was used for remote maintenance of all of their POS systems. Further, we were advised that if we changed the password, the POS system could no longer be maintained remotely.

It is remarkable to me that thousands of POS systems, transiting millions of credit card transactions per day, all share the same user name and password for an administrative account that is used for remote support!

When I expressed my concern the vendor pointed out that their system was “PCI certified” and pointed us to the attestation on their site. On further research we located a document on their site that indicated that the system was not PCI compliant UNLESS you changed the password for the common administrative account! Amazingly, even having been referred to Help Desk management – we were explicitly told that changing the password would prevent the system from being maintained.

We have handed over the investigation to local law enforcement, the FBI, and Postal police.

If you're running a POS system, take the time to validate the configuration, review privileged accounts, and change the password for any vendor-supplied accounts. I would also suggest that you review the security logs to ensure that you can identify the legitimacy of all administrative-level log-ins, especially those occurring from outside the LAN.
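The log review called for here, and in the post-firing advice above to monitor critical-system logs for rogue access attempts, can be scripted: successful logins to privileged accounts are kept only if they came from the LAN, or from the vendor's support range during an open trouble ticket; everything else is flagged for follow-up. This is an added example, not code from the original post or from any POS vendor; the audit-line format, the vendor range 198.51.100.0/24, the LAN range, the account names and the ticket windows are all constructed assumptions.

```python
"""Flag privileged logins not tied to the LAN, the vendor range, or an open ticket."""
import ipaddress
import re
from datetime import datetime

# Constructed audit lines in an assumed "ts user=.. src=.. result=.." format
# (not any real POS product's log format).
SAMPLE_LOG = """\
2008-12-08T09:02:11Z user=possupport src=198.51.100.17 result=success
2008-12-08T22:41:03Z user=possupport src=203.0.113.45 result=success
2008-12-09T03:12:44Z user=possupport src=192.0.2.200 result=success
2008-12-09T08:15:00Z user=admin src=10.0.5.9 result=success
2008-12-09T11:20:05Z user=possupport src=203.0.113.45 result=success
2008-12-09T15:00:00Z user=possupport src=198.51.100.17 result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

# Assumed policy inputs: the vendor's published support range, the store LAN,
# the privileged accounts of interest, and open trouble-ticket windows.
VENDOR_NETS = [ipaddress.ip_network("198.51.100.0/24")]
LAN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED = {"possupport", "admin"}
TICKETS = [(datetime(2008, 12, 8, 8, 0), datetime(2008, 12, 8, 10, 0))]

def parse(log_text):
    """Yield (timestamp, user, ip, result); unparseable lines are skipped, not guessed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), ipaddress.ip_address(m.group(3)), m.group(4)

def in_any(ip, nets):
    return any(ip in net for net in nets)

def review_logins(log_text, tickets=TICKETS):
    """Return (time, user, src, reason) for successful privileged logins that are
    off-LAN and either outside the vendor range or not covered by a ticket window."""
    flagged = []
    for ts, user, ip, result in parse(log_text):
        if result != "success" or user not in PRIVILEGED or in_any(ip, LAN_NETS):
            continue
        ticketed = any(start <= ts <= end for start, end in tickets)
        if in_any(ip, VENDOR_NETS):
            if not ticketed:
                flagged.append((ts.isoformat(), user, str(ip), "vendor range, no ticket"))
        else:
            flagged.append((ts.isoformat(), user, str(ip), "outside vendor range"))
    return flagged
```

On the constructed sample, four of the six logins are flagged: three from addresses outside the vendor range, and one from the vendor range with no matching ticket.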


The Speed of Trust

Posted by John Verry on Sat, Dec 06, 2008 @ 05:38 PM

If you like business books, “The Speed of Trust” (http://www.speedoftrust.com/) by Stephen Covey (no, not that Stephen Covey — it’s actually his son) is worth reading. In it he proffers a very simple, but profound, premise — that trust is a business lubricant — one that improves the effectiveness and efficiency of business relationships.

As an example, he recounts Warren Buffet executing a multi-billion dollar purchase of a company, over a few-hour period, as he had absolute trust in the CEO. His due diligence was reduced to a lunch meeting (no teams of lawyers and accountants spending months poring over financial statements and legal documents).

It really rang home this week when we expended more sales & marketing effort in securing a $2K external penetration test for a small bank, than we did securing a $70K security “Certification & Accreditation” project for a major governmental entity.

The difference: we had earned the governmental entity's trust over a multi-year period by consistently demonstrating character and competence while successfully executing critical projects, whereas it was the first time we had spoken to the bank.

One of the exciting assertions that Covey makes is that Trust is not a soft ephemeral entity, rather it is something tangible, that can be earned by consistent trust earning behaviors that he details. As a company that needs to be intrinsically trusted to perform the assessments we do, and whose job it is to provide management with assurance that the systems we are assessing are trust-worthy, his research in this area is of remarkable interest to us.

Trust is especially critical for us, as the level of assurance we provide is directly proportional to the trust our clients have in us. Accordingly, we have made a number of changes in the way that we operate to ensure that we are as demonstrably trustworthy as we aspire our customers' systems to be.

How trust-worthy are you, your company, your vendors, your partners? How much is it costing you? The answer may surprise you.
