Stopping Insider Scans

I’ll admit it. I’ve knocked on doors before, while sitting at Starbucks.

“Knocking on doors” here means running port scanners like Nmap, or vulnerability scanners like Nessus or Nexpose, to see if that guy in the suit across the room is using a laptop that’s vulnerable to exploits. I was much younger then. WiFi was just introduced, and to a guy born with a curious mind like mine, this was exciting stuff. I wasn’t a hacker or cracker by any means, neither did I dwell too much in doing malicious scripts, but it was just curiosity that got me going.

I did find myself on the good side of the law soon, running DHL’s global security group in Asia, and there faced monumental challenges like random denial of services,and naughty scans from external.

However, it is usually the insiders that do us in.

I’m sure you heard before, a secured perimeter is only as strong as its weakest link. And the weakest link is usually inside. A disgruntled employee. A corporate spy. A curious, idle employee with too much time on his hands, and reading too much Network Security Online articles. Whatever the case, every company will have its day in the sun. It’s just a matter of when.

For instance, we ran our penetration testing services for a network. We usually don’t have too much issues in the scanning phase, where we enumerate services and probe a little for vulnerabilities. Our standard process was to inform our client when we were doing exploits. One thing we’ve learnt in almost every project we’ve done.

Not everything goes according to plan.

It was an internal penetration testing, but we weren’t given much details on the network or servers as agreed and we ran several IPs scan at once. Soon, our technical client came back to inform that their servers were not doing too well, and one of the virtual servers running HA has rebooted. We immediately stopped the scans and realised that the IPs given were all running on VM. Nessus and VM does not play nice. Do a search on nessus on communities.vmware.com and pick your poison.

Thankfully, nothing serious occurred, which shows us again how important it was to have people ready and standby especially in PenTest and to follow certain set procedures and standards. We continued the pentest exercise with greater care, taking into account the vulnerabilities of Nessus and VM, and using alternative scanners.

Which shows, how simple it is for someone to DOS (Denial of Service) a network, with just a vanilla Nessus running. What can a company do about it?

Well several options are there:

1) IPS/IDS (Intrusion Prevention/Detection System). These babies usually run on the network points and works wonders to detect scans and stop them, among other thing. We used to run Tipping Point a lot in my previous companies. The problem here is that for a flat network, how do we want to run this? The server needs to be segregated into its own server segment, and an IPS laid out in front of the network point. In a flat network where everything is plugged into a single IP address space, it still can be done, I suppose, but probably not the best way.

2) HIPS/HIDS (Host IPS/IDS). It’s like a mini gun compared to a gatling gun. It runs on critical servers and works about the same way, except that the network interface gets hit before the intrusion prevention services kicks in. It’s pretty effective and we ran a lot of Symantec previously.

3) If those don’t do the trick, then we could probably secure every end point. If we want to secure internal attacks, the best way is to properly guard your asset. Control all your laptops through proper asset management, no administrative capability to install Nessus and an asset scan to ensure nothing naughty has been somehow installed on by enterprising employees. You might want to control/choke up the USB ports as well.

4) Finally, set corporate policies. Many companies fail to do this and we don’t know why. Document what will happen if activities like scanning is done. Make sure employees understand their obligations to the company and sign acceptable use policies before giving them corporate-owned assets, bought by corporate owned money. Sometimes a little awareness works better at prevention.

There are probably other ways I’ve missed out, but generally this would be how we’d deal with idle employees with too much time on their hands scanning our network. That, and putting them on a cold-storage project to wash out their curiosity, maybe.

Leave a Reply