Wednesday, July 25, 2007

Reason Number 1 why we need a stronger security policy

As I finished my last post, I remembered a minor, yet aggravating incident that occurred today.

The manager of international customer service has one employee. That employee is responsible for handling international orders, quotes, and the like. That employee happens to be on a two week vacation. So, around lunchtime, the manager comes to my desk to ask me a question; and I could tell she wasn't too comfortable. Her boss, the VP of Sales and Marketing was wondering how the bulk of the international orders were going to be entered if the person doing it was not here. A fine question. It was suggested that the manager just log into the employee's machine, read the mail and handle the order.

So, she was at my desk to find out how she could log into her employee's machine. I glared at her, and she basically knew the answer. I don't know everyone's password; and there's no way to find the password. Could I just reset the password, yes. Would I. No. I calmly explained that the "policy" is that I can't allow access to the employees computer. The manager calmly explained that she had been to HR's office and that the Director of HR had given permission. The manager asked if it was in the policy document (it's not.) The HR director responded that it was ok, AND that the Comptroller knew the passwords to all of the computers in the finance office (a separate office.) She also mentioned that the VP wanted orders entered this week and wanted to know what it would take. I explained that anything negative that happened would have to be her responsibility.

In the end, the VP of Sales and Marketing sent me a note, basically ordering me to create a new password and reset it when the vacationing employee returns.

I would have jumped out a window, but being on the first floor I figured I would just really hurt myself.

Security policy? Yeah right. A post for another day.

A Monday Incident

It has to happen on a Monday.

And what a Monday it was.

I woke up and it was pouring out. And I mean pouring. It was raining so hard visibility had dropped to a hundred yards, at best. Driving to work, I passed three separate accidents; cars that had spun off the roads. At least they were getting assistance. This was definitely a day to stay home. The road that the plant is on was flooded, with a couple of inches of water. How fitting.

I get in a good half hour before the network administrator gets in which gives me plenty of time to put out the minor brush fires. It was about 20 minutes after he got in that he called me to his office and showed me an email he had received from our ISP. They (the ISP) were getting ready to dump our internet access (a T1) because of complaints due to alleged abuse coming from our public IP. We had about a day to figure it out.

Off to the firewall we went to see what was up. There did not appear to be anything fishy, at least from the firewall. Remember, the network admin is great at "admining" but security is an afterthought for him. I can only "suggest" policy and procedures. At about this time, the director of HR walks into the office. She proclaims that her laptop has crawled to a stop and she is unable to get any work done. We allay her fears and get back to work. I ask the network admin to check the logs for her IP. Lo and behold, we've found our problem. Connections. To and from her laptop. Hundreds of them. Thousands of them. Mail from her machine bypassing the DMZ and the mail server. P2P connections. And a whole bunch of things I didn't have time to ID. Whoa.

A little research turned up that the malicious code was a variant of the Storm Worm; I think Trend finally ID'd it as nuwar.IJ. I explain calmly to the HR director that we think we found the reason for her laptop being slow and I would need to take her laptop off the network, and remove it to the data center in order to check it out. So, we grab the laptop. The worm went undetected because it killed the AV programs first. Yea for Helix.....Rootkitrevealer proved what we thought. And we used Trend's RootkitBuster to clean the machine. Now, thinking of security, I suggested wiping and reloading. However, the network admin figured we had cleaned the machine sufficiently and we would give the machine back after a full virus scan.

When I gave the machine back I asked if there was anything she might have done to have contracted a virus or worm. She thought it might have occurred when she went to update a printer driver (why she had to update a printer driver is still a mystery.) After more pressing, she finally admitted to opening an email with a subject of "you have received a bluemountain greeting from a co-worker." She said she clicked the link too.

I'm still trying to tighten the firewall logs....p2p connections should not be coming in or going out of here. Period. That should have been our first red flag. I'm sure there's more to do; but I think the network admin is just glad our network access is not getting yanked.

Wednesday, July 18, 2007

Hello World!

All programmers, when learning a new language, usually start with a "Hello World" program. It's a good way to actually use the new code to do something useful with the code while learning. So, I'm using this post as a "Hello World" program to introduce my blog. There are many who have come before me, and I've learned a ton from those people. Hopefully, as I immerse myself into the field, I'll be able to aid those who are starting after me; or I hope to give back to the community in some small way.

I started out with computers in grammar school, on a TRS-80. In college, I majored in business; though the concentration was in Management [of] Information Systems. I would have received a minor in Comp. Sci., though I got mono in my senior year of college, and had to withdraw from a class. However, it was in college that I took a class where I read The Cuckoo's Egg by Cliff Stoll. I knew at that time that I wanted to "catch bad guys using computers." After graduating college, I started programming for a large brokerage house; where I programmed mainframe computers. I mostly worked with much older co-workers, and was the resident "pc-guy." When the company moved offices they moved from dumb terminals to desktop pcs. At this time, outside of work, I actually attempted to start an ISP. I've looked for my old Slackware cds, I can't find them, but I know they had a low version number. Ultimately, I was unsuccessful starting the business. And it was a probably a pretty good thing. The market exploded for internet access and margins became razor thin. But it was great experience.

Since then, I've mostly worked for large companies as a developer. It wasn't until I got laid off that I returned to thinking about getting back into the security business. I was looking for jobs and I saw a job posting with the FBI in their Forensics unit. It was close to home, it was security related, and I would be able to "catch bad guys" and use computers. I looked into what it would take, and I realized I was not qualified. Even with some security qualifications. So, I didn't apply.

Now, I'm thinking of leaving the company I work for. I've just recently earned my A+, and I'm working on Security+. After that, I'm thinking of going after my SANS GCFA, then after that CCE.

So, in a nutshell, that's where I'm coming from, and where I hope to go. I'm always looking for insight, comments, and thoughts from the people who have been there before me.

"Hey, gunner man, that's quicksand, that's quicksand that ain't mud
Have you thrown your senses to the war or did you lose them in the flood?"

Here's to hoping I don't get lost.