NetSec Letter #10, 14 July 2001

When Access Control Goes Bad

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

In conversations, columns, or classes on the subject of network security, I find myself repeating the familiar statement: the threat from insiders is greater than the threat from outsiders. The United States FBI and Computer Security Institute (http://www.gocsi.com/) yearly survey always reinforces this. Yet some remain skeptical. “Where’s the documentation? Where’s the proof?” they ask. Then we find something like the May 3, 2001 Associated Press story, “FBI: Scientists Stole Lucent Trade Secrets for Chinese,” and we’re glad it is not our company.

Employees of Lucent, “… pirated Lucent’s PathStar technology,” said U.S. attorney Robert Cleary. “In short, [they] came to Lucent as scholars, but in reality, they were nothing more than sleuths.” They were nothing more than industrial spies and thieves. Though it is too soon to know the particulars about what went wrong in that case, it is useful to discuss the general problem, with a view of what can go wrong and why, what we might do.

While we have a fairly good handle on security from Internet-side attacks, inside, it gets sticker. We can break down the problems into three areas. First, while we may have fairly good eternal controls, our internal data access controls are usually poor to non-existent. Too often we rely on physical access control only. Second, and again, while our external network gateways and systems (web servers, mail gateways, and firewalls, for example) are usually closely watched, inside machines often are not. Finally, we may run intrusion detection on our service networks (DMZs), looking for suspicious activities, but may not be as thorough on the inside.

Internal controls

Inside, we often treat everyone the same. We treat everyone as trusted. If someone has a badge (and to be sure, these guys needed badges to get into and around Lucent), they are in. This problem is one of granularity in access control. With insufficient granularity, access control is broken down into perhaps 3 areas: outsiders (they don’t get access), insiders (they get access to user accessible files), and special users, such as system administrators.

With more granular access control, after we categorize the data and systems on our network, we can assign the proper access based on job responsibility and the “need to know.” Rather than an “all or nothing” access scheme, individuals are granted access to only what they need to access. Sure, administration of such a system could be complicated. All that does, however, is give you one more selection point when buying a product.

Logs and Warnings

Of course, having very tight and very granular access controls does not mean all your troubles are over. It may be that in the Lucent case, the gentlemen in question accessed information they are allowed to access. Tighter controls would not have made a difference. But decent logging might have helped. Did these guys access sensitive data all in one afternoon? They probably did not. Often, in situations like this, the unauthorized accesses occur over a long period of time. From a corporate spy’s viewpoint, this is one of the beauties of insider, network-based data stealing: you can sit at your desk, with your door closed, and explore and access whatever you need to at your leisure. You don’t look physically out of place, because you are not. You are right where you always sit and where you are allowed to sit. You are just wandering all over the corporation cyberspace.

With a good access control system in place, however, you are leaving a data trial. With such a system in place, as someone reviewed the access violations or access warnings in a daily report and on a regular basis, unauthorized activity may surface early on. In the case of Lucent, the activity could have been discovered before the supposed bad guys delivered, as alleged, “all or part of the voice-transmission source codes to the Chinese,” and before they received any of the promised $1.2 million.

In addition, with a little extra work, they might have had some early warning. If an intrusion detection system was added to the inside controls, any suspicious behavior or security warnings might have triggered an e-mail or a pager message the first or second time one of these guys bumped up against the access control system. A network-based intrusion detection system could be configured to look for anomalous behavior. Host-based intrusion detection could look for suspicious or unauthorized access activity.

The answer

There is nothing much new in what I suggest here. There’s no new device, or technology. What’s new is our application and consistency. We have to be as careful on the inside as we are on the outside. We have to take existing tools, existing smarts, and apply them to threats that experts keep telling us is more urgent than that of those from the outside: the insider threat.

Promotions, Self and Otherwise:

A column I wrote for WatchGuard on the need for an incident response plan is now at http://www.avolio.com/columns/intruderalert.html.

As I mentioned last month, I gave a tutorial on public key cryptography for SearchSecurity.com ( http://searchsecurity.techtarget.com/onlineEvents/). My latest column for them is a follow-up on some of the questions I did not have time to answer. I’ve republished it at http://www.avolio.com/columns/pkiq+a.html.

As a reminder, in addition to writing and consulting, I also teach. I teach for conferences and for the Computer Security Institute (http://www.avolio.com/calendar.html). Descriptions of my packaged courses are at http://www.avolio.com/CourseDescr.html. I also teach custom courses. For example, I recently taught a team of sales people and sales engineers for a VPN extranet provider.

On March 8, 2001, I published a column discussing the need for defending e-mail servers ( http://www.avolio.com/columns/e-mailServerSecurity.html). I recently met a consultant named Chuck Connell (CHC-3 Consulting — http://www.chc-3.com). He runs a Domino Server Security site called http://dominosecurity.org/.

##