The first manner of unintentional infection is fairly easy to understand. The contractor was working on the project using his system. His system was infected. In working on the project, it was necessary for him to share files with employees who were on the network. He did this by using a shared network resource to place those files. The contractor would transfer the files to the shared location, where the employees could then access them for review, modification, and so on. The files that were transferred happened to be infected. When the employees opened the files, they became infected. It’s really that simple, as shown in Figure 4-5.
Figure 4-5: Unintentional infection through a shared corporate resource (contractor system, shared corporate resource, employee system). 1. Contractor with infected system creates a document and transfers it to a shared resource. 2. The infected document is stored on the shared resource. 3. The infected document is opened by an employee and their system becomes infected.

This method of infection clearly requires human interaction. The contractor transfers the files and the employee opens them. So, can this type of infection really happen? People talk about it, but is there an actual example of how this can occur? Yes, there is! Following is information on an actual Microsoft Word vulnerability that could adversely affect systems as defined in this scenario:
National Cyber-Alert System
Vulnerability Summary CVE-2007-0209
Original release date: 2/13/2007
Last revised: 5/16/2007
Source: US-CERT/NIST

Overview
Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a Word file with a malformed drawing object, which leads to memory corruption.

Impact
CVSS Severity (version 2.0):
CVSS v2 Base score: 9.3 (High) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.6
Access Vector: Network exploitable, Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service

References to Advisories, Solutions, and Tools
External Source: SECTRACK
Name: 1017639
Hyperlink: http://www.securitytracker.com/id?1017639
External Source: BID
Name: 22482
Hyperlink: http://www.securityfocus.com/bid/22482
External Source: MS
Name: MS07-014
Hyperlink: http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx
External Source: FRSIRT
Name: ADV-2007-0583
Hyperlink: http://www.frsirt.com/english/advisories/2007/0583

Vulnerable software and versions
Configuration 1
- Microsoft, Word, 2000
- Microsoft, Word, 2002
- Microsoft, Word, 2003
- Microsoft, Word, 2003 Viewer
- Microsoft, Works Suite, 2004
- Microsoft, Works Suite, 2005
- Microsoft, Works Suite, 2006
- Microsoft, Office, 2000 SP3
- Microsoft, Office, 2003 SP2
- Microsoft, Office, XP SP3
- Microsoft, Office, 2004, Mac
As you can see from this example, the threat is very real. The Impact Type section of this report lists exactly what can happen to systems from this threat. "Provides administrator access," "Allows complete confidentiality, integrity, and availability violation," "Allows unauthorized disclosure of information," and "Allows disruption of service" are all extremely dangerous risks to the enterprise from this actual exploit.
This information was gathered by visiting the Common Vulnerabilities and Exposures (CVE) web site http://cve.mitre.org and conducting a simple search. This site is funded by the Department of Homeland Security and provides additional information that can be very useful. CVE provides a list of standardized names for vulnerabilities and other information on security exposures to help standardize the names for all publicly known vulnerabilities and security exposures.
In addition to these well-known industry standard sites and services, there are a ton of high-quality sites that contain great information. US-CERT, SANS, and CVE are simply being mentioned because they are respected, noncontroversial, and commonly used by security professionals. It is certainly a good idea for security professionals to be aware of the latest risks, and using these resources is a great means to do so.
How Files Really Get Transferred
The aforementioned scenario is realistic and happens every day. The thing about it is that it’s not the only way people transfer data between different companies. While there are lots of ways to do this, the following are most common:
◆ E-mail
◆ USB drives
Many companies I talk to actively scan their e-mail for malware. When I was a director of IT, I had every e-mail and attachment sent in and out of my organization scanned. This caught a ton of malware and actually resulted from us being infected by the ILOVEYOU virus.
The second method is the tricky one: USB drives. If I have a file on my laptop and I’m in a meeting where someone needs that file, a USB drive is an invaluable tool.
While the USB drive is an invaluable tool, it is a considerable security risk. The data on the USB could very well contain malware. If that data is copied over to a corporate laptop, it could infect that laptop and spread throughout the LAN. In doing so, it could bypass any LAN-based NAC, as well as other LAN-based security solutions. Figure 4-6 shows a representation of how this is done.
Figure 4-6: An infected USB drive bypassing LAN-based protection (Internet, corporate network, authorized corporate asset, guest device). 1. Corporate asset is protected by being on a separate network, a LAN-based NAC solution and all other security solutions on the LAN. It has all reasonable steps in place to protect it from malware. 2. Guest device is completely restricted from the corporate LAN. 3. Corporate employee completely bypasses this protection by connecting an infected USB drive to his corporate system.
This is a quick-and-easy means to bypass a bunch of security solutions that cost a lot of money. It’s also a key way that penetration testers and hackers gain access to the corporate LAN.
TALES FROM THE FIELD
I’ve heard this story many times in the past, and I’ve always thought it was a good one. Recently, I spoke with a very well-known penetration tester and security expert who stated that he recently used this method to gain access to a corporate network during a penetration test. To me, this story went from being a good anecdote to a factual account of how a corporate network was actually infiltrated.
As mentioned, companies spend millions of dollars protecting their LAN against outside attacks. That is why companies have firewalls, IDS/IPS equipment, anti-spam software, and so on. So, what is the easiest way to break through all of this equipment? Don’t try to break through it — go around it!
People just love USB drives. I use mine all the time. Whether it’s as a useful tool to copy files, to always have my security on hand, or to back up important work (such as this book), for example, these tools are invaluable. They are also intriguing. If someone is walking through an airport or a parking lot and they see a USB hard drive lying on the ground, they can’t help but wonder what is on it. Is it confidential information, trade secrets, someone’s diary, pictures of Anna Kournikova? Inevitably, curiosity gets the better of some people, and they pick it up to see what’s on it. (They also might just think, ‘‘Hey, I found a free USB drive; I can use this.’’) Either way, they take the USB drive and plug it into their computer. That step alone is what leads to the infection.
What the penetration tester did is take a bunch of USB drives and scatter them throughout the parking lot of the company for which he was performing the penetration test. Before long, an employee picked up one of the drives and inserted it into his workstation. Upon doing so, the system became infected so severely that it compromised the corporate LAN. There are basically two ways this can be done:
◆ The USB drive can contain purposely infected files. When the user opens one of the files, it could load a piece of malware that compromises the system and, subsequently, the network.
◆ Upon inserting the USB drive, malicious programs can be automatically executed.
The malicious programs automatically get executed by taking advantage of the Autorun feature. Many people are familiar with the Autorun feature as it pertains to CD-ROMs. A user would place a CD-ROM into the drive on their computer, and an installation menu or options is automatically displayed. This happens because the operating system reads an Autorun file on the CD-ROM and uses that information to launch the appropriate application on the CD-ROM, which could be an application that starts an installation.
USB drives can function in exactly the same way. Instead of the Autorun file being on the CD-ROM drive, it would be on the USB drive. When the USB drive is connected to the computer, the Autorun file is run, and whatever programs are entered into the Autorun file are executed. The following is an example of the contents of an Autorun.inf file:
[autorun]
OPEN=keylogger.exe
In the case of the penetration tester, the files that were executed by the USB drive’s Autorun file were malicious. They could install a keylogger, a backdoor to the system, and so on. Essentially, by inserting that USB drive, the penetration tester or hacker could capture the network username and password that were entered by the corporate user who inserted the USB drive. They could also remotely control that device and use it as a platform to attack other systems on the corporate network. All this could be done while the penetration tester or hacker was anywhere in the world.
This is a great example of how social engineering can bypass even the best security infrastructure. That includes bypassing technologies such as NAC. You’ll see in Chapter 5 how elements of that type of NAC can be useful in preventing exactly this type of threat. (You can also hold down the Shift key to stop Autorun functionality from taking place when a CD-ROM or USB drive is inserted, as well as make configuration changes to stop it from happening.)
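The two-line Autorun.inf shown above is the whole mechanism: an INI-style file whose [autorun] section names a program for Windows to launch. The Python below is an added example for this chapter, not the book's own tooling or any penetration tester's code; it parses an Autorun.inf the way a defender auditing removable media would and reports every directive that would run a program (OPEN, shellexecute, and shell\<verb>\command entries). The sample file contents are constructed for the demonstration and extend the chapter's two lines with an icon entry, which is harmless, and a shell verb, which is not; all function and constant names are this example's own.

```python
"""Audit an Autorun.inf for directives that launch a program automatically.

Added example (not the book's code or any pentester's tooling). The parser is
hand-written for the INI-style Autorun.inf format; the sample below is constructed.
"""

# Directives in [autorun] that make Windows run a program on insertion or when
# the drive icon is opened.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: the chapter's two lines plus a harmless icon entry and a
# shell verb, which is another way an Autorun.inf can point at an executable.
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample for the audit demo
OPEN=keylogger.exe
icon=setup.exe,0
shell\\install\\command=setup.exe /quiet
"""


def parse_autorun(text):
    """Return {section: [(key, value), ...]} with section and key names lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_findings(text):
    """List the [autorun] directives that would execute a program."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS:
            findings.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\<verb>\command adds a context-menu verb that runs a program
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, value in autorun_findings(SAMPLE_AUTORUN_INF):
        print("launch directive: %s=%s" % (key, value))
```

Running it over a mounted drive's Autorun.inf is a quick triage step, but the durable fix is the configuration change the chapter mentions: on Windows the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF, disables Autorun for every drive type, so the file is never consulted in the first place.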