16.7.10

Insider Threats


I am heading to Detroit next week and will be presenting on "Insider Threats." There's a lot of cool research out there about this topic:
http://www.thetechherald.com/article.php/200831/1629/Analysis-of-Internal-Data-Theft
http://www.cylab.cmu.edu/research/chronicles/2008/cappelli.html
http://www.govinfosecurity.com/webinarsDetails.php?webinarID=67

What's funny, or sad, is that with all of that research I still haven't seen a lot of movement to mitigate this issue. I once submitted a memo to my management regarding a vulnerability I exploited internally and was told to ignore it. The vulnerability gave anyone with physical access to a Windows Vista or Windows 7 PC SYSTEM-level access in about 60 seconds. In fact, my immediate supervisor made some statement about "...Windows sucks" and "we trust our users." I will demonstrate this vulnerability, and the associated exploit, during my talk.
As I read through all of the talk on "Insider Threats" I see quite a focus on identifying the bad guy or girl. While I don't think that should ever be ignored, I feel there is an overemphasis here. Just prevent the data from being stolen or accidentally leaked. The truth is that we, yeah me included, have far too many privileges on our work computers and networks. We have all whined loud and long enough that people think we NEED Twitter to perform our jobs. I have even been asked as a web-proxy admin to give someone access to Second Life at work. My supervisor replied with "{name removed} is a good kid, give him what he needs." After an hour of explaining what Second Life was, my boss didn't even know, he half-heartedly decided against it. Don't get me wrong, there is a place for trusting employees and it isn't easy to draw the line, but always trusting all users to make the right decision {or never make a mistake} isn't how an infosec d00d should view the world. I think the best cure for that would be to let that person swap places with a helpdesk-type person for a day.
Anyway, here's the exploit running on Vista prior to any authentication:

Here it is on Windows 7:

I had already logged into this machine, but you get the idea. The way GIMP takes screenshots wasn't allowing me to take this shot the way I wanted so I got 0ld Sk00l, and took a pic. The real problem these days isn't your OS though, it's the human element. You can almost equate it with social engineering, but instead of trying to get your mark to provide you with access, credentials or what have you, you are trying to convince them to care about the dangers of losing data. For many years it was believed that gaining "root", "SYSTEM", or "Administrator" access was the key. This went away several years ago because data became the target. Unfortunately the defensive mindset hasn't yet shifted in some environments. I recently asked John Strand and Paul Asadoorian a question during their "For the Last Time, The Internet is Evil" presentation. The question went like this:
"d00ds, what is the key to getting the organizations and personnel who review penetration testing results to understand the dangers and take action to implement the recommended changes?"
John replied:
"We have to create failure scenarios to show what happens if that one computer or one piece of data gets compromised."
Paul chimed in with:
"It will take a paradigm shift at the management level to understand these risks beyond the dollar signs."

I love both of those answers. I do understand information security can't be a bottomless pit that you throw money into, but experience has shown me that few organizations adequately fund initiatives in that realm. As I have stated previously, a lot of places out there are committed to maintaining the status quo. To them I say "Thanks for keeping my job as a pen tester fun and exciting." My next entry will be on the FAIL mode auditing and certification are stuck in. As always, the fault lies not with the auditor but at the funding and upper-management level.
