Jan 04 2008

Warning: Agencies Must Wipe Former Employees’ Devices

Secure your network against remote access by former employees.

Your contractor or employee has turned in his or her badge and handed over the department-supplied notebook computer, and all the accounts have been disabled. But are you sure they are really gone? Despite your best efforts, advances in the technologies that go into portable computing devices are making it substantially more difficult to ensure the confidentiality, integrity and availability of your network.

Handheld devices play an important role for many organizations. Much smaller than a notebook but almost as powerful, they now support similar applications, and some can even run desktop and server-class operating systems. To facilitate our ever-connected life and work styles, many devices offer on-board Wi-Fi and third-generation services, and these capabilities can easily be added to older, cheaper devices as well. It is this inherent ability to communicate that makes these systems so dangerous. You need to think about this when employees leave — especially because the biggest threats to network security are internal.

Devices such as the CradelPoint PHS300 Personal Hotspot are coming close to bundling all this potential insecurity into a convenient, easy-to-use package, but it’s not difficult to use an inexpensive, older personal digital assistant (such as the Compaq iPaq H3600) to accomplish the same task. For less than $300, anyone can obtain the necessary components to build a device that sports 64 megabytes of RAM and multiple gigabytes of storage; wired, wireless and 3G connectivity; and Linux. With such a platform as a base, it would be simple for an employee to load tools that facilitate encrypted remote access, wireless- and wired-network monitoring and  recording, or just a simple network scanner.

It’s Not Mission Impossible

Because these devices are small and have decent battery life, they can be hidden almost anywhere: a conference room, wiring closet, data center, lab space or even an executive office. They can be easily concealed in the ceiling, under the floor or inside a desk. With 3G Internet capabilities, gaining access to such a device is easy. Unconventional access is also available — and potentially more dangerous, because it can work even in a radio-frequency-shielded facility — but it can be a bit difficult to visualize.

This type of access requires outbound access through the use of a single Transmission Control Protocol port. Many organizations permit Internet Web access or the use of outbound TCP Port 80. This port — even if it is proxied — can be used to support an encrypted tunnel from a hidden PDA. The device can generate this tunnel or back door and configure it to terminate at a remote location, such as someone’s home. The tunnel could allow off-site, continuous, encrypted reconnaissance of your network.

When combined, these elements significantly increase the possibility of your organization falling prey to unwanted computing equipment that supports unauthorized remote access:

• Ease of installation of small, hidden computing devices

• Ability to create tunnels or backdoors that allow remote access

• Lackadaisical physical security

It’s Not Hide and Seek

Such a setup, if well-hidden, would be difficult but not impossible to find. Tunnel activity, such as log-on and file transfers, would mix in with Web traffic, and properly planned network scanning might look like background noise. Batch files or script programs could be written to support and maintain the tunnel, making the device almost totally self-sufficient. A savvy user could also write scripts that would automatically remove the tunnel and any associated files if someone detected or tampered with the device.

You can combat the threat using visual inspection, network access control, network device inventory, network discovery scanning, packet-shaping or protocol inspection and connection-state table monitoring (typically done on outbound routers or firewalls) — all tools that will help locate such devices. Once found and properly dissected, the offsite termination point of the tunnel could lead to identifying the responsible individual.

It’s the Basics

Many organizations support the use of Dynamic Host Configuration Protocol, making installation of a configured device as easy as plugging it in. Although the device could be placed anywhere, some locations might support sensitive information and so demand tighter controls. The best form for these controls might be different processes rather than technology. For example, network access to a data center should not be as easy as badging in and plugging in a device. Equipment installations in a data center should require filling out requests for power, rack space and network services — including network jack activation. Equipment removals should require requests for termination of power, physical device and network connections, with emphasis on deactivation of network jacks.

Controls in less-sensitive areas might not need to be as strict, but depending on the sensitivity of the systems and data, might still be needed. Additionally, physical security policies should also help defend against the placement of unwanted devices. 

One of the best defenses available comes from making sure that employees know to report any unusual connection or wiring that they spot. Physical security policies may exist, but employees can become complacent. Periodic policy reviews are invaluable.

Although detecting a back door or tunnel is mainly a technical issue, reinforcing physical security controls, ensuring the effective use of process controls and heightening employee security awareness are critical to helping your organization avoid the threat of the employee who refuses to “leave.”