> All,
> I have a customer whose company does legal work for lots of
> businesses.
Legal work meaning what? Is the client an attorney or law firm, where
there are clear laws, regulations and codes of ethics regarding
confidentiality?
> The data housed on their network is what I would call 'financially
> sensitive'.
What do you mean by "financially sensitive?" Do you mean the client's
accounting records are stored on the server? Or, more sensitive, are
bank account access data or employee payroll/tax id data stored on the
server? Or, most sensitive, confidential customer data?
Does the client share your view about the sensitivity of this
information? Did you discuss the matter to understand their view of the
situation? Have you performed a business impact analysis to determine
the risk?
> Recently, I found their Exchange server had been
> turned into an open relay. It was not that way a month ago.
So you are saying that one month ago you documented the Exchange 5.5
server configuration and that it was properly configured to deny relay.
Subsequent to documenting the configuration, someone changed the
settings to allow anonymous relay (Exchange 5.5's default
configuration). If this is indeed the case, then it indicates that
someone has gained unauthorized, privileged access to the server. This
might have been done by someone with permissions to make the changes, or
it might have been done by an intruder. If nobody is willing to admit
to making the changes, then you are right to assume the worse.
Assuming the worse, changing the administrator account's password is,
unfortunately, an ineffective response. Any intruder worth his salt
would have installed at least two backdoor methods to regain access to
the system. Ideally, the server should be rebuilt from bare iron on
freshly-formatted disks, hardened before allowed to connect to a
network, then the data restored. The data in the Exchange stores will
be problematic. Depending on the size of the organization you might
decide to manually move all the Exchange information stores content to
.PST file, or use exmerge.exe from Microsoft. Considerable "touching
up" will be required.
If you (or the client) decides against a complete rebuild (dangerous, in
my view, if you know an intruder's been actively manipulating the
system), then you need to audit every single user, computer and service
account; change every password; run multiple anti-virus, anti-Trojan and
anti-spyware packages; and attempt to validate every executable file on
the system. You should also, at least short-term, install an IDS to
identify how the intruder broke into the system in the first place, and
make sure that vulnerability is fixed. Even then, I would always have a
nagging concern that something was missed.
> Once I stopped the
> bleeding, I told them I wanted to change the Administrator password,
> (NT4.0, Exch5.5. I know, I know). They told me they were
> not allowed to change the password. "Sez WHO", I asked. "Our
software
> vendor", they
> replied. Turns out the vendor in question has a niche market in this
> kind of legal field. Also turns out they use the same 4-letter, (no
> caps, no special chars), administrator password on ALL their
> customers networks.
Obviously, the software vendor is not providing overall support for the
client, otherwise they would not be paying for your expertise. In my
experience, any software vendor with a rule that the end user client
cannot change the administrator password is more than willing to
accommodate when challenged on the issue. Particularly if you consider
(and tell them you're considering) the probability that one of their
employees, customers, or ex-employees/customers are likely to be
responsible for the intrusion, and their negligence is considering
security is a significantly contributing factor.
> To make matters worse, they have PCAnyWhere ports
> open on all these networks, because their software is so buggy, the
> developers need to remote in and fix things all the time.
> The spokesman for the group
> claims that the AT&T managed firewall prevents anyone else
> from using the PCNoWhere ports by IP address.
Properly configured, pcAnywhere can be nearly as secure as VPN access.
pcAnywhere can be setup to require two-level user authentication and
public key encryption of all traffic. The pcAnywhere ports can be
easily configured for non-standard values, and measures to protect
against password cracking and abandoned/broken sessions are available.
If securely configured and used in combination with a firewall that
restricts access to predetermined, trusted external IP addresses, then
pcAnywhere poses very little security risk.
> I'm not a great negotiator, and I'm going to face the SW
> spokesman next
> week. He is a good spin doctor. I'm looking for help in making him
> secure his stuff. All help is appreciated.
Look at it this way: If your mutual client gets hacked and confidential
information is misused due to the software vendor's negligence in
adequately securing their information:
1.) The client may be sued, and the software vendor may be named
as a co-defendant by all damaged third parties.
2.) The client will likely sue the vendor directly, regardless of
prior contracts and disclaimers.
3.) The negative publicity regarding the vendor's gross negligence
will, at best, force them to change their policies reactively,
and at worst will diminish their reputation and cost them
business.
4.) The cost to resolve the problem reactively, during a crisis
situation, will be more expensive and difficult than a planned,
proactive approach to implement proper security.
5.) At minimum, the vendor will lose one loyal customer.
Between you and me, I would leave out the stuff about their software
being full of holes and other deprecating remarks. The fact is that all
software is buggy, and it wasn't their software that was exploited
(though their lax security was contributory. Vertical-market stuff that
must be customized per-customer according to their business needs
frequently needs lots of support from the developer, since every client
has their own idea of how reports should look and data should be
categorized. The ability to quickly accommodate your client's unique
requirements is probably what attracted them to the vendor in the first
place.
Finally, consider the fact that the client has probably invested a
considerable amount of money in their software, customization, ongoing
support and, most important, data entry. If you put yourself in an
adversarial position versus the software vendor, you will likely find
yourself out of a gig.
---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:09:05 PDT