Just as retail stores often find that more losses come from employee thefts than from outside shoplifters, some companies might be surprised to learn that they are at least just as much at risk from their internal users as from Internet hackers. Sometimes it's inadvertent; non-tech savvy users may inadvertently visit Web sites that run malicious code or innocently download programs they think will be useful on the job that contain spyware or click on email attachments that contain viruses or attach their laptops (that have, unbeknownst to them, picked up malicious software from unprotected home or hotel Internet connections) to the company network. They usually don't realize their actions violate policy or best security practices.
The rogue user, though, knows that he/she is violating network policies and often has some advanced technical knowledge. That doesn't mean the intent is to bring down the network or introduce an attack. Usually the rogue user just wants to defeat your security mechanisms because they inconvenience him - but doing so can have unintended consequences that can be devastating to your network.
What Rogue Users Do
Rogue users deliberately disregard the rules, which they think are silly or which they believe should apply only to "dumb" users who lack tech skills, not to them. The typical rogue user might:
- Plug a wireless access point into the Ethernet jack in his office without authorization from the IT department so he can take his laptop to the break room and surf the Web.
- Disable the anti-virus software on her company computer because it slows things down or doesn't play well with her favorite (personally downloaded) program.
- Use another employee's account and password (which he cracked technologically or discovered through social engineering techniques) to get access to files or programs he can't access with his own account.
- Use hacker tools to elevate her privileges so she can install software or perform other tasks not allowed with her assigned privileges.
- Install games or other "innocent" programs without authorization.
- Upload data or programs brought from home via floppy diskettes, CDs, or USB flash drives.
- Download company data to removable media and take it home to work on.
The rogue user him/herself is a personnel problem, but repairing the damage done by the rogue user is a technical problem. And perhaps the worst situation of all is when the rogue user is the boss. In that case, you'll almost certainly have to come up with technological solutions to protect the network, since disciplinary proceedings to control the user's actions are not an option.
Why rogue users are dangerous
What harm can a rogue user cause? Plenty! Placing a WAP on the company LAN behind the corporate firewall opens up the internal network to war drivers and other outsiders. Disabling AV software and other host-based security mechanisms can allow malware that you thought you were protected from to infiltrate the network. Using someone else's credentials makes it impossible to accurately track activities on a per-user basis and could result in the wrong person being blamed for policy violations. A user operating with elevated privileges can do all manner of damage and presents a vulnerability that a hacker can exploit. Unauthorized programs and documents can contain spyware, viruses and other malicious software. Taking company data offsite can result in theft of trade secrets or even put the company at risk of fines or criminal charges for violation of regulatory statutes such as HIPAA, GLB, etc.
Tracking down the rogue user
The first step is discovering what the rogue user is doing. That means monitoring. You can detect rogue WAPs using wireless network detection programs such as NetStumbler (http://www.netstumbler.com/). It's free, and there are versions available for both regular laptop operating systems and Pocket PCs (the latter is called MiniStumbler). You can also use a GPS card with it to create a map showing the physical location of the rogue WAPs. You can also buy standalone wireless network locator devices such as Kensington's WiFi Finder.
Vulnerability scanners such as GFI LANguard (http://www.gfi.com/lannetscan/) can detect whether the computers on your network are running specific services and applications (such as AV software or unauthorized programs), as well as determining whether the machines have up to date security patching and service packs. They can also detect security vulnerability caused by registry settings that a rogue user may have changed, and some VS software can also detect USB devices.
You can determine whether a rogue user is using someone else's password by implementing Windows' built in security auditing and monitoring logons for the user account(s) suspected of being compromised. You can also audit file and folder access to determine what the rogue user is accessing.
You can also use a packet sniffer or protocol analyzer to directly examine the contents of the packets that go to and from the suspected rogue user's machine. Examples of such software include Sniffer Pro (http://www.snifferpro.co.uk) and Ethereal (http://www.ethereal.com/).
Your firewall logs can tell you whether the rogue user is visiting dangerous Web sites and whether he is downloading software from the Web, via Peer to Peer (P2P) networks, exchanging files via IM, etc. You can even install a keystroke logger (software or a hardware device) on the suspected rogue user's computer to record everything that he types; this can be supplemented with screen capture software so you can also tell what he's doing via graphical interfaces. One program that does both is Activity Monitor 3.8 from SoftActivity (http://www.softactivity.com/). It will also report the software running on the computer. It's installed on your computer, which acts as the monitoring station, with agent software installed on the suspected rogue user's computer. You can even monitor multiple computers simultaneously.
Protecting against rogue users
It's always better to be proactive than reactive, and a few preventative measures may thwart your would-be rogue users. For example:
- Consider providing a wireless network that you control. Often, the reason employees plug in rogue WAPs is because that's the only way they can get the wireless connectivity they want at the jobsite. It's been said that the companies most vulnerable to wireless attacks are those that don't have wireless networks, for just this reason. You can set up the WAP in a DMZ so that those who connect to it have Internet access but can't touch the internal resources unless they have a VPN. You can also implement wireless security, such as WPA encryption and MAC filtering, turn off SSID broadcasting and change administrative defaults - things that the employee who plugs in a rogue WAP probably won't do.
- If an employee sets up a rogue WAP anyway, you can use IPsec on your LAN and create a group policy that requires it for connecting to your critical servers. At least the traffic will have some protection as it travels over the air.
- You can use software solutions such as Airwave (www.airwave.com) to automatically alert you if a new WAP is connected to the network and help you determine its location.
- You can prevent the use of floppy disks and flash drives to upload or download data by removing floppy drives from the computer, disabling the USB ports, or using a product like GFI's Portable Storage Control (PSC) to control access to floppy and USB drives on a per-user basis (http://www.gfi.com/lanpsc/).
- Run vulnerability scans on a regular basis to detect configurations and software that present security risks.
- Use multi-factor authentication (smart cards or tokens, or biometrics) to make it more difficult for a rogue user to use someone else's password.
Rogue users can put your network at risk, but you can use available tools to prevent them from doing things that threaten security and to detect their activities if they do.