Article posted: Oct 01, 2015
By Paul Foley, Professional Services Director and Co-Founder
Internal IT attacks - now recognized as one of the most prominent threats to corporate data - occur when an individual or group within an organization seeks to disrupt operations or exploit operational assets. And in many companies, it's shockingly simple to do. There are many high-profile cases, perhaps most prominently the Edward Snowden case, in which personal login credentials were stolen from his NSA coworkers so that he could access classified information. The Snowden case and others like it demonstrate the need to address this vulnerability.
In today's enterprises, the most common way for employees to authenticate and access the corporate network is by using a user name and password. In a Microsoft Windows environment, a user logs onto the system at the login screen, entering his or her user name and password as the authentication credential. While this method works well enough, from a security perspective it is rather weak. An employee with malicious intent simply needs to know the user's password to begin impersonating that user.
Here's a fairly typical scenario:
- In a busy company, three employees "hot desk" at work, sharing a workstation for a company that's open 24x7.
- Employee 1 is Mallory. For various reasons, she is disgruntled and wants to inflict some damage on her employer.
- It's rather easy for Mallory to steal her workstation mates' passwords using the well-known and freely available Windows Password Recovery tool - if the coworkers are using password-only authentication.
- In this scenario, co-worker 2 is Bob. He uses password authentication.
- Bob's and Mallory's co-worker 3, Alice, however, uses two-factor authentication in the form of a smart card for login.
- When Alice arrives for her shift, she logs onto the shared workstation with two-factor authentication: her smart card and her PIN. Once she's on the system, she goes about her normal day-to-day activities. If she leaves her desk to attend a meeting, step out for lunch or use the restroom, her card goes with her and she logs off the system.
- When Alice departs for the day, Bob arrives and logs onto the same shared workstation using his Windows domain credential: his user name and password. After logging on, he goes about his work. When he leaves for a meal, he logs off the computer.
- When Bob finishes his day, disgruntled Mallory arrives, logs onto the shared workstation using her own domain credential and then uses the freely available Windows Password Recovery tool in an attempt to find Bob's and Alice's network credentials: she performs a dictionary attack against the credentials of users who have previously logged onto the shared workstation.
- In what is bad news for the company, the dictionary attack tool easily cracks Bob's encrypted Windows domain password. Alice, in contrast, left no footprint of her network credential because she logged in with her smart card.
- Now, armed with Bob's login credential, malicious Mallory can easily log onto the network domain as Bob and begin her disruption, all while disguising herself as Bob.
The good news is that it's easy enough to remove the threat posed by employees like Mallory. Microsoft's best practices recommend deploying strong two-factor authentication in the form of smart card tokens. Doing so removes these far-too-easy-to-exploit vulnerabilities. We'll provide more details on this in our next blog.
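As an added example (not part of the original article), the following PowerShell script audits a shared workstation for the two settings that decide how the scenario above plays out: how many domain logons Windows caches locally (the CachedLogonsCount string value under the Winlogon key, which defaults to 10 and is what leaves a password logon like Bob's with a footprint that survives his logoff), and whether the host enforces the "Interactive logon: Require smart card" policy (the scforceoption DWORD under the Policies\System key). The registry paths and value names are real Windows settings; the parameter names, the default threshold and the messages are my own assumptions. The script reports by default and applies the hardened values only when run with -Remediate from an elevated session.

```powershell
# Added example, not code from the original article.
# Audit (and optionally harden) a shared workstation so that password logons
# leave no locally cached domain credential and smart card logon is required.
# Parameter names and thresholds are illustrative assumptions.

[CmdletBinding()]
param(
    # Apply the hardened values; without this switch the script only reports.
    [switch]$Remediate,
    # Upper bound for locally cached domain logons. 0 disables caching entirely,
    # which is appropriate for an always-connected shared desktop; laptops that
    # must log on offline need at least 1.
    [ValidateRange(0, 50)]
    [int]$MaxCachedLogons = 0
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# CachedLogonsCount is a REG_SZ; when the value is absent Windows uses "10".
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }

# scforceoption (REG_DWORD) backs "Interactive logon: Require smart card"; 1 = enforced.
$scForce = (Get-ItemProperty -Path $policy -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
if ($null -eq $scForce) { $scForce = 0 }

$findings = @()
if ([int]$cached -gt $MaxCachedLogons) {
    $findings += "CachedLogonsCount is $cached (limit $MaxCachedLogons): password logons leave cached credentials on this host."
}
if ($scForce -ne 1) {
    $findings += "'Interactive logon: Require smart card' is not enforced (scforceoption=$scForce)."
}

if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): compliant"
} else {
    $findings | ForEach-Object { Write-Warning "$($env:COMPUTERNAME): $_" }
}

if ($Remediate -and $findings.Count -gt 0) {
    # Keep the value a string to match the type Winlogon expects.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value ([string]$MaxCachedLogons) -Type String
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name scforceoption -Value 1 -Type DWord
    Write-Output "Applied CachedLogonsCount=$MaxCachedLogons and scforceoption=1; both take effect at the next logon."
}
```

Usage: `.\Audit-SharedWorkstation.ps1` to report, `.\Audit-SharedWorkstation.ps1 -Remediate` to enforce. Two caveats worth checking before remediating: with scforceoption set to 1 a password-only user such as Bob can no longer log onto that machine at all, which is the intended outcome of the recommendation above but must be coordinated with card issuance; and a CachedLogonsCount of 0 means the host cannot log domain users on while the domain controller is unreachable. The same requirement can also be applied per user in Active Directory rather than per machine, via the "Smart card is required for interactive logon" account option (`Set-ADUser -Identity <user> -SmartcardLogonRequired $true` in the ActiveDirectory module), so that Alice's account is protected on every workstation she uses, not only the audited one.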