708.686.7285 in Chicago area                                                 480.422.4314 in Scottsdale area
[1]
Client Information: Domain01 - Chicago, Illinois
Contact: President    cc: /
Date: Report - 12/31/2003    Test Dates: 11/25/2003-12/31/2003
Performed By: Paul F Bergetz (President, Alienconcepts Incorporated)
Phone: 708-686-7285    Email: audigo@alienc.com
  Purpose
1-Establish current condition of infrastructure and data security.
2-Make recommendations based on findings.
The tests were performed at Domain01, Chicago IL, from Nov 25 through Dec 11 2003. Follow-up work and analysis of findings were performed offsite.

Verification and additional data were gathered via a Terminal Services network connection from the office in Mount Prospect.
Location/Date/Time
  Data Collection
Day 1/2 - Test setup included an NMA (Network Management Appliance) and a VLAN switch (for subdividing the LAN and WAN into groups). I set up a portable (to access the NMA) outside the Domain01 workgroups and behind the firewall. This system was running Windows 2000 Pro with F-Secure Mobile Enterprise Client 5.50. A mirrored connection was made to monitor all traffic going in and out of the router behind the firewall using eTrust 2.05; data was collected for 24 hours.
Ran bandwidth tests. During the test period of 10 minutes (per client) from 2-3 PM the bandwidth available was .9 Mbps out of a maximum of 1.54 Mbps, measured between the firewall and the ISP. The average user maintained 65 Mbps throughput between hlserver2 and their network interface card. This is well within accepted guidelines. One system, "192.168.1.14", appears to have a bad network interface or cable connection.

The IDS (Intrusion Detection System) was also run at the same time, logging ALL protocol activity through the firewall. The total amount of activity logged covered 24 hours and encompassed 1.3 GB of data. Because of the large number of viruses that were found, no reports were printed; all IDS logged activity was stored in its entirety on CD for future reference if needed.

Port scanning was performed from the inside and outside of the Domain01 infrastructure at various
intervals during the 2 day collection period.

Virus Scanning was performed on random systems after the complete network was powered down.
Systems were brought back online one by one and a scan with the house AV product was run. If a system failed the AV tests it was marked for complete re-install. As systems were brought back online it became apparent that the problems were much deeper than a few viruses causing problems randomly (network operation became very unstable and could not be traced to one source). A more in-depth plan was needed.
  Findings
Based on the port scans, virus scanning and IDS logs it appears that Domain01 was infiltrated by hackers who took control of one of the two routers. This can be verified since the old router can no longer be accessed by any means without an unknown password. After taking control of the router they installed a robot / file transfer program on the server SERVER02 (see port scanning link). They also set up directories on the systems "USER01" and "USER08" where virus source code and programming tools were stored (as well as possibly others). These systems had remote control and access software installed on them (as can be seen from the various virus reports that are attached) which allowed control of these systems by the hackers. This caused a continual decrease in network performance and prompted the addition of the faster DSL connection. The new DSL router was delivered with the default password installed (login "admin", password "admin") and may also have been used for a short period of time.

It is unknown whether all of the viruses that were found came in after this attack; many of them may have been lying dormant on the systems.
  Corrective Measures
Dec 02 through Dec 11 2003

1-The approach that was taken involved moving all systems to one switch connected to the old infiltrated router. The new router was secured and connected to a second switch with only the scanned and cleaned server on it, forming the "clean" network. This formed two networks: one infected, with access to the internet only via the old router (which was infiltrated), and the other not infected, with internet and server access.

2-I was able to save the server install by removing the house AV product and installing F-Secure. I then performed several virus scans to verify the integrity of the system, which appeared to be fine. The decision was made to move it to the "clean" switch so that corrected users could use both the server and internet resources. We also allowed infected / non-scanned clients internet access via the old router.

3-All systems were taken offline one at a time and thoroughly scanned using F-Secure from the DOS level, followed by the Windows version. It appears that the house AV product did not remove the virus (even though it found occurrences of the same) since symptoms still existed. See virus reports for details. Once the systems passed several complete and virus-free scans they were added to the "clean" network.

4-After scanning, passwords were added to each system's local account and their network logon profiles were removed (where necessary).
            a-Passwords could be as simple as "ABClogoname12" or "logonameA123".
            They cannot be the same as the logon name; viruses can guess this too easily.

5-Systems that could not be scanned and/or recovered were formatted and a new operating system was installed. These systems were then configured and scanned before being attached to the network.

Intrusion detection and port scanning were applied at the beginning, during and at the end of the corrective process.



  Follow Up Measures
Dec 12 through Dec 31 2003 - Open Items

1-The F-Secure product should be purchased from F-Secure USA. They can be reached at F-Secure (408) 938-6700, contact: Lisa (sales). Since there were three different anti-virus products installed across the network systems and none of them removed the problems (even if they found them), F-Secure should be the recommended house AV product, since it found and removed problems the others did not.

2-The remaining systems still need to be tested before they can be added to the network or used for transferring files via removable media.
        A - Systems in shipping department
        B - 192.168.1.14 (old Windows 95 system)
        C - Portable used by outside sales

3-Passwords aligning with accepted conventions should be added to all systems that do not have them.

4-You need to verify what services your current email provider provides with respect to virus scanning and spam control. Virus-related problems should NOT enter your network. If your mail provider does not provide this service I can find one for you.

5-All ADMINISTRATIVE logins must be passworded, aligning with accepted conventions.

6-The router must be secured so that the telnet port is not visible from the outside. This will require using a secure connection via Terminal Services to make changes.

7-Users should be encouraged to keep files on the server when possible. This does not help them with files that are automatically dumped in the Windows \My Documents folder; these should be copied to the E: drive on systems that have been rebuilt to proper conventions, or copied by script to a Network Management Appliance (see 8).

8-A network management appliance should be installed on the network ASAP to help in the following (and keep you proactive instead of reactive):
        A - Disk-to-disk backup of critical files on users' systems as well as duplicate backup of the server data files (360 GB of storage)
        B - Remote monitoring and management of network and resources
        C - Daily port scans
        D - Bandwidth testing
        E - Intrusion detection logging as dictated by weekly port scans
        F - Network time service (I noticed a range of almost an hour between Domain01 systems)
        G - The management appliance can be used as a backup server if the main unit needs to be taken offline for updates or repairs
        H - Remote virus scanning

        The cost of this service would be 600.00 to 750.00 per month including hardware.

9-The Server02 is issuing a fan failure error; this may or may not be critical, however it needs to be corrected since it causes the server to stop on reboot and wait for user input.
        A - An IDE drive needs to be added to the server to store a boot image. This will allow quick recovery of the server to the last imaged state if a failure occurs.

10-Because of attacks like the one that just happened it would be wise to have an Electronic Media and Internet Usage policy in place to protect Domain01 in case employees or infiltrators use your network and resources for malicious activities. I can supply you with boilerplate for your attorney to attach to your employee handbook.

11-Systems that still indicate any open port irregularities need to be tested with a "Port to Process" enumerator. This will verify whether these ports are suspect as still-existing transfer points for Trojan code and hackers. Cost not included in monthly service charge.
  Remote Management
 Dec 12 through Dec 31 2003

Once the onsite tasks were complete I moved on to remote management of the infrastructure. This was done by installing various management tools on SERVER02 and opening up port 3389 in the router to allow Terminal Services access to the network. The following software was installed in user account "manage" (all of this software is licensed to Alienconcepts Inc.):

1-Enterprise user and resource management
2-Port scanner
3-Network performance testing
4-Port to process monitoring
5-Trojan Detection System
6-Enterprise scheduler
7-File comparison
8-Mail notification
9-Intrusion Detection

For the past 17 days I have been receiving and reviewing data on port scans, port-to-process spying and virus scanning info. THIS SERVICE WILL STOP ON JAN 11 2004.
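One way to do the "Port to Process" check from item 11 of the follow-up measures (and the port-to-process monitoring listed above), as an added example that is not part of the original report: it maps each listening TCP port to the process that owns it from constructed Windows netstat -ano and tasklist output, then flags any listener that is not on an assumed allowlist of expected port/process pairs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Windows `netstat -ano` output (not captured from Domain01).
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1552
  TCP    192.168.1.5:3389       192.168.1.200:1044     ESTABLISHED     1204
"""

# Constructed sample of `tasklist` output: image name, PID, session, memory.
TASKLIST_SAMPLE = """
svchost.exe                  744 Console                 0      4,812 K
System                         8 Console                 0        216 K
termsrv.exe                 1204 Console                 0      3,040 K
svc_helper.exe              1552 Console                 0      1,120 K
"""

# Assumed allowlist: port -> process expected to own it on the managed server.
EXPECTED_LISTENERS = {135: "svchost.exe", 445: "System", 3389: "termsrv.exe"}
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+")

def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist-style lines."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs

def port_to_process(netstat: str, tasklist: str) -> List[Tuple[int, int, str]]:
    """Return (port, pid, process) for every TCP listener, sorted by port."""
    procs = parse_tasklist(tasklist)
    listeners = []
    for line in netstat.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            port, pid = int(m.group(1)), int(m.group(2))
            listeners.append((port, pid, procs.get(pid, "<unknown>")))
    return sorted(listeners)

def unexpected_listeners(netstat: str, tasklist: str) -> List[Tuple[int, int, str]]:
    """Listeners on a port not in the allowlist, or owned by a different process."""
    return [entry for entry in port_to_process(netstat, tasklist)
            if EXPECTED_LISTENERS.get(entry[0]) != entry[2]]
```

Anything this returns is a port to investigate, not proof of a Trojan; the second condition also catches an expected port (such as 3389) that has been taken over by a different process.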

There are 3 options I can offer you after that time:

1-Install the NMA (network management appliance) for $600 a month, which includes all of the services plus daily disk-to-disk backup of your data.
2-Leave the software on SERVER02 and continue with remote management for $500 a month. (This is acceptable; however, it places an undue load on a company data resource.)
3-Remove everything and let your staff worry about it.

  On Going Procedures
    The following ongoing procedures should be followed to prevent future problems:

    1-No systems or resources should be added to the network without first being scanned for any possible virus infection with the chosen AV product. (This includes systems moved between office and home, or network resources that do not have EMBEDDED operating systems such as printing or shipping resources.)

    2-Logging in to the network from offsite must be secured.
        A - If you need to log into a system via a modem, the remote client must be secured using a callback or access list.
        B - If you need to log into a system via the internet, you will need a fixed IP that will be recorded in the access list on the host system. You will also need to have port mapping added in the router for this service.
        C - An alternative to the above is setting up a VPN for each remote client / host relationship.

    3-Inbound modems and other remote dial-up devices need to be logged in the admin\system\network.xls document on the server.

    4-All email needs to be scanned indefinitely.
        A - This is the most probable way of eliminating getting infected again.

    5-Turn off the preview pane in Outlook Express and Outlook.
        A - This way you can see all your mail without having any item open automatically (with the potential problem of releasing a virus).

    6-User accounts should be kept in a default security mode. This may be inconvenient when you need to install software or device drivers; however, it ensures that only the administrator can access these functions.

    7-Users should be asked not to download and install non-work-related programs from the internet. (This includes screen savers, which are one of the main causes of viruses.)

    8-Log-off procedures need to be implemented and followed as noted:
        A - Windows 2000/XP system users need to press "Ctrl Alt Del" and lock their system when leaving their workstations for short periods of time.
        B - Windows 2000/XP users should press "Ctrl Alt Del" and Log Off at day's end.
        C - Windows 95/98 systems are not secure no matter what log-off procedure you use. They must be shut off when not in use.

    9-Do not use any Instant Messenger service; they have many security holes.

    10-Do not add wireless access points to your network.

    11-Do not accept files via email or media WITHOUT first scanning for viruses.

    12-Users should be discouraged from using internet services such as "radio or multimedia services" since they have excessive bandwidth requirements.
Summary

[1] PFB: Analysis Report

This report is not part of the standard data collection base price. Price will range from 4 to 20 hours of work at the hourly rate depending on the complexity of the analysis.