When times get tough, things change for everyone, and sometimes employees don't like changes that management makes. This can be especially true if the employee is being "laid off." But what about laying off people with specific and valuable knowledge about your business? That's not an easy call, and it's certainly a risk.
While no one likes to hear that their job position has been eliminated or another person will be doing it, some people will take it very personally, and a small subset of those people will actually attempt to take some sort of revenge.
Sometimes the revenge manifests itself as feeling entitled to the work product they produced while at the company -- a customer list or program source code, for instance. Other times it can take the form of sabotage, such as destroying data or rendering critical computer systems inoperative. While ways to cause damage to a company or former employer are limited only by imagination, we'll keep the focus on things that are information-system related.
Recently I investigated a case where a laid-off employee intruded into the corporate network of his former employer from the public Internet and rendered critical computer systems inoperative, which caused serious damage. It wasn't the first time I've seen this, and it won't be the last. What I'd like to share is what you can do in advance that makes investigating such incidents a smaller and more effective effort. A little preparation will also make the effort much cheaper.
While preventing an incident is obviously the ideal, it's not always possible to defend against a motivated attacker with specific knowledge about the internal workings of a company. Also, what if the individual is a privileged user on the network, such as an administrator, or a help desk or tech support operator? This person could potentially have access to other users' account information and may actually be able to make new accounts for the purposes of covert or continued access from the Internet to the corporate network beyond the scope of employment.
By now, most companies have basic protective controls on their networks such as a firewall. If your company is a little more forward-thinking, perhaps you've also already deployed an application proxy. These controls are necessary and good at what they do, which is controlling the network border with the Internet, denying the known bad traffic, and allowing the known good, at least in theory.
Maybe your company also has an IDS (intrusion detection system), which will look for known signs of malware or abuse and send out an alert; or maybe you have an IPS (intrusion prevention system), which will attempt to block it. All of these things are good and necessary. But what happens when Biff from sales gets fired and logs back into the network via the VPN using Brad's (also from sales) password? He knows Brad's password because he sits next to him and saw the Post-It note/heard him on speakerphone with tech support/or simply guessed it (G1ant$rule!).
The problem here is a simple one: Every rule was followed during Biff's termination -- his accounts were deactivated and he was walked out of the building -- but he was still able to remotely log back in to the network, likely with similar privileges as he had in his former position. Despite the company following industry best practices, the firewall, proxy, IDS, VPN, and even the Windows Domain all see this as a legitimate log-in, though it isn't.
So what can you do? How about trace the IP address? Sure -- it's a library gateway for hundreds of branches around the city... Have fun storming the castle!
This sort of access can go on unnoticed for quite some time, depending on the password policy -- and even then if the attacker can install a key logger, it'll just email him the new credentials anyway. Remember, email is legitimate, allowed traffic!
Here are some thoughts on how to manage this sort of risk:
* Make sure you keep all of your VPN, Domain, and Critical server logs on a separate server. The audit function must be also be separate from IT so that compromised Adminstrator accounts cannot delete or manipulate log data.
* Make sure you can make reports on those logs. There are plenty of third-party products that make this easier; I'm sure some of you folks can chime in with your favorites.
* Record and report failed VPN or remote log-in attempts. Recognizing this clue to impending abuse originating from the Internet early on can really save your bacon.
* Single-factor authentication must die! I know I'm preaching to the choir, but two-factor authentication, while certainly not infallible, raises the bar for remote access abuse on a would-be attacker.
Wednesday, September 9, 2009
Friday, August 14, 2009
Microsoft Word Sales Banned In US In 60 Days
A Judge on Tuesday ordered Microsoft (NSDQ: MSFT) to stop selling its popular Word document creation application in the United States in 60 days, after finding that the software contains technology that violates a patent held by a third party.
Microsoft Office, which includes Word, accounted for more than $3 billion in worldwide sales in Microsoft's most recent fiscal year and is used by literally millions of businesses and consumers for everyday tasks like word processing and making spreadsheets and presentations.
Read the rest of this article at:
http://www.informationweek.com/news/software/enterpriseapps/showArticle.jhtml?articleID=219200383&cid=nl_IW_daily_html
Microsoft Office, which includes Word, accounted for more than $3 billion in worldwide sales in Microsoft's most recent fiscal year and is used by literally millions of businesses and consumers for everyday tasks like word processing and making spreadsheets and presentations.
Read the rest of this article at:
http://www.informationweek.com/news/software/enterpriseapps/showArticle.jhtml?articleID=219200383&cid=nl_IW_daily_html
Wednesday, July 29, 2009
Microsoft Accedes to EU Demands, Setting Bad Precedent By Paul Thurrott
Late last week, Microsoft announced something that virtually no one--myself included--saw coming. Rather than continue with its previous approach to dealing with antitrust regulators from the European Union (EU)--an approach that, frankly, was the technical equivalent of a middle finger lofted in the direction of Brussels--Microsoft said that it would simply accede to the EU's demands. It will allow Windows 7 customers in the EU to choose between competing web browsers via a so-called ballot screen. The company’s previous approach, the Windows 7 E Editions, which simply removed Internet Explorer from Windows 7, was apparently not radical enough.
Check out this article... (the evil empire may be crumbling)
http://ct.email.windowsitpro.com/rd/cts?d=33-70133-793-207-162433-3639221-0-0-0-1-2-207
Check out this article... (the evil empire may be crumbling)
http://ct.email.windowsitpro.com/rd/cts?d=33-70133-793-207-162433-3639221-0-0-0-1-2-207
Friday, July 10, 2009
Kon-Boot Lets You Bypass Logon for Windows and Linux
Kon-Boot looks like a very interesting tool since it can get you into a system without having to logon first.
According to the description at the tool's site, Kon-Boot alters a Linux or Windows kernel on the fly during boot up. The result is that you can login to a system as 'root' or 'administrator' without having to know the associated account password.
The tool reportedly works with Windows Vista, XP, Server 2008, Server 2003, Windows 7, Gentoo, Ubuntu, Debian, and Fedora.
All of you admins out there might want to give this tool a whirl to see how it works against your systems - before one of your users does!
According to the description at the tool's site, Kon-Boot alters a Linux or Windows kernel on the fly during boot up. The result is that you can login to a system as 'root' or 'administrator' without having to know the associated account password.
The tool reportedly works with Windows Vista, XP, Server 2008, Server 2003, Windows 7, Gentoo, Ubuntu, Debian, and Fedora.
All of you admins out there might want to give this tool a whirl to see how it works against your systems - before one of your users does!
Wednesday, July 8, 2009
Microsoft, What's Going On? IT Pros and Partners Want to Know By Paul Thurrott
Next week, Microsoft hosts its annual Worldwide Partner Conference in New Orleans, the first time the software giant has returned to that city in a major way since the Katrina debacle (at least to my knowledge). On the face of things, the WPC doesn't sound like it would be a thrilling event per se--images of CEO Steve Ballmer bounding across the stage caterwauling "partners, partners, partners!" notwithstanding--but this show has always offered up some compelling info about Microsoft's upcoming products. This year, on the eve of WPC, however, I have some questions.
Windows 7 and Windows Server 2008 R2
Microsoft previously announced that it would complete development of Windows 7 and Windows Server 2008 R2 in July 2009, so it's likely that the company will reveal that milestone at the show. But numerous questions surround these products, even in the wake of last week's Windows 7 retail pricing announcement.
For example, will businesses be able to get access to these products electronically before the October 22, 2009 launch date? And if not, why? And what about MSDN and TechNet customers?
Indeed, the sheer number of questions swirling around Windows 7 pricing, availability, and various upgrade issues is astonishing, especially when you consider that Microsoft had months to prepare for this event. The company could really clarify things a lot better than it has.
Office 2010/Office Web Applications
Last year at the Professional Developers Conference, Microsoft announced that it would deliver a beta version of its upcoming Office Web Applications (using the now-overloaded OWA acronym, with due respect to Outlook Web Access) by the end of 2008. Now 2009 is nearly half over, and it still hasn't happened.
We can expect a lot of Office 2010 pomp and circumstance at WPC next week, including the release of the previously announced Office 2010 Tech Preview (which leaked to the web over a month ago, by the way). But what about OWA?
Windows 7 and Windows Server 2008 R2
Microsoft previously announced that it would complete development of Windows 7 and Windows Server 2008 R2 in July 2009, so it's likely that the company will reveal that milestone at the show. But numerous questions surround these products, even in the wake of last week's Windows 7 retail pricing announcement.
For example, will businesses be able to get access to these products electronically before the October 22, 2009 launch date? And if not, why? And what about MSDN and TechNet customers?
Indeed, the sheer number of questions swirling around Windows 7 pricing, availability, and various upgrade issues is astonishing, especially when you consider that Microsoft had months to prepare for this event. The company could really clarify things a lot better than it has.
Office 2010/Office Web Applications
Last year at the Professional Developers Conference, Microsoft announced that it would deliver a beta version of its upcoming Office Web Applications (using the now-overloaded OWA acronym, with due respect to Outlook Web Access) by the end of 2008. Now 2009 is nearly half over, and it still hasn't happened.
We can expect a lot of Office 2010 pomp and circumstance at WPC next week, including the release of the previously announced Office 2010 Tech Preview (which leaked to the web over a month ago, by the way). But what about OWA?
Wednesday, July 1, 2009
GMail Security
Gmail users interested in enabling HTTPS before Google can do so by logging into their Gmail account, then click on the “Settings” tab, scroll to “Browser connection,” and then click on “Always use HTTPS” so the security feature will be enabled.
Yahoo Mail, Microsoft Hotmail, Facebook and MySpace also use HTTPS when logging a user into the service, but don’t have the security feature available once a user is logged in, according to security experts. Normally only sites such as banks and credit card web sites have permanent HTTPS connections, but there is growing pressure for e-mail services and other sites to support HTTPS at other times besides log in.
Yahoo Mail, Microsoft Hotmail, Facebook and MySpace also use HTTPS when logging a user into the service, but don’t have the security feature available once a user is logged in, according to security experts. Normally only sites such as banks and credit card web sites have permanent HTTPS connections, but there is growing pressure for e-mail services and other sites to support HTTPS at other times besides log in.
Tuesday, June 9, 2009
Windows 7 Mojo
Windows 7 By Paul Thurrott
By Paul Thurrott
Last week, Microsoft announced that Windows 7 and Windows Server 2008 R2 will be released to manufacturing (RTM) in the second half of July and will be made generally available to customers on October 22, 2009. This date is almost exactly one year after Windows 7's public unveiling at Microsoft’s Professional Developers Conference 2008 last October and well before the original timeframe Microsoft had allotted for its release.
As most of you are well aware, I've been evaluating Windows 7 since last year. Actually, maybe "evaluating" isn't the right word: I've been using Windows 7 day to day on all of my production PC hardware, giving up Windows XP and Vista almost entirely, since late 2008. And in this time, I've never run into any major issues, on any of the many, many PCs with which I've used Windows 7. This has been the most uneventful OS beta in Microsoft's history, from what I can tell.
In fact, I'd go so far to say that Windows 7 has brought the NT mojo back to Microsoft's desktop OS, and in a big way. (Side note: The Server team never lost its mojo.) And this is a big deal, as any NT old-timer could tell you.
To view the rest of this article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-66729-793-12070-162433-3303378-0-0-0-1-2-207
By Paul Thurrott
Last week, Microsoft announced that Windows 7 and Windows Server 2008 R2 will be released to manufacturing (RTM) in the second half of July and will be made generally available to customers on October 22, 2009. This date is almost exactly one year after Windows 7's public unveiling at Microsoft’s Professional Developers Conference 2008 last October and well before the original timeframe Microsoft had allotted for its release.
As most of you are well aware, I've been evaluating Windows 7 since last year. Actually, maybe "evaluating" isn't the right word: I've been using Windows 7 day to day on all of my production PC hardware, giving up Windows XP and Vista almost entirely, since late 2008. And in this time, I've never run into any major issues, on any of the many, many PCs with which I've used Windows 7. This has been the most uneventful OS beta in Microsoft's history, from what I can tell.
In fact, I'd go so far to say that Windows 7 has brought the NT mojo back to Microsoft's desktop OS, and in a big way. (Side note: The Server team never lost its mojo.) And this is a big deal, as any NT old-timer could tell you.
To view the rest of this article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-66729-793-12070-162433-3303378-0-0-0-1-2-207
Subscribe to:
Posts (Atom)