Unauthorized access

Unauthorized access to data through the compromising of computer security is also known as hacking. Ideally any organization should have some kind of incident response plan to deal with hacking incidents, but recent research shows that many do not. Moreover, the threat of hacking by insiders is far more serious to organizations than the threat from outsiders, and the potential for damage from this threat is higher today than it has ever been.

Internal and external unauthorized access

Computer security specialists normally distinguish between internal and external network attacks. This is because intruder profiles, methods of attack and intruder objectives can vary significantly between internal and external attacks.

External attacks

Attacks where the intruder has no privileges on the target network, and either gains access from outside the network perimeter (usually the firewall) or evades or undermines the target’s physical and/or network security measures to achieve some degree of access to the target’s internal network. External attacks can also be made from within the internal network, using the target’s own computers; this is often done with the active or passive collusion of members of the target’s own staff. If the ultimate initiator of the attack is someone holding no legitimate privileges on the network, it is still considered an external attack.

External attack techniques

There are many ways of compromising a computer network from the outside:

  • Access through weak, stolen or lost credentials – the most common form of attack
  • Access through malware infection – This is also a common mode of attack. A user activates a “Trojan Horse” program or other kind of malware, intentionally or unintentionally, that opens access to their network.
  • Access through compromise of remote access systems – Making use of the target’s own remote access connections.
  • Compromised third-party access – Instead of hacking the target, the attacker hacks an individual or organization known to have access to the target’s systems.
  • Access through physical penetration – Gaining access to computer networks by actually entering the target’s premises.
  • Access through modem dial-up – Some organizations still maintain dial-in connections for legacy systems. These can be very insecure.
  • Unauthorized access with co-operation of the organization’s staff – By threatening or subverting members of staff or placing confederates on the staff of the target organization.
  • Access through wireless systems – Wireless (Wi-Fi) connections are particularly problematic as they can be difficult to set up securely, can be cheaply set up on networks by users without the knowledge of IT staff, and if compromised can provide direct access to internal systems, bypassing network perimeter security.
  • Direct penetration through perimeter systems – Perhaps the most difficult and least common approach.

Internal attacks

Attacks where the intruder has legitimate privileges on the target network. Access is obtained using existing privileges, privileges the intruder has extended without permission, or privileges stolen from other users. The objective of the intrusion is to gain access to data and resources to which the intruder is not authorized. Internal attacks are typically far more common than external ones.

Internal attack techniques

“Insiders” already have credentials and privileges on the target network, and have direct access to systems and computers inside the network’s secure perimeter. Insiders usually have more time and opportunity to discover how to gain access to restricted systems and directories. They are also more likely to know which computers contain the material of most value to them:

  • Unauthorized access by IT personnel – In organizations a disproportionate amount of unauthorized access is carried out by members of the IT staff, largely because they are most likely to have high-level computer security privileges.
  • Unauthorized access by non-IT staff with high-level privileges – Non-IT users should not, generally, have high-level network security privileges, but we occasionally find cases where this has happened. In other cases we have seen non-IT users obtain these privileges through hacking, persuasion, bribery, threats or outright theft.
  • Access through theft of other users’ credentials – Some ordinary users are given access to systems restricted to others. It is not uncommon to find such credentials stolen from their holders, or even voluntarily shared by them.
  • Access to inadequately secured systems – Some sensitive systems are simply not given sufficient protection, and can be straightforwardly compromised by intruders without high-level privileges.

Mitigation

External attacks

With external attacks it is often very difficult to take legal action against an intruder, so the priority must be as follows:

  • Identify and secure affected systems – if necessary by powering systems down.
  • Identify the point of intrusion and close it off – if necessary by powering systems down.
  • Sweep affected systems for backdoor software or rootkits. If it is not certain that all have been cleared, restore affected systems from backups.
  • Preserve all key log files on computers, firewalls and other network devices.
  • Change all passwords and other credentials – prioritizing administrative and high-privilege accounts, including those assigned to services such as the backup system.
  • Check security patch status of all systems and patch all deficient computers to current.

Internal attacks

Internal attacks are more difficult to control, as the intruder cannot be shut out at the network perimeter, and may be in possession of legitimate network privileges.

  • Identify and secure affected systems – if necessary by powering systems down or isolating systems.
  • Disable any user accounts suspected of hacking, or of having been compromised.
  • Create computer forensic images of key affected systems. These will be necessary to identify the source of any internal intrusion and to take legal action afterwards.
  • Preserve all key log files on computers, firewalls and other network devices.
  • Enhance physical security measures. Ensure no trespassers are present on organization premises.
  • Sweep affected systems for backdoor software or rootkits. If it is not certain that all have been cleared, restore affected systems from backups.
  • Change all passwords and other credentials – prioritizing administrative and high-privilege accounts, including those assigned to services such as the backup system.
  • Check security patch status of all systems and patch all deficient computers to current.
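The log-preservation step in both mitigation lists (and the forensic-image step for internal attacks, where the evidence may later support legal action) is only useful if the preserved copies can be shown not to have changed since collection. The POSIX shell script below is an added example and is not part of the original article: it copies log files into a read-only evidence directory, records a SHA-256 manifest in `sha256sum -c` format, and re-verifies the copies against that manifest. The source and evidence paths, and the sample auth and firewall log lines, are constructed for the demonstration and are assumptions rather than anything from the article.

```shell
#!/bin/sh
# Added example, not from the original article: preserve log files into an
# evidence directory with a SHA-256 manifest so later tampering is detectable.
# Source/evidence paths and the sample log lines below are constructed.
set -e

# Hash one file with whichever tool is present (coreutils sha256sum, else shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_logs SRC_DIR EVIDENCE_DIR
# Copies every regular file under SRC_DIR (keeping timestamps and modes)
# into EVIDENCE_DIR/files, makes the copies read-only, and appends
# "<sha256>  <relative path>" to EVIDENCE_DIR/MANIFEST.sha256.
# Prints the number of files preserved.
preserve_logs() {
    src=${1%/}
    dst=$2
    manifest="$dst/MANIFEST.sha256"
    mkdir -p "$dst/files"
    : > "$manifest"
    find "$src" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/files/$(dirname "$rel")"
        cp -p "$f" "$dst/files/$rel"
        chmod a-w "$dst/files/$rel"
        printf '%s  %s\n' "$(hash_file "$dst/files/$rel")" "$rel" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# verify_logs EVIDENCE_DIR
# Re-hashes every preserved copy against the manifest. Returns 0 when all
# hashes match, 1 when any copy has been altered or is missing.
verify_logs() {
    dst=$1
    status=0
    while read -r expected rel; do
        if [ ! -f "$dst/files/$rel" ] || [ "$(hash_file "$dst/files/$rel")" != "$expected" ]; then
            printf 'MISMATCH: %s\n' "$rel" >&2
            status=1
        fi
    done < "$dst/MANIFEST.sha256"
    return $status
}

# Demonstration on constructed data: two sample log files, one in a subdirectory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/sub"
printf '%s\n' \
  'Jan 12 03:14:01 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2' \
  'Jan 12 03:14:05 host1 sshd[2210]: Accepted password for backup from 203.0.113.7 port 51240 ssh2' \
  > "$demo_dir/src/auth.log"
printf '%s\n' \
  'Jan 12 03:15:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389' \
  > "$demo_dir/src/sub/firewall.log"
n=$(preserve_logs "$demo_dir/src" "$demo_dir/evidence")
echo "preserved $n files; manifest:"
cat "$demo_dir/evidence/MANIFEST.sha256"
verify_logs "$demo_dir/evidence" && echo "integrity check: OK"
rm -rf "$demo_dir"
```

The manifest uses the two-space separator that `sha256sum -c MANIFEST.sha256` expects when run from the `files` directory, so a third party can re-check the evidence without this script. The hashes themselves should be recorded somewhere the intruder cannot reach (printed, or written to removable media), since a manifest stored beside the copies only detects accidental modification, not an attacker who can rewrite both.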