The Case Study of Acme Widgets Inc.
In this report, I describe the mistakes made by Acme Widgets Inc. that allowed Darth to attack the company and completely take over its entire systems and network. Furthermore, I have developed and analyzed a new policy that can be implemented by Acme Widgets Inc., or by any other company, to prevent this kind of attack and other attacks on its network.
Keywords: Firewall, IDS, DMZ, Network Architecture, Network Policy.
1. INTRODUCTION
The type of equipment, Operating System (OS), network design and architecture, software, policies and practices that an organization implements determine the strength of its entire network and its level of vulnerability. Many mistakes were found on the Acme Widgets Inc. network, ranging from the architecture of the network to its configuration and to the ethics and policies it follows. These led to the company being attacked by an angry customer who decided to take revenge on it.
This report explains in detail the various mistakes made and what could be done to counteract or protect against a similar situation. Section two gives the mistakes that were found on Acme Widgets' network; section three gives the new policy that is recommended and provides countermeasures against the mistakes and the attack made. Section four concludes this report, and section five contains my acknowledgements.
2. MISTAKES FOUND ON NETWORK
2.1 Mistakes in Network Architecture
- There was a clueless system/user on the company's network. It was mainly the clueless user's PC that gave Darth (the attacker) the first and vital access to the company's network.
- Apart from the main firewall and the DMZ created to protect the internal network, the network architecture did not have any internal firewall or DMZ that could block attacks. The network should have had internal firewalls/IDS configured to block attacks. This can also be achieved by installing on the systems antivirus software that has a built-in firewall and IDS/IPS. Darth would not have had a successful network scan if there had been IDS/firewalls located on the internal network.
- The company's Management Console and internal DNS were placed in the same VLAN as the other users' workstations. This makes these systems prone to attack and is one of the reasons Darth was able to take control of the entire network.
- A switch was used in the construction of the Internet DMZ, which is not a good architectural implementation and design.
- There were configuration problems in the firewall/IDS that Acme uses, because a well configured IDS and firewall will detect and prevent attacks, especially in this case, where Darth stayed on the network for a very long time without being detected.
- The network and some systems were not well configured, as there were open ports (well-known ports) and Internet-accessible systems on the network. A well configured network should not have open ports, especially the well-known ports.
- There was a plain old modem on the network, which gave Darth access when he used the war dialer THC-Scan to dial a range of telephone numbers he found for Acme.
- Darth got a nudge response from the old modem and discovered that Acme runs a PC Anywhere (PCA) server, while he had a PCA client on his own computer. He got easy access through this system (the clueless workstation).
- The PCA server was placed on the clueless system and was configured with no required username and password. Darth dialed in, got a response and a connection to the PCA server without being prompted for any username or password. This was a simple vulnerability that gave Darth easy access.
- There was an old Windows NT system on the network, which did not meet current Operating System requirements and did not measure up to the OS installed on the other workstations.
- The attacker was able to install the Back Orifice 2000 server, which is a Trojan horse backdoor. This was not detected or prevented by the installed antivirus program and was allowed to function and spread.
- Darth was able to disable the antivirus program installed on the system. A good antivirus program would not have been disabled, or would automatically re-enable itself. There should also be a required password to uninstall or disable the antivirus.
- For the attacker to achieve his aim, most of the systems on the network must have been running with administrative rights; otherwise the attacker would not have been able to achieve all he did. He was able to install many programs that run better with administrative privileges.
- The network administrator made the mistake of entering a username and password twice. He should have noticed that unusual event and could have traced it.
- There was also a weak internal DNS server running an old version of BIND with a buffer overflow vulnerability.
- The Internet firewall was configured to allow incoming and outgoing HTTP traffic without the administrator checking the traffic and firewall logs on a regular basis.
- There were too many telnet sessions going on at the same time, which gave access to the attacker and would make it difficult for the network administrator to monitor or trace all the telnet sessions going on at once.
- A web server should not have been placed on the firewall, and since it was put on the firewall, the login screen should have been designed with the company logo or some kind of trademark to help identify the legitimate log-on screen from fake login screens.
2.2 Mistakes in other parts: Configuration, Policy and Ethics
The firewall administrator suspected a network problem but said it "must have been a network congestion or a bug," then entered her administrator username and password a second time. This should have prompted the firewall administrator to inspect and check all necessary installations, configurations and functions of the entire network, servers and workstations.
3. NEW NETWORK POLICY
This section describes a new network policy for Acme Widgets Inc. Adopting this complete policy aims at the detection and prevention of, and the protection of the company network against, similar attacks and probably some other types of attack.
3.1 Architecture of the Network
Under no circumstances should there be a clueless workstation or user in the company's network. All computers, network elements and users must be identified.
All DMZs/firewalls must be implemented with routers and never with switches. There must be Internet and internal DMZs/firewalls protecting the network at all times, and the firewall administrators must carry out routine checks on all firewalls/DMZs as well as on other network equipment.
Vital company computer systems such as the Management Console, Financial Systems, the MD's system, the DMD's system, the internal DNS and other servers must have their own VLANs and must be protected by internal firewalls/DMZs.
Modems should not be used in the configuration or building of the network, but when one must be used, strict measures must be implemented. It must be configured to dial only specific numbers, and when not in use it must be shut off so that it cannot be dialed into. Open ports must be avoided on the entire network, and if one or two ports must be left open, there should be monitoring and a firewall that inspects and reports activity on them.
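The architecture rules in this section can be checked automatically against a host inventory. The following is an added example, not part of the original report: it audits a constructed inventory (hypothetical host names, VLANs and ports) for the Section 3.1 rules, which are unidentified workstations, vital systems sharing a VLAN, unmonitored well-known ports and modems without a dial allow-list.

```python
"""Added example (not from the report): audit a constructed host inventory
against the Section 3.1 architecture policy."""
from dataclasses import dataclass, field

WELL_KNOWN_PORT_MAX = 1023          # ports 0-1023 are the "well-known" range
VITAL_ROLES = {"management-console", "internal-dns", "financial", "md", "dmd"}


@dataclass
class Host:
    name: str
    owner: str                      # "" means an unidentified (clueless) workstation
    vlan: str
    role: str = "workstation"
    open_ports: list = field(default_factory=list)
    monitored: bool = False         # firewall/IDS inspects and reports its traffic
    has_modem: bool = False
    modem_allowlist: list = field(default_factory=list)   # numbers it may dial


def check_host(host, vlan_census):
    """Return the policy violations for one host; an empty list means compliant."""
    issues = []
    if not host.owner:
        issues.append("unidentified (clueless) workstation")
    if host.role in VITAL_ROLES and vlan_census.get(host.vlan, 0) > 1:
        issues.append(f"vital system shares VLAN {host.vlan} with other hosts")
    open_wk = [p for p in host.open_ports if p <= WELL_KNOWN_PORT_MAX]
    if open_wk and not host.monitored:
        issues.append(f"unmonitored well-known ports open: {open_wk}")
    if host.has_modem and not host.modem_allowlist:
        issues.append("modem present without dial allow-list")
    return issues


def audit(inventory):
    """Map each non-compliant host name to its list of violations."""
    census = {}
    for h in inventory:
        census[h.vlan] = census.get(h.vlan, 0) + 1
    report = {}
    for h in inventory:
        issues = check_host(h, census)
        if issues:
            report[h.name] = issues
    return report


# Constructed sample inventory mirroring the mistakes listed in Section 2.1.
SAMPLE = [
    Host("ws-17", owner="", vlan="users", open_ports=[23], has_modem=True),
    Host("mgmt-console", owner="it-ops", vlan="users", role="management-console"),
    Host("dns-int", owner="it-ops", vlan="users", role="internal-dns",
         open_ports=[53], monitored=True),
    Host("ws-02", owner="j.doe", vlan="users", open_ports=[49152]),
]
```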
3.2 Operating System Policy and Patches
A policy of standardizing on the latest OS for all computer systems and network elements must be adopted. The OS must be of a type that is certified to implement good and tight system and network security. The OS should be frequently updated with the available OS updates and other relevant OS/software patches. Any system left unpatched is open to vulnerabilities which could lead to attacks or virus/malware infections.
All systems must be configured with the automatic download and installation of update options, while users and administrators must also ensure these options function effectively and that no user disables them.
3.3 Authorization and Authentication Policy
All users, computer systems and logins must pass the authorization and authentication policy laid down by the company, and the administrators must ensure that this policy is implemented properly and that everyone passes it. On no account should a user be requested to enter the same username and password more than once; if this occurs, the affected person should not re-enter the details and should report the incident immediately, and the administrator should change the login details.
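The "entered twice" rule above can also be watched for on the server side. This is an added example, not from the original report: it scans constructed authentication log lines (a hypothetical `user=... event=... src=...` format) and flags a user whose credentials are accepted twice from the same source within a short window, which is the event the firewall administrator dismissed as congestion or a bug.

```python
"""Added example (not from the report): flag repeated successful logins by the
same user from the same source within a short window."""
import re
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> user=<name> event=<event> src=<ip>"
LINE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")
WINDOW = timedelta(seconds=60)


def parse(line):
    """Return (timestamp, user, event, src) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, event, src = m.groups()
    return datetime.fromisoformat(ts), user, event, src


def find_double_logins(lines, window=WINDOW):
    """Return (user, src, first_ts, second_ts) for every success that follows
    another success by the same user from the same source within `window`."""
    last_ok = {}            # (user, src) -> time of the most recent login_ok
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue        # skip lines that do not match the format
        ts, user, event, src = rec
        if event != "login_ok":
            continue
        key = (user, src)
        prev = last_ok.get(key)
        if prev is not None and ts - prev <= window:
            alerts.append((user, src, prev.isoformat(), ts.isoformat()))
        last_ok[key] = ts
    return alerts


# Constructed sample log: fwadmin's password is accepted twice 29 seconds apart.
SAMPLE_LOG = """\
2007-03-12T09:14:02 user=fwadmin event=login_ok src=10.0.5.21
2007-03-12T09:14:31 user=fwadmin event=login_ok src=10.0.5.21
2007-03-12T09:20:00 user=jdoe event=login_fail src=10.0.5.40
2007-03-12T09:20:09 user=jdoe event=login_ok src=10.0.5.40
2007-03-12T11:00:00 user=fwadmin event=login_ok src=10.0.5.21
this line is not in the expected format
""".splitlines()
```

A hit should be treated as the report's policy says: the user stops, reports it, and the administrator changes the login details.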
3.4 Encryption Policy
In line with industry standards and best practices, every combination of username and password supplied at any point in time must be encrypted; it must not be transmitted in plain text. No username and password must be left unencrypted or transmitted in plain text, whether on the internal network, the intranet or the Internet. A strong and reliable encryption algorithm must be selected so that decryption by an attacker is not feasible.
3.5 Logins, Privileges and Access Rights
All staff logins within the network and outgoing must be identified by usernames that are a combination of the staff member's real names. This will aid in identifying staff and in noticing illegal login attempts. There should also be passwords for everyone and a laid-down routine/policy on when and how to change passwords, which the administrators must enforce.
Staff must have ordinary 'User' rights and not 'Power User' or 'Administrator' rights. Giving staff Administrator or Power User rights gives them privileges such as modifying, installing, uninstalling and configuring software, which can harm the systems/network. If an attacker gains access under an ordinary User right, he would be limited and would not be able to achieve his aim.
3.6 Choice of Antivirus and Anti-Malware
There are various viruses, Trojan horses, spyware and other malware which spread and usually aid or lead to successful attacks. These and other exploitable vulnerabilities must be adequately prevented and protected against. In order to achieve this aim, the company network and systems must have very reliable antivirus and anti-malware software.
The company should purchase, install and configure strong antivirus and anti-malware software to detect and prevent attacks and protect the computers and other network elements. The antivirus and anti-malware software must have automatic updates from the vendor's server, IDS/IPS and firewall capabilities, and more, to protect against all kinds of attack.
4. CONCLUSION
This report gives the details of the mistakes made by Acme Widgets Inc. that allowed Darth to achieve his aim of attacking the company's network. The mistakes were enumerated, ranging from the network architecture to ethics, configuration and policy mistakes. A new policy was described that, if implemented, aims at the prevention of attacks and the protection of the company's network. The policy can also be adopted and implemented by other related companies.
5. ACKNOWLEDGEMENTS
Special thanks to the teacher, Fredrik Erlandsson, for taking the good course and for allowing me to upgrade the course from C-Level to D-Level by completing this special assignment. My gratitude to the entire Blekinge Institute of Technology as well.