Tuesday, June 17, 2014

Augusta's HORRIBLE drivers and Network Insiders

I have been having this thought circling my overly-active...for about a week now.

I was driving home from the VA hospital last week, taking one of my normal, short routes to get home. One particular stretch of the road I was on has three traffic lights all within [about] a half-mile total. These lights are, naturally!!!, timed so as to make you stop at each of the three. However, there is one exception to the stopping rule: the "I don't care/I'm more important than anyone else on the road/It's my right" attitude. At least this is what I personally believe is [at the least] a large portion of their attitude about red lights and what red lights mean.

To put it simply, as I pulled up to stop at the first of the three traffic lights, there was a fellow going the opposite direction from me who just had to make a left turn, despite the light having already changed from yellow to red. Yup, this ignorant/selfish/lazy/stupid person ran the red light. However, that's not even the worst part about the HORRIBLE drivers around this town.

Granted, Augusta, GA certainly has [much] bigger problems than schmucks running red lights. However, the interesting (and absolutely FRUSTRATING) fact here in Augusta is that at least ~90% of the red lights get run...this is my perception at least. This poses an additional need to be extra-vigilant, always watching ALL of the other lanes at an intersection and waiting at least five or ten seconds before entering the intersection (if you're the first car in your lane).

A couple of quick points on the problem:
  • The driver running the light isn't really doing anything out of the ordinary, based upon the "normal" behavior of drivers in this area
  • But they are still breaking the law, trying to sneak by the rules and sneak by any cops (if the cops would even pull them over)

A couple of quick points on possible fixes:
  • Have more cops (and make them write the tickets)
  • Have the cops learn what to watch for, especially in terms of that one 1987 Oldsmobile Cutlass that starts gunning it while still being 100' from the signal

By now, my three (if I have even that many) followers may be wondering: What in the world do the poor driving habits of people in Augusta, GA have to do with anything network related? The simple answer is: "Nothing."...Directly, that is. But some certain things stuck out the other day that reminded me of a common network problem, so let me see if I can tie these two things together.

Can we think of all of the cars on the road in the city of Augusta, GA as representing user/machine activities on a network? For instance, one car could be used to represent a user transferring a file while another car could represent standard AD replication between multiple DCs. If you can think along these lines, then I believe it will be easy for you to make the same leap that I did.

When I was thinking about all of these cars in the turn lane, I came to the conclusion that they could be placed into two distinct categories, despite any number of small, and large, differences in either the vehicle(s) or the driver(s). These two categories are: safe drivers, and unsafe drivers. Now, think about what they are doing: they are making a turn, the same turn, roughly going the same direction (although the tires of each car may not follow the exact arc of another).

Now, and my brain did this auto-magically so I might be wrong, but it's not a far leap to translate the drivers of each car into "Users." As the drivers are all driving, the "Users" are all..."using"...a network, a resource, a device, etc. This is the point in my thinking where I came to draw a correlation from the drivers making the turn to one of the biggest problems we face in network security: The Insider! So who is the insider in my analogy, and can this do ANYTHING for me, or others, in terms of finding that insider?

Who is the insider in my turning cars analogy: It's easy....it's the baby in the backseat! ...just kidding. The insider is represented in this analogy by the idiot jerk, or even JERKS, who run the red light instead of waiting for the next green light. Those that made the green, and even yellow, lights are the users performing "normal," authorized activity on the network. Maybe that driver who forces the yellow and it changes while they are still in their turn, that driver could possibly be lumped in with the jerks who just run the red light. Your call there, because I honestly don't know that it matters to my overall thinking here.

So I have told you all about the poor driving in Augusta, GA and about how I easily correlated that into network activity, especially the inside threat. Now what? Here is where my head started to hurt the other day. I wonder if an algorithm could be defined to identify those who are GOING to run the red light, before they run it...or as soon as they put more pressure on the gas pedal? If this could be done then I believe an algorithm can be created to better identify an insider threat...maybe not as early as when they are just "thinking about it" or testing their access, but at least as early as the start of that first file transfer or copying action. Thinking about this has led me to some other thoughts regarding protection from the insider (and detection?).

Budgeting for your company's security may be a difficult or even non-existent task due to financial constraints/availability. However, I wonder about some of the bigger equations and books that throw around terms like Risk, Mitigation, Return On Investment, etc. Do we not already have at least 50% of the needed functionality to start working towards identifying and/or stopping insider threats/breaches? Do we not already have at least 50% of the tools needed to turn those terms into action...to put our brain where our mouths are, so to speak?

Some questions/thoughts:
  • Can you baseline your network in terms of:
    • The average time window that each user is logged in?
      • If so, then why not block them out of all times outside of that window? Sure you may have someone stay later than usual on rare occasions, but in that instance they could conceivably call the help desk for a short logon time extension.
    • The average number of bytes each user sends [somewhere]?
      • Then users could be grouped and rules utilized for abnormal data sends.
      • For example, you baseline and find that ten of your users send less than 10MB of data via SMTP between 9:00a and 12:00p. A rule firing for 10.01MB of data transferred, or maybe even using a calculated tolerance (say, 10%?), would alert those monitoring said rules.
  • Do we really have any excuses left to not start making better usage of access controls?
    • Windows Group Policies and ACL granularity have improved a lot in the last couple of years
      • Would it be that hard to create a security group for only those allowed to access a particular file?
        • AND apply time limits
        • If it's an Office doc, the Directory Rights Management provides even more help here
    • *NIX systems support finer grained access controls
  • Implementing a two-person rule
    • I envision something akin to the User Account Control (UAC) prompt needing the credentials of an administrative user
      • As a two-person rule, the credentials would have to be of someone else who is already authorized to access the material
  • Is user training really effective against the insider?
    • NO! Absolutely NOT!
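
To make the baselining idea above concrete, here is an added example (my own sketch, not code from the original post): it learns each user's peak in-window SMTP byte count from a few constructed log records, adds the 10% tolerance the post suggests, and then flags a later day's activity that exceeds that per-user limit. The log format, user names and byte counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample records (not from the post): timestamp, user, protocol, bytes sent.
BASELINE_LOG = """\
2014-06-02T09:15:00 alice smtp 2400000
2014-06-02T10:40:00 alice smtp 3100000
2014-06-02T09:05:00 bob smtp 8000000
2014-06-02T14:00:00 bob smtp 40000000
2014-06-03T11:20:00 alice smtp 2900000
2014-06-03T10:10:00 bob smtp 7500000
"""
TODAY_LOG = """\
2014-06-17T09:30:00 alice smtp 2000000
2014-06-17T11:45:00 alice smtp 9000000
2014-06-17T10:00:00 bob smtp 7000000
2014-06-17T10:05:00 carol smtp 500000
"""
WINDOW_HOURS = (9, 12)   # 9:00a to 12:00p, the window used in the post
TOLERANCE_PCT = 10       # alert only above baseline + 10%

def parse(log):
    for line in log.splitlines():
        ts, user, proto, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, proto, int(nbytes)

def daily_totals(log, proto="smtp"):
    """Bytes per (user, date) sent over `proto` inside the hour window."""
    totals = defaultdict(int)
    for ts, user, p, n in parse(log):
        if p == proto and WINDOW_HOURS[0] <= ts.hour < WINDOW_HOURS[1]:
            totals[(user, ts.date())] += n
    return totals

def baseline(log):
    """Per-user limit: largest in-window daily total seen, plus tolerance (integer math, no float rounding)."""
    peak = defaultdict(int)
    for (user, _), n in daily_totals(log).items():
        peak[user] = max(peak[user], n)
    return {u: n * (100 + TOLERANCE_PCT) // 100 for u, n in peak.items()}

def alerts(baseline_log, today_log):
    """Return (user, reason) pairs for today's activity that breaks its baseline."""
    limits = baseline(baseline_log)
    found = []
    for (user, _), n in daily_totals(today_log).items():
        if user not in limits:
            found.append((user, "no baseline"))   # never seen sending: review, not block
        elif n > limits[user]:
            found.append((user, f"{n} bytes > {limits[user]}"))
    return found
```

Bob's 14:00 transfer is ignored because it falls outside the window, so his limit comes from the 9:00a-12:00p totals only; a user with no baseline at all is surfaced for review rather than silently passed.
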

I cannot be the first one to have any of these thoughts or to present any of these questions. I wouldn't be surprised if these thoughts and questions had been floating around the security nerd cubicles for the past 20 years. I wonder though, are we, people in general, getting more and more complacent about what we do, and about what we see our office mates do?