The Bad Guys Are in the House
By J.F. Rice
September 21, 2011 — Computerworld — Last Friday, as I was tying up loose ends at the office, preparing to wind down in anticipation of the weekend, I made a terrifying discovery.
It started with an IDS alert, and ended up when I discovered a problem on one of my company's firewalls -- a serious problem.
One of the things I've been working on recently is building a new network intrusion-detection system (IDS). It's been on my security road map for a while now, but our new budget constraints have made it hard to keep the project moving forward. To get my IDS sensors deployed has required a combination of scare tactics (which I hate to use, but desperate times call for desperate measures), outsourcing and old-fashioned, do-it-yourself resolve. For the past several weeks, I've been gradually making progress. The IDS sensors are in place, reporting to a security incident and event management (SIEM) system that correlates all the alerts along with log entries from network devices and servers, antivirus systems and other technologies. It's a pretty cool system, and having been done on the cheap, it provides great bang for the buck.
So, on this Friday afternoon, I was sorting through the alerts being generated by the new system when I ran across something odd: a large number of remote desktop connections from the Internet into some computers on our internal network. In his Aug. 22 Security Manager's Journal, Mathias Thurman referred to remote desktop as "probably the top method for unauthorized access." It's certainly not something I expected to see coming from the Internet. At first, I thought it must be a false positive, or maybe it was just a poorly designed access method for some remote vendor. In short, I didn't believe this could actually be happening.
But on closer inspection, it turned out that those remote desktop connections were all originating from another country -- one that is, shall we say, less than friendly with the U.S. A country that recently made headlines with state-sponsored network attacks against some famous U.S. companies. A country that now appeared to be connecting to my company's computers!
Well, that was the last thing I wanted to see on a Friday afternoon. But there was no way I could leave without knowing exactly what was going on. I cornered the network admin. (In my company, firewalls are considered part of the network plumbing and as such, they are managed by the network team.) I told him I needed to see the policy configuration on the firewall in front of those systems. Within seconds, he produced the requested information, and even though I thought I was prepared for the worst, I was physically shocked at the result.