Li Zonghan/Deputy Editor-in-chief of iThome
This year's Data Security Summit covered more ground than ever. The topic that left the deepest impression on me was the management and control of insider threats. On the last day, two sessions focused on it: "Data security: the perfect combination after rounds of attack and defense" by FineArt data security consultant Chen Boyu, and "External thieves are easily blocked, internal thieves are hard to defend against: the blind spots of insider threat management seen through the Snowden case" by Yang Boyu, chairman of the Taiwan branch of the International Industry Security Association.
Chen Boyu began with the impact and sources of insider threats, then demonstrated intrusion at three levels. He first surveyed the devices that can be used to steal data from, or break into, an internal environment. He then plugged a Teensy USB development board into a test computer and programmed it to present itself as a USB keyboard. Because the operating system believes that only a keyboard has been connected, the device slips past peripheral controls that merely disable USB storage, yet what it "types" can be anything, including PowerShell and WMIC (WMI command-line) commands.
With the USB Rubber Ducky payload scripts ported to the Teensy, a wide range of malicious actions can be executed this way. Physical infiltration through human interface devices (HID) is therefore a tactic to keep on guard against.
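The defensive check that follows from this demo is to know which keyboards a workstation is supposed to have. As an added example that is not part of the summit talk or this article, the PowerShell audit below enumerates keyboard-class devices, flags any USB keyboard whose vendor and product ID is not on an allowlist, and warns when more than one USB keyboard is attached at once (a Teensy typing alongside the real keyboard). The allowlist entries are placeholders (assumption), and the Security event 6416 lookup only returns results where the "Audit PNP Activity" subcategory is enabled.

```powershell
# Added example, not part of the iThome article or Chen Boyu's talk.
# Audits keyboard-class devices for unexpected HID hardware (Teensy, Rubber Ducky, ...).
# Requires Windows 10 / Server 2016 or later (Get-PnpDevice ships in the PnpDevice module).

# Allowlist of VID:PID pairs for the keyboards the organisation actually issues.
# Placeholder values (assumption) - replace with your own hardware inventory.
$ApprovedKeyboards = @(
    '046D:C31C',   # assumption: a Logitech wired keyboard
    '045E:0750'    # assumption: a Microsoft wired keyboard
)

function Get-KeyboardReport {
    # Every present device in the Keyboard class, including HID composite interfaces.
    # USB HID keyboards carry VID_xxxx&PID_xxxx in their instance ID; PS/2 (ACPI) and
    # Bluetooth keyboards do not, so they are labelled 'other' and not allowlist-checked.
    $keyboards = Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue
    foreach ($dev in $keyboards) {
        $vidpid = 'n/a'
        $bus    = 'other'
        if ($dev.InstanceId -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
            $vidpid = ('{0}:{1}' -f $Matches[1], $Matches[2]).ToUpper()
            $bus    = 'usb'
        }
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            InstanceId   = $dev.InstanceId
            Bus          = $bus
            VidPid       = $vidpid
            Approved     = ($bus -ne 'usb') -or ($ApprovedKeyboards -contains $vidpid)
        }
    }
}

$report = @(Get-KeyboardReport)
$report | Format-Table FriendlyName, Bus, VidPid, Approved -AutoSize

$usbKeyboards = @($report | Where-Object { $_.Bus -eq 'usb' })
$suspects     = @($report | Where-Object { -not $_.Approved })

if ($suspects.Count -gt 0) {
    Write-Warning ("{0} keyboard-class device(s) outside the allowlist: {1}" -f `
        $suspects.Count, (($suspects | ForEach-Object { $_.VidPid }) -join ', '))
}
if ($usbKeyboards.Count -gt 1) {
    # A workstation normally has one keyboard; a second one appearing while the user
    # is logged on is the typical footprint of a keystroke-injection device.
    Write-Warning ("{0} USB keyboards present at the same time" -f $usbKeyboards.Count)
}

# Correlate with Security event 6416 ("A new external device was recognized by the System"),
# written only when the 'Audit PNP Activity' audit subcategory is turned on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Two caveats a practitioner should keep in mind: a Teensy can be programmed to report any VID and PID, so an allowlist is a detection aid, not a barrier; the enforcing control is the Group Policy device installation restriction ("Prevent installation of devices not described by other policy settings" plus an allow rule for approved hardware IDs). And since the payload is just keystrokes, PowerShell script block logging and command-line process auditing are what will show what the "keyboard" actually typed.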
In his second example he turned to the possibility of breaking out of a virtual desktop infrastructure (VDI) environment, in which desktops and applications are virtualized. In theory, a user of such an environment can run only a limited set of published applications and cannot touch the operating system or desktop behind them. In practice, the isolation still leaves openings in the operating system and the applications themselves, and this tactic deserves particular attention.
For example, Microsoft Office applications run the Office VBA code embedded in a file when that file is opened. A DOC or DOCX file can therefore be prepared on another computer with embedded code that reaches down to the operating system, for instance by launching cmd.exe. When the user logs on to the enterprise VDI environment, starts Word and opens that file, a command prompt appears and the user can carry out actions the environment was never meant to permit.
Another scenario involves Windows Sticky Keys, an accessibility feature that lets the modifier keys (Shift, Ctrl, Alt and Windows) stay active after being pressed. Pressing Shift five times pops up a dialog asking whether to enable the feature.
In a VDI environment, however, that dialog turns any published application with a Windows graphical interface into a door to the operating system underneath: the dialog leads into the system's control console, and from there a path typed into the address field jumps to any folder on the virtual machine's disk and opens Windows Explorer, which is exactly the part of the system an ordinary user is not supposed to reach.
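Both VDI break-outs described above (VBA code launching cmd.exe, and the Sticky Keys dialog leading to Explorer) rest on per-user Windows and Office settings that can be audited. As an added example that is not from the talk or this article, the PowerShell script below checks, and with -Fix sets, the documented policy values: Word VBA macros restricted to digitally signed code and blocked in files marked as coming from the Internet, the Sticky Keys hotkey bit cleared, cmd.exe disabled, and Explorer's drive browsing restricted. The Office version (16.0) and the recommended values are assumptions to tune for the VDI image in use.

```powershell
# Added example, not part of the iThome article or Chen Boyu's talk.
# Audits (and with -Fix, sets) the per-user policies behind the VBA and Sticky Keys
# break-outs described above. Run inside the VDI session as the user, or push the same
# values through Group Policy for the whole fleet.
# Assumption: Office 16.0 (2016/2019/365) policy paths; change '16.0' for other versions.
param([switch]$Fix)

function Test-PolicyValue {
    # Compares one DWORD policy value against the wanted setting; with -Fix, writes it.
    param([string]$Name, [string]$Path, [string]$Key, [int]$Want)
    $item    = Get-ItemProperty -Path $Path -Name $Key -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [int]$item.$Key } else { $null }
    $ok      = ($current -eq $Want)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Key -Value $Want -PropertyType DWord -Force | Out-Null
        $current = $Want; $ok = $true
    }
    [pscustomobject]@{ Check = $Name; Current = $current; Want = $Want; Ok = $ok }
}

function Test-StickyKeysHotkey {
    # Flags is a REG_SZ decimal bitmask; bit 0x4 (SKF_HOTKEYACTIVE) is what makes
    # five presses of Shift raise the Sticky Keys dialog. 510 is the Windows default.
    $path  = 'HKCU:\Control Panel\Accessibility\StickyKeys'
    $raw   = (Get-ItemProperty -Path $path -Name Flags -ErrorAction SilentlyContinue).Flags
    $flags = if ($raw) { [int]$raw } else { 510 }
    $want  = $flags -band (-bnot 4)
    $ok    = ($flags -band 4) -eq 0
    if (-not $ok -and $Fix) {
        Set-ItemProperty -Path $path -Name Flags -Value ([string]$want)
        $flags = $want; $ok = $true
    }
    [pscustomobject]@{ Check = 'Sticky Keys hotkey (Shift x5) disabled'; Current = $flags; Want = $want; Ok = $ok }
}

$office  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$results = @(
    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification
    Test-PolicyValue -Name 'Word VBA: only signed macros run' -Path $office -Key 'VBAWarnings' -Want 3
    Test-PolicyValue -Name 'Word VBA: block macros in Internet files' -Path $office -Key 'blockcontentexecutionfrominternet' -Want 1
    # DisableCMD: 1 = block cmd.exe and .bat/.cmd scripts, 2 = block interactive cmd.exe only
    Test-PolicyValue -Name 'Command prompt disabled' -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' -Key 'DisableCMD' -Want 1
    # NoViewOnDrive: bitmask of drive letters (A=1, B=2, C=4, ...); 0x03FFFFFF restricts all
    # drives in Explorer and common file dialogs, the path the Sticky Keys browse-out uses
    Test-PolicyValue -Name 'Explorer: drives not browsable' -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Key 'NoViewOnDrive' -Want 0x03FFFFFF
    Test-StickyKeysHotkey
)

$results | Format-Table Check, Current, Want, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more VDI hardening settings are missing (re-run with -Fix to apply them).'
}
```

Two points on the design: the "block macros from the Internet" setting only bites on files carrying a Mark-of-the-Web, and a document copied in from another computer over a share may not have one, so in the scenario above it is the signed-only setting that actually stops the payload. And registry policies are a floor, not the ceiling: DisableCMD does nothing about PowerShell or WMIC, so an application allowlist (AppLocker or WDAC) that limits what a published desktop may launch is the control that closes both demos at once.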
In the third demonstration, Chen Boyu showed how an employee whose computer is monitored by the company can still capture the screen as images and walk away with secrets that must not leave: a display adapter cable with a built-in memory card, inserted between the computer and its monitor, records the video signal, and nothing running on the monitored computer sees it happen.
Yang Boyu used the Snowden case to describe the confusion in today's security management. He called on all sides to weigh advantages and disadvantages comprehensively, starting from the sources of threat and the harm they could do, and to decide on measures on that basis rather than sorting people into friend and foe by stereotype. The lesson of the Snowden case is to stop underestimating insider threats and to be far more careful when trading security for efficiency; otherwise the efficiency gains and cost savings may be paid for with a security bill beyond imagination.
The source of such a disaster may be a subordinate or colleague you trust deeply. That person may act out of a grievance, or may be exploited by others without knowing the truth, and either way the damage to trust within the enterprise is severe.
Source: iThome / https://www.ithome.com.tw/voice/121987