Tuesday, July 3, 2012

To (Almost) Catch A Hacker (By Accident)

About eight or so years ago I was providing support at a small upstart company here in the DFW metroplex. The business was growing pretty rapidly and had a pretty sophisticated network that was segmented by department, several servers of mixed flavors, used AD for user management, enterprise-level "traffic control" with Cisco equipment, and all wired. It was a sweet setup. They had wisely spent some money on doing their network right and had plenty of room to grow. This was before Sarbanes-Oxley, when smaller companies first started thinking about security, but it was implemented half-assed if at all. When they decided the time had come to add a shipping department, someone had cobbled together a small wireless network using SOHO equipment, and that's where the problems began.

One day my co-worker and I decided to check some things out in shipping. They had been complaining about dropped connections and printer issues, nothing out of the ordinary. The router usually needed a quick reboot, and printer problems usually revolved around ink, user, or driver issues. No big deal. Everything was running smoothly, no issues from other departments, so we decided to go in tandem and resolve them.

Normally someone would perform a quick reboot of the router to get the connection back. Sometimes the employees would do this as well, but lately they had been pushing for a better router. My co-worker decided to log in to the router and check it out while I dealt with a low ink cartridge. While "in" the router, my co-worker called me over to have a look. There were two wireless clients on this particular segment connected at all times. Always. Now there were three. Houston, we have a problem.

After verifying that the employees were not using an unauthorized machine, we went outside. In an adjacent parking lot, which was always empty, sat a lone car with someone in it. As we approached the car, it drove off and disappeared quickly. We checked the router again, and the connection count was back to two. The network had been compromised.

Luckily, the new segment didn't have system-wide access. After viewing router and server logs, we were able to determine that nothing of any value had been compromised. We caught him in the act. But back then there was really nothing we could do except secure that router and upgrade it. Today it would be a different story. It taught us some important lessons that stick with me today:

  • No target is too small.
  • Always thoroughly secure a wireless device.
  • Don't become passive with seemingly unimportant or temporary setups.
  • Log into ALL network equipment and read logs regularly.
  • Don't use cheap equipment for enterprise purposes.
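The thing that caught the intruder above was a known baseline: two clients belonged on that segment, and a third showed up. The following is an added example, not code from the original post, of turning that habit into a repeatable check. It assumes the router's wireless client table has been copied out as text lines of "MAC, IP, hostname" (a constructed layout; real SOHO firmware formats vary) and that the defender keeps an allowlist of the MACs that belong on the segment. The MACs and hostnames are constructed sample values.

```python
"""Baseline check for wireless client associations.

Added example, not from the original post. Assumes a client table exported
as text lines of "MAC  IP  hostname" (constructed format) and a defender-
maintained allowlist of MACs that belong on the segment.
"""
import re
from typing import Dict, List

# Constructed allowlist: the two shipping machines that should be the only
# clients ever associated with this segment.
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": "ship-pc-1",
    "00:11:22:33:44:66": "ship-label-printer",
}

# Constructed sample of a router's client table. Vendors print MACs in
# several styles; the third row is the unexpected association.
SAMPLE_CLIENT_TABLE = """\
MAC Address        IP Address     Hostname
00:11:22:33:44:55  192.168.10.20  SHIP-PC-1
00-11-22-33-44-66  192.168.10.21  LABELPRINTER
a4:5e:60:01:02:03  192.168.10.57  *
"""

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(raw: str) -> str:
    """Canonicalize a MAC to lowercase, colon-separated form."""
    if not _MAC_RE.match(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    return raw.replace("-", ":").lower()


def parse_client_table(text: str) -> Dict[str, Dict[str, str]]:
    """Return {mac: {"ip": ..., "hostname": ...}} from the table text.

    Header and blank lines (first token is not a MAC) are skipped.
    """
    clients: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not _MAC_RE.match(parts[0]):
            continue
        mac = normalize_mac(parts[0])
        clients[mac] = {
            "ip": parts[1],
            "hostname": parts[2] if len(parts) > 2 else "",
        }
    return clients


def find_unknown_clients(table_text: str, allowlist=KNOWN_CLIENTS) -> List[str]:
    """MACs present in the router's table but absent from the allowlist."""
    seen = parse_client_table(table_text)
    return sorted(mac for mac in seen if mac not in allowlist)


def check_segment(table_text: str, allowlist=KNOWN_CLIENTS) -> List[str]:
    """Produce alert strings: one per unknown MAC, plus a note when the
    association count differs from the baseline (catches a missing known
    client as well as an extra one)."""
    seen = parse_client_table(table_text)
    alerts = []
    for mac in find_unknown_clients(table_text, allowlist):
        info = seen[mac]
        alerts.append(
            f"UNKNOWN CLIENT {mac} ip={info['ip']} host={info['hostname'] or '?'}"
        )
    if len(seen) != len(allowlist):
        alerts.append(f"ASSOCIATION COUNT {len(seen)} != baseline {len(allowlist)}")
    return alerts


if __name__ == "__main__":
    for alert in check_segment(SAMPLE_CLIENT_TABLE):
        print(alert)
```

Run against the sample table this reports the unknown client and the count mismatch; an empty result means the segment matches its baseline. A MAC allowlist is a detection aid rather than an access control, since a hardware address is trivial to copy, so the check belongs alongside the router and server log review described in the post, not in place of properly securing the access point.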
