Anatomy Of A Break-In
Ride along as a team of security pros pokes holes in the security perimeter of one large company that thought it was safe.
We acquired information critical to the company's success, such as financial information, key project status, multibillion-dollar proposals, and other insider information. We also accessed information that could have compromised the CEO's personal safety, such as the tail number of the private jet he uses to fly into high-risk areas.
We got to the CEO's information through other means as well. Our espionage simulation included physical walkthroughs, and we specifically targeted the information-systems and human-resources departments and the executive offices. Again, the card-access systems gave us access to all the necessary facilities. Although some people didn't leave anything that could give us access to sensitive information, more than enough people had their passwords hidden in plain sight--taped to monitors or under keyboards--that we could access their accounts and, therefore, other people's information.
In the executive offices, keys and passwords, while not universally available, often were easy to find. For example, the CEO's secretary had the CEO's password written on a piece of paper inside her desk, even though the password was his first name. We gained access to the secretary's desk by finding a set of keys in another desk in the executive area. Also inside the secretary's desk was a key to the CEO's office. We had similar success getting data from the offices of the CFO and general counsel.
Then there were the Unix systems. By the second day, the CIO thought we could take some chances that I advised him we wouldn't take in real life because we already had the ability to control all the systems remotely. He specifically wanted me to get physical access to the network operations center.
Lessons Learned

Our simulated espionage yielded the following recommendations:

Demand authorization and verification from a company employee or sponsor for a person to receive a facility access card.
Require special approval of the manager responsible for a facility for extra access privileges and notify that manager when such access has been granted.
Establish security-awareness programs that include both physical and technical issues.
Perform regular vulnerability scans on all network systems.
Maintain audit logs for critical systems and review them regularly.
Log out of critical systems when not in use and activate screen savers with passwords, even when they're in supposedly secured areas.
Never assume you can hide keys or passwords. There are just so many places they can be hidden, and people will find them.
Perform regular walkthroughs to find obvious vulnerabilities.
Jeff found out the name of a technical support person who was away for a week. Sporting our headquarters access badges, we drove over to the network operations center, walked up to this building's receptionist, and told her we were there to see the person we knew was away. She told us he was out for the week. I replied that we were with the audit staff and needed to make sure we had all the systems cataloged in advance for the upcoming audit. I said we'd been told that person would show us around the center so we could count the systems. She volunteered to show us the facility.
We had planned how the attack would go. Jeff was to stay near the woman, and I would wander out of sight. As in most such operations centers, system names and IP addresses were taped to the system boxes. We recorded the names and addresses. While Jeff was distracting our escort and I was out of sight behind an equipment rack, I pulled something out of my bag and put it in the racks as if it were a network tap. After a couple of minutes, we told the woman we had everything we needed, and we left.
Spyware Installed
From a technical perspective, Kevin had found critical vulnerabilities in the network operations center's main servers before our visit. The systems appeared to be well-patched. However, staff members didn't check the servers regularly for vulnerabilities and missed reinstalling all patches when they reloaded operating systems. Because of the nature of the vulnerabilities found, we would have had to reboot the systems to finish the compromise and get root privileges on the critical servers. We didn't want to bring down the system, so Kevin came up with an alternative attack.
Thanks to the password-cracking Kevin had performed, he compromised the Sun admin's desktop system, which was actually a Windows system. He installed spyware that let him watch the administrator's activities and control the system. We waited for the admin to perform a remote logon to the Unix systems, which would let us capture the admin accounts and passwords. Although we didn't need to do this because Kevin had identified vulnerabilities on the servers, it was a way to get root access without bringing down the systems. We eventually got the admin accounts for the Unix network. This, of course, provided an immense amount of engineering and project data.
All in all, this was a busy two days--yes, two days. Generally, all company information was available to us. We didn't have any information that a malicious party couldn't have found independently and with minimal effort.
Although some might say we were just lucky, my teams consistently have this level of success in this time frame. The people who will cause you the most harm are the professional and malicious criminals who want to access your information or cause you damage without being detected. Although these criminals might not get the same results as we did in two days, they very well may have more funding and time than we did and could use those to their advantage.
Ira Winkler, CISSP, is president of the Internet Security Advisors Group and the author of Spies Among Us (Wiley, 2005). This article originally appeared in Secure Enterprise, an information sister publication.
Illustration by Michael Morgenstern