Compromised Systems – CompTIA Network+ N10-006 – 3.2

If the bad guys can gain access to a system, they can use it for many (often bad) purposes. In this video, you’ll learn about compromised systems and how a single compromised system can ultimately cause the theft of over 40 million credit card numbers.

A compromised system is valuable to the bad guys in many ways. One of the big reasons for wanting to own a device that's inside of your network is that most of your security is on the perimeter of the network, designed to keep people on the outside from getting in. But once you're on the inside, there are far fewer security controls in place, and it becomes much easier to move around the network if you have a foothold on the inside you can use as a jumping-off point.

Somehow getting inside of the network is the hardest part. It's usually very easy to get data out once you're inside, but getting through that hard shell around the perimeter is the most difficult step. This is why you see so many attempts to get you to click something in an email. It might be spam, or phishing, or an executable attachment that runs on your desktop so that the bad guy gains access to a device on the inside of your network.

This is a very good reason why patches are so important. You want to be sure that every known vulnerability in an operating system or an application is closed. You don't want anything that would allow the bad guys to gain access to your system, because once an attacker is in, they are in complete control and can do whatever they like with it. They might have the device act as a bot, where it sends spam messages or participates in a distributed denial of service attack.

Maybe the attacker will sit on your system with a keylogger and watch as you type. When you visit a financial site and log in, they now have the keystrokes of your username and your password, and over time the credentials for every site you visit. Maybe their goal is simply to display ads and other information to you, because there's obviously money to be made in advertising. They might also present you with a phishing page to try to get even more information from you.

And of course, it's a jumping-off point: a place on the inside of your network that the attacker can use to move wherever they'd like. A very large and highly publicized compromise happened at Target in November of 2013, where point-of-sale terminals across the company were infected with malware. The attackers didn't start at Target. They started with a third-party vendor that had been given access to Target's normal vendor systems. Someone at that vendor received an email with a malicious PDF attachment, and opening it infected their local machine.

The vendor didn't have a formal security policy that required real-time antivirus, so as soon as that attachment was opened, the machine was infected. When the vendor then connected to the Target vendor network, the compromise was able to jump from the vendor's network into Target's. Ideally it would have stopped right there, but Target had not segmented its vendor network from the rest of its corporate network, so from the vendor systems it was very easy to get into the Target corporate network.

Once you're in the corporate network, you have a path to the point-of-sale terminals. Ultimately, 40 million card numbers were compromised and sent out of Target's network into the hands of the bad guys.

Recovering from a compromise can be a very difficult thing. You first need some type of backup: data that you know is good, taken before the compromise, so that you're able to restore from it.

You may have to take the user's data and copy it off to a secure location so that you can then remove the compromise from that computer. Before changing anything on the drive, you may want to make a forensic copy of it, along with a hash of that copy, so that all of the original information is available and provably unaltered if you need it later. And certainly when there are legal issues involved, it's good to have the original data to reference. In many cases this is a situation where you just want to remove everything and start fresh.

You can never be 100% sure that you've removed a piece of malware from a device by cleaning it in place. So it's very common for organizations to wipe the drive completely and re-image it from scratch, since that is the only way to be confident the malware is gone.
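Here's the forensic-copy step of that recovery process as an added shell example. It is not part of the original video, and it assumes GNU coreutils (dd, sha256sum, awk). On a real case the source would be a block device such as /dev/sdb (a hypothetical path), attached through a hardware write blocker or at least never mounted read-write, with the image written to separate evidence storage; here a constructed 4 KiB sample file stands in for the suspect drive so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original video): bit-for-bit forensic copy of a drive
# before any cleanup, with recorded hashes so the copy can be proven unaltered later.
# Assumptions: GNU coreutils; SRC would be a block device such as /dev/sdb behind a
# hardware write blocker. Here a constructed 4 KiB sample file stands in for the drive.
set -eu

# make_sample_disk OUT: constructed stand-in for the suspect drive, 8 "sectors" of
# 512 bytes with fixed content. Prints the resulting size in bytes (4096).
make_sample_disk() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 8 ]; do
        j=0
        while [ "$j" -lt 32 ]; do
            # 16 bytes per line, 32 lines per 512-byte sector
            printf 'sector%02d-data--\n' "$i" >> "$out"
            j=$((j + 1))
        done
        i=$((i + 1))
    done
    wc -c < "$out" | tr -d ' '
}

# image_drive SRC IMG: copy SRC sector-by-sector to IMG, hash both, and record the
# hashes beside the image. Returns 0 only if the image hashes identically to SRC.
image_drive() {
    src="$1"; img="$2"
    # bs=512 with conv=noerror,sync keeps reading past bad sectors and zero-pads them,
    # so every later sector stays at its original offset. dd's own report (records
    # copied, any read errors) is kept as part of the evidence rather than discarded.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2> "$img.dd.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" >  "$img.sha256"
    printf '%s  %s\n' "$img_hash" "$img" >> "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: re-check IMG against the hash recorded at acquisition time.
# Run this before each later analysis; any change to the image makes it fail.
verify_image() {
    img="$1"
    awk -v f="$img" '$2 == f' "$img.sha256" | sha256sum -c --quiet - > /dev/null 2>&1
}
```

In use you would source the script and run `image_drive /dev/sdb /mnt/evidence/sdb.img` (hypothetical paths), then `verify_image /mnt/evidence/sdb.img` before every examination. The source hash is taken on the original drive at acquisition time, so the matching pair of hashes is what lets you show later that the image you analyzed, or produced in court, is the same bits that were on the compromised machine.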