Case Study #3 – Firewall Burning with Traffic From Unknown IP Address

The Information Systems department of a large Canadian corporation noticed that there was a lot of traffic on one of their internal servers from an outside IP address. After a brief investigation, they were able to determine that someone was accessing their information illegally from a server based in China and that data was being transferred to this server.

Our staff were called and responded immediately to assist the client in answering the most immediate question. “Do we leave access open to the hackers or do we shut them down”.

mr-cup-fabien-barral-86068.jpg

The natural tendency would be to shut them down immediately; however, this may or may not be the right decision. At this point in the investigation, all we knew is that they had access to a particular server. We did not know what information they had access to and whether or not other servers had been compromised. Even worse, we did not know if they had planted any code on other servers which would allow back doors into the system once they were shut down. Do we take steps to identify who the perpetrator is, with the intention of understanding the full scope of the breach and collecting enough information to understand the full depth of the breach and gather enough information to report this to the authorities?

The decision was made to carefully monitor their activities and understand the full extent of the breach. In this case, it was the correct decision as we were able to determine that other servers had also been compromised. We were then able to determine what information had been stolen. It was at this point that accessed was denied to the hackers.

There was some company confidential information stolen, but knowing exactly what was stolen allowed the company to manage that. There was no personal information stolen.

patrick-lindenberg-191841.jpg

What still needed to be investigated was how the hackers were able to gain access to the system in the first place. This led to a detailed review of all of the firewall traffic and its rule set. We were shocked to find an “*any *any” rule embedded deep down in the rule set. Firewalls have very well defined “rules” in place. Let us say for example that you have a regional office located in Vancouver that has a different IP address than your corporate office in Toronto. One rule may say, “Any traffic from the IP address in Vancouver is allowed”. If an IP address satisfies a rule, then the traffic is allowed to pass. If the IP address goes through all of the rules and does not meet any of the criteria for any of the rules, then that traffic is rejected. An “*any *any” rule says that any IP traffic from anywhere is allowed to pass. In other words, it was if there was not firewall in place at all.

There are very few people in an organization that have access to the firewall. The list of authorized people was quickly put together and interviews conducted. It wasn’t long before one of the select few who had authorization to the firewall admitted that they were being blackmailed.