Carl made a mistake. In his repetitious data entry job he entered employee information every workday. He was always careful to input the correct job requisition number in the user screen's JRN field. "Without a correct JRN entered, the new employee input won't process," his supervisor told him the first day. This time, instead of "34896KN," his fingers danced the wrong way and entered "34896KL." The input processed. Carl was able to go into the EMP_DATA file and correct it. The procedure was a bit of a pain, but he learned a valuable lesson his employer never meant for him to know: he could set up bogus new employees on the payroll using a dummy JRN. By entering the wrong input he won the jackpot, and his employer lost big time.

It is estimated that up to eighty-five percent of attacks are perpetrated by insiders. These attackers often stumble across weaknesses in the user interface design and hijack them as vectors for system compromise. Because these attackers are already on the network, they do not have to circumvent peripheral network defences. Instead, they can use their own computers, which they are fully authorized to use, to gain illicit access to information. Many of these attacks take advantage of problems that are inherent in user interfaces.

Since interfaces seek to be user-friendly, they often make the intruder's job easier. Investigators need to understand the attack vectors that interfaces offer. The article makes suggestions for investigators and response teams on detecting and investigating interface-based insider attacks. It is also hoped that the article will provide the basis for incident response policies covering insider attacks that exploit interface-based vulnerabilities.

The link for this article located at SecurityFocus is no longer available.