In the first two parts of this series I covered the idea of security and physical security. We now move into access security. Access security is a highly religious topic, bent with emotions, misinformation, egos, principles and typically (worthless) corporate policy, so prepare for battle on this one if you dare tackle it. Let's dive right in using our previous example of an office building: I'm looking for a port to plug into the network. How long will that take? Virtually no time, they're everywhere, which leads me to my first not-really-bold statement of this post.
Network access cannot be controlled. If you haven't heard this yet, let this be the end-all. Under no circumstance can any company in today's world do business without having network access available to the world, period. Clients, employees and your own staff need access to the net at a moment's notice for a variety of business reasons (or not-so-business reasons), and the network should not get in the way - it costs too much money and overhead. Generally speaking, the network should never be seen nor heard but "just be there". So, accepting this, the next issue is that any device attached to your network can't be trusted, regardless of whether it actually has your policy on it ...at least initially. Taking the same "what if" mindset from the previous post, with a slight tweak, we're going to add "and I wanted to affect <blank>". We'll say the network policy is basic - some sites are blocked, most ports are blocked except the usuals (http, smtp, some other services) - and we ask: "What if I came in with a laptop/pda/some-wireless-device, plugged it into the network and wanted to affect the entire network?"
That's a hugely vague question, isn't it? The first thing that comes to my mind is network speed -- why? It's fairly easy to flood the bejesus out of a network with multicast packets (referred to as a multicast/broadcast storm). I did this once, by total accident, while doing a Norton Ghost job -- I meant to select unicast and missed -- but it pointed to some flaws in network management, which brings up another point that requires a slight tangent -- not all attacks are intentional. Some of them are completely, totally innocent. They might be stupid, or misinformed, or just downright unknowing, but sometimes it happens, and a well-protected system will resist these accidental attacks as well. So, back to the multicast storm - I've started one and tons of junk data is now flooding the network at an amazing rate, taking the system down to a crawl (think 14.4 modem speed). The fix is easy - simple flood control turned on at the switches will limit the effect if not eliminate it (depends on size of the network, infrastructure, etc).
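As an added example (not from the original post), this is what that flood control looks like on a Cisco IOS access switch; the interface name, the thresholds and the trap action are assumptions to be tuned for your own network:

```text
! Cisco IOS (Catalyst) storm control, applied per user-facing access port.
! Thresholds are illustrative assumptions: 1000 broadcast or multicast
! packets per second on a single user port is far above normal LAN chatter.
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 ! start suppressing broadcast/multicast once the per-second rate crosses 1k
 storm-control broadcast level pps 1k
 storm-control multicast level pps 1k
 ! send an SNMP trap so the storm is seen by the NOC, not just silently dropped
 storm-control action trap
```

`show storm-control GigabitEthernet1/0/1` then shows the configured levels and the current rate, which is also the quickest way to confirm an accidental storm (the Ghost-gone-wrong case above) is being contained on that port rather than flooding the rest of the segment.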
Ok, cheap shot, that "hole" is plugged, what's my next vector? Well, I'd like a login, a username and password, maybe some network share info, so I launch a man-in-the-middle attack against some unsuspecting user (someone who comes in late and hasn't logged in yet is ideal), collect some hash values, SIDs and a username, run my favorite password cracker and gain some entry. Sound hard? Nope, I've done it before as a demo/proof of concept and had a secretary's password busted in under 3 minutes. Even worse, recent advances in hardware and, of all things, gaming video cards have made it possible to crack that tougher password MUCH faster. This is where a decision has to be made in regards to what you are protecting. Should you enforce long, complex passwords? Should you bump your domain to NTLMv2 or Kerberos? Those are decisions that will have to be weighed and decided per the requirements (cost vs risk), but let's say you do Kerberos but not long passwords, so that should protect them a bit more.
Now the passwords are heavy on the encryption (not to be confused with hashing) and I can't flood the network anymore, so now what? Oh look, a PC with a hard drive -- let's clone it! If this doesn't make you wince in pain, I don't know what will. Notice I didn't say steal it, I said clone. First and foremost I'm more interested in the cache of users and passwords on the drive than anything else. The random slew of documents and other junk on the drive is a nice bonus, and maybe I can find other apps to attack (we'll get to that later), but for now I want a copy to see what I can see. Now, since I'm downright evil, I want to change an HR document and toss it back on the network with promises that are clearly way out of line (you get a Corvette for your 5 year anniversary).
The data's now on a server somewhere, encrypted, so changing stupid stuff isn't easy ...how about a keylogger like I mentioned in the other posts? I'm going to stop here because I think the point is made -- these attacks are impractical to control in most situations. Enforcing long passwords is known to increase your helpdesk tickets (see: expensive) -- talk about a hassle, but you should get the idea by now. There ARE many ways to fix these problems: quarantine networks, 802.1X authentication, IPSec (a GREAT IDEA), RADIUS and others. If you've never heard of these, look into them, now. Next post, I want to talk about the touchy subject of policies and how I feel they should be approached.
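As an added example (not from the original post), here is how the 802.1X, RADIUS and quarantine-network pieces fit together on a Cisco IOS access port, so that a strange laptop plugged into the wall gets a quarantine VLAN instead of the production network; the RADIUS address and key, the interface name and the VLAN numbers are placeholders:

```text
! Cisco IOS 802.1X port authentication backed by RADIUS, with a quarantine
! VLAN for devices that fail authentication or never attempt it.
! 192.0.2.10, the shared secret and VLANs 10/99 are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server CORP-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! port passes no traffic (beyond EAPOL) until the supplicant authenticates
 authentication port-control auto
 dot1x pae authenticator
 ! a failed login lands the host in quarantine VLAN 99 ...
 authentication event fail action authorize vlan 99
 ! ... and so does a device with no 802.1X supplicant at all
 authentication event no-response action authorize vlan 99
 ! re-authenticate hourly so a granted session does not live forever
 authentication periodic
 authentication timer reauthenticate 3600
```

VLAN 99 should only reach remediation and guest resources, which is exactly what keeps the cloned-drive and man-in-the-middle scenarios above off the segment where real users and servers live; `show authentication sessions` lists which port ended up in which VLAN and why.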