
Altiris and Intel vPro Use Cases, Part 4: Auditing and Software Remediation 

Jul 03, 2008 01:27 PM

NOTE: If you have not read parts 1 through 3, please read these before reading this part as this is a continuation of the story begun in the previous sections.

Security is only as tight as the weakest link in your environment. More often than not it's internally where the security holes are created, either inadvertently from carelessness or intentionally from a disgruntled or disillusioned employee. The hardware and software security can be top of the line, but if the human factor doesn't adhere to policy, it may not make any difference. This part follows the IT team for Mighty Modern Marketing as they try to track down a security hole where productivity is taken down through the very tools used to defend and manage the network.

Mighty Modern Marketing HQ - Boston, Massachusetts

Somehow the air inside the building congealed hotter than the heavy, humid swelter wallowing outside. Tevita, sweat running down the sides of his face, fanned himself with an empty binder. He stared at his screen, the image thereon frozen.

"I think one of the servers seized up," he said. Jessica Langley glanced at her Remote Desktop window. The previously blinking text cursor in the script she was editing no longer blinked, and as she watched, the disconnected icon appeared and the remote screen grayed out. She closed it with a quick click of the white-on-red X.

She took a long drink of water. "If they don't fix the AC soon, I'm going home," she announced.

"They'll have it up soon. Besides, it's never been so quiet here. I only have one system running, and I think I'm approaching something like Zen. Either that or I'm about to pass out."

"Any more missing application tickets?"

Tevita groaned. "Oh yeah. Five so far today. It's like the uninstall faerie ran around randomly touching computers with her magic star-wand. I've taken care of it."

Jessica stood, feeling sodden. "Thanks. I'll check on Bobby to make sure he hasn't suffered from heat stroke."

The server room actually felt cooler despite the cacophony of running servers that reminded her of the sound and feel of a jet engine escalating towards takeoff. Somehow Bobby had created a wind tunnel with large fans, and she felt her hair whip away from her as she stepped directly in the wind's path. She shielded her eyes and walked to the developer's cube area. The pull of the moving air seemed to try and yank her off her feet by her dress-suit jacket. She folded her arms as she stepped into the relative stillness of the cube.

Bobby looked like a wilted plant. He looked up, and sighed. "What, IM down again?"

"Of course not," she responded with a smile. "You holding up in here?"

He shrugged. "I'll survive, though it reminds me of Phoenix, Arizona, except here it's like standing in front of a vat of boiling water. Phoenix is like standing in front of the open door to a blast furnace."

"The SQL Server locked again."

Bobby nodded. "I did a hard reset just a minute ago. I had to open the case and point a fan right at the CPUs. I think it'll stay up this time."

"Good."

Bobby shrugged again. He looked back at his screen, then back up at her. "You need something else?"

"Not really. You want to go to lunch with Tevita and I? The local Italian place has great AC."

"No, I'm good. My lunch cooked itself in this heat, so I ate already."

"Alright. See you later."

When she returned Tevita still sat in front of his computer, sweating profusely. He looked up as she passed by, a frown on his face.

"The facilities guy just passed by," he said as she sat down. "He says someone deliberately messed with the AC. He's fixed it and says it'll be up and running any time now."

"Someone sabotaged the AC?" she inquired.

"Yep."

She sighed. "Just when I thought we were done with the underhanded antics."

Tevita nodded. "The AC guy put thick padlocks on all the control panel cases. Too bad we don't have any way to track who goes in and out of that room. A magnetic badge reader would work."

The next hour passed in receding misery as the AC kicked on and began liberating the employees in Mighty Modern Marketing's Headquarters from oppressive heat. Jessica checked the Altiris Notification Server logs, ignoring the SQL errors for the times the SQL server seized up. Except for an occasional error where an event arrived for a package already deleted from the Notification Server, the logs looked clean.

"Mrs. Langley," Edgar's dry tones greeted.

Right on cue, she thought. Despite the heat things had been going too smoothly. She turned around and stood.

"Hello Edgar."

"I wanted to let you know that the budget we set aside for the mess with New Nifty Networks is on target, thanks to everyone's diligence," he said, eyes briefly moving down to the papers clasped in his hands. "We've even been able to devote some resources to Legal. It won't be long before we can put this whole ordeal behind us."

Tevita rolled over in his chair. "What, and I've done nothing?" The expression on his face and tone of his voice took away any sting of the words.

"Both of you have performed exceptionally," Edgar said, shuffling the papers in his hands. "Though it's not official, I believe you will both receive merit increases for your performances."

"You're kidding!"

"I do not kid, Mr. Tatafu."

"So be honest, was it hard to allow that through?"

The barest hint of a smile touched the corners of Edgar's thin lips. "Yes, adding my approval felt much like pulling out stitches. Now don't you both have work to do?"

He shuffled away, his posture a little bent.

Tevita gave Jessica a thumbs up. "Ha! So some good is coming from this whole competition nightmare."

"Perhaps," she said noncommittally, having trouble suppressing a smile. "It's not over yet, not until this school-friend of Mr. Johnson's finally gives up. I'm hoping it happens soon so we can go back to normal."

"Normal?" countered Tevita. "When is IT work normal? It changes faster than the seasons."

She opened her mouth to respond when her telephone rang. The caller ID noted Johnson. She quickly picked up the handset.

"Mighty Modern Marketing, this is Jessica," she greeted as cheerily as she could.

"Jessica, this is Mr. Johnson," greeted the CEO. "Can you please come up to my office immediately? We have a sensitive matter to discuss."

"Of course. I'll be up right away."

"Please have Tevita join us as well. See you in a minute."

"Will do. Thanks. Bye."

When she looked up Tevita had his day planner in one hand, the other locking his computers.

"Ready for lunch?" he inquired.

"Change of plans," she said, rising. "Mr. Johnson wants to see us in his office immediately."

Tevita stared at her for a moment, then tossed his planner onto his chair, a wry smile twisting his mouth. "Wonderful. Somehow even though everything he says sounds enthusiastic and wonderful, we end up with a pile of work."

"Job security," she responded.

The CEO's office, remarkably, looked very much like the other offices in the entire building. She glanced through the window on the door, then knocked politely. Mr. Johnson, looking as refreshed and lively as ever, waved her in. The building continued to cool, but still hovered near eighty degrees. Though she felt sweaty and rumpled, Mr. Johnson appeared completely unaffected by the heat, his hair perfectly combed and his clothing pressed and clean. He smiled warmly as they sat down in the two chairs set before his desk.

A man sat next to him, and though she knew she should know who he was, she couldn't place his face in her memory.

"Thank you for coming up so quickly," he said, rising to shake their hands. "This is Dan Williams, Chief Security Officer."

She said hello, shaking Dan's hand. Funny how she knew the name so well from countless emails and conference calls. She felt she knew him despite only seeing him on rare occasions, all from electronic or audio correspondence. Somehow she'd never put that voice with this face.

"Jessica, Tevita," he said by way of greeting in that familiar voice. "We need to meet more often, especially with how much I depend on both of you."

"Definitely," Tevita responded as he sat down.

Jessica had trouble controlling a laugh that threatened to escape. "Mr. Williams, you don't look like I imagined."

Dan smiled, amusement dancing in his eyes. "What did you think I looked like?"

She blushed. "Well... you sound like Chuck Norris. But you're more like..."

Mr. Johnson started. "Chuck...?" He burst into laughter. Tevita's booming laughter joined in as Dan's smile grew wry. Jessica wondered if someone could faint from embarrassment, and imagined she looked as red as a tomato.

"Sorry, I like yoga, but not much of a martial arts guy," Dan said, trying not to laugh.

"Alright," Johnson said with a deep calming breath. "Without further preamble, I'll let Dan discuss the situation."

Dan nodded. "As you are well aware of our situation with our friends over at New Nifty Networks, what I'm about to show you shouldn't come as much of a surprise. We have a plant."

"A plant?" Tevita inquired. "Like a house plant?"

Jessica covertly elbowed him in the ribs as he chuckled.

Dan continued, undaunted. "Someone here is feeding information to our competitor. We're tracking this using email, etc, but the trail is long and convoluted. We think this spy, for lack of a better term, is also sabotaging our business here. While we're pretty sure he or she disabled the air conditioning, we don't have enough data to even begin to narrow down who it could be. There are other things happening that I believe you'll be able to help us with."

"You see, we believe he's somehow obtained access to your management tools. We've had increased cases where vital software has been mysteriously uninstalled from systems."

Jessica exchanged a look with Tevita. "We have had a large amount of emergency software deployment tickets," she said.

"The tickets always say the shortcut is missing," Tevita added.

"Exactly," Dan continued. "Depending on the user, this can severely hamper our productivity. Since some of the computers are locked behind office doors I'm assuming they're using management software to accomplish this. Is Altiris capable of this?"

"Yes," Jessica answered. "However you need rights to do anything."

"And that will be to our advantage. Please look through any auditing or logging done by Altiris and see if you can figure out how this individual is uninstalling applications, what credentials he or she is using. Any evidence or data you capture please forward to me."

"We will," Tevita responded.

Back at her desk, Jessica pulled up the Altiris Console. Events would allow her to see if any Software Delivery or similar jobs had been scheduled to run on the affected systems. They had uninstall programs set up for most of their managed applications. She browsed in the Altiris Console under View, Solutions, Software Delivery, Tasks, Windows, Software Delivery Tasks. The first task she chose uninstalled their accounting software, one of the applications the spy, or whatever he or she was, liked to target. She did a quick scan to ensure no new tasks showed up.

She clicked on the Status tab. Once the tab loaded she used the dropdown labeled, "Display computers on which this task ran:" to set it to "All". Once the grid loaded she clicked on the top of the "Attempt Time" column to sort by date, and looked at the last week's runs. Only three showed up, and all of them had been scheduled by either her or Tevita.

"Any luck?" Tevita asked, his head rising above his cube's wall.

"Nothing yet. I guess it's possible they created a task and then deleted it after each execution."

"Yeah, but there's an ItemDeleted table that we can look at to see if that's occurred."

He walked into her cube and sat down on the spare chair. He used her secondary system to open SQL Enterprise Manager and launch a query window. He used the query:

SELECT ItemName FROM ItemDeleted
WHERE ItemName LIKE '%Accounting%'
AND ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'

"This class-guid here represents Software Delivery Tasks," Tevita explained as he ran the query. "Nope, nothing. Let me try one more query, this one more generic..."

SELECT * FROM ItemDeleted
WHERE ItemClassGuid = 'D922981C-B8E7-40EE-B6BD-1E6CB354C9FE'
ORDER BY DeletedDate

"Okay," he continued. "I don't think he used Software Delivery. I don't see any Tasks deleted recently enough to account for all the uninstalls reported."

Jessica nodded. "Hmm. If he didn't use this, then the only other two options I can think of are Deployment Server and Task Server."

Tevita smiled. "No chance with Deployment Server. I've changed the management credentials recently and blocked everyone else out. Since only you and I use it, I figured with all the security stuff going on I'd better be safe, not sorry."

She blinked. "I didn't know you'd locked... I guess DS is your baby."

"You know it. So, do you think Task Server could really be it? Wouldn't he need to know scripting?"

"Not necessarily. There's a 'Deliver Software' task available that can run any Package-Program we have available in Software Delivery. Let me look through here... I don't see any Jobs or Task Server tasks that reference the uninstall program. The ItemDeleted table would have deletions if he'd done that. But you used the standard Software Delivery Tasks, right? Can you do one for Task Server Tasks?"

Tevita scratched his chin. "I think so. In fact we don't delete things that often. Let's try this..."

SELECT * FROM ItemDeleted
ORDER BY DeletedDate

"Okay. A few deletions, but they all look straightforward. Computers purged, a couple of Software Portal Requests... but nothing that looks like a Task Server task. Wait... what's this? Bobby deleted a task named WOfW? This was last week. If I didn't know better, I'd say he's been playing with Software Delivery and World of Warcraft."

Jessica grinned. "You think he wants to roll it out company-wide? I can see it now. 'Productivity hits an all-time low, though the average level of Mighty Modern Marketing exceeds fifty'!"

Tevita laughed, pointing at her. "I didn't know you knew enough about gaming to make a joke like that!"

"Right. Like you don't bring it up every week. It was bound to rub off on me at least a little."

"This looks clean. That doesn't make sense. Perhaps Dan's wrong, and whoever's responsible for this isn't using Altiris."

Jessica shook her head. "He's right, I don't think this could be done at this rate any other way. Either they're using a different method, or they have intimate knowledge of Altiris."

Tevita leaned back, looking up at the ceiling. Jessica placed a fingertip on her lips, thinking furiously. If Software Delivery and Task Server weren't used, and the evidence suggested as much, what other method could you use to remove software? They planned on using PC Anywhere for remote control, but it wasn't up and running yet in the Altiris environment. Tevita used the simple Remote Control feature in Deployment Server, and she still used Carbon Copy. She'd disabled access to it in Altiris and used the stand-alone product that only existed on her system for security reasons. Could they have a rogue copy of Carbon Copy installed...?

"What about vPro?" Tevita inquired abruptly, interrupting her thoughts.

"Serial-Over-LAN doesn't work in Windows currently," she responded. "No other remote application abilities... it's really considered an out of band management interface."

"Yeah, but if you built a remote tool into an ISO, using IDER, couldn't you use that?"

"In theory, yes... In fact if you ran an IDE redirect with something like that you could do whatever you wanted to the system."

"Exactly."

Jessica smiled. "And we have an actual activity log."

In the Altiris Console she browsed in View, Solutions, Real-Time Console Infrastructure, Tools, and clicked on "Activity Log". She scanned down the entries.

"Well, well," Tevita said, leaning forward. "Our friend has been busy."

The icon for a redirection session looks like two plugs plugged together. The other pertinent columns were Client, showing by IP address which computer was being accessed; User, the credentials used to execute the action; Host, the hostname of the destination computer; Description, the path to the ISO; and Technology, the method used. Multiple RTSM sessions showed a redirection to an ISO labeled RemoteControl.iso. The path led to a UNC share.

Jessica pulled up the contents. "Jackpot."

Tevita shook his head. "Too easy. If they know how to create ISOs of that nature and use RTSM to deploy them, did they actually think there wouldn't be some sort of logging?"

"I don't know. RTSM is unique in that it isn't dependent on an agent at all, so there is no logging client-side. Still... perhaps whoever's doing this didn't create the ISOs and is just in charge of running them. And we aren't done yet. Note that the User column shows admin for every session. This means he or she is using the AMT credentials available on all systems."

"Oh. Can't exactly blame the invisible AMT admin..."

"No, but we can change the password easily. Before I do that, I'll send Dan the information on the share. That share should have some sort of user footprint his team can get to."

She quickly sent the email with all the information. She explained that she would change the admin password so that this rogue user could no longer use this method. After sending it she browsed in the Altiris Console to View, Solutions, Out of Band Management, Configuration, Provisioning, Configuration Service Settings, and selected Provision Profiles. She double-clicked on the profile they used for all systems. Under the Administrator Credentials section to the right, she changed the password under the Manual radio button option. She clicked OK to save the changes.

Next she browsed back up to Provisioning, and into Intel AMT Systems, selecting the node Intel AMT Systems. When the frame loaded, she clicked on the icon on the icon bar that looked like a system surrounded by green refresh arrows, labeled Re-provision. She hadn't selected any systems, so she selected the only live option, "All systems". She clicked OK to execute.

"That should do it," she said aloud.

"A re-provision?" Tevita asked.

"It's a simple way to send down the changes in a profile to the systems. It'll take some time to cycle through all the systems, but soon all systems will have the new AMT admin password set."

Tevita leaned back. "So we're done?"

"For now, unless you have any ideas for further tracking this guy...?"

The rest of the day proceeded smoothly, with only one more reinstall helpdesk ticket coming in. By the next day no new tickets had developed, and things had settled down to normal. Dan said he had enough to identify the perpetrator, but said no more on the subject.

He did say one thing very firmly. "All the security we can muster is worthless if those with the right privileges are not careful with their credentials."

Further, he requested they review their procedures concerning the AMT admin password. Was it written down anywhere? Did they ever say it out-loud? Though neither knew how the password got originally stolen, the increased care with which they handled passwords became a driving program within the company. Security was everyone's job.

At the end of the week, as Jessica headed away from Boston on the Redline Commuter Train, she hoped they'd seen the end of the targeted attacks, but in her mind she already looked through her current policies and processes to see where she could increase security.

End Part IV

Altiris provided not only an audit trail to track potential rogue usage of RTSM, but it also provided a very quick and efficient way to change security within AMT when somehow the credentials are compromised. Is this the end of the threats against Mighty Modern Marketing? Only time will tell.
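As an added illustration of the Activity Log review Jessica performs in the story (this is not code from the original post or from the Altiris product), the Python script below runs the same triage over a constructed export of the RTSM Activity Log: it flags IDE redirection sessions that either use the shared AMT admin account or boot an ISO that is not on an approved list, then condenses the hits into the targets touched, the ISO images used, and whether the shared credential was involved, which is what decides whether the AMT admin password has to be rotated. The CSV layout, the time column, the sample rows and the approved-ISO list are all assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the RTSM Activity Log (not real data). The
# column names follow the console columns described in the story; the time
# column and the CSV layout are assumptions about how an export would look.
SAMPLE_LOG = """time,client,user,host,description,technology
2008-06-30 09:12:05,10.1.4.22,admin,ws-finance07,\\\\fileserv\\tools\\RemoteControl.iso,IDER
2008-06-30 09:40:51,10.1.4.31,admin,ws-finance09,\\\\fileserv\\tools\\RemoteControl.iso,IDER
2008-06-30 11:03:17,10.1.2.15,MMM\\jlangley,ws-dev03,,SOL
2008-06-30 14:21:40,10.1.5.12,admin,ws-sales12,\\\\fileserv\\tools\\RemoteControl.iso,IDER
2008-07-01 08:05:02,10.1.4.22,MMM\\ttatafu,ws-finance07,\\\\nsserver\\deploy\\WinPE.iso,IDER
"""

# ISO images the IT team itself boots over IDER (assumed allowlist).
APPROVED_ISOS = {"\\\\nsserver\\deploy\\WinPE.iso"}
# The AMT administrator account provisioned on every system.
SHARED_AMT_USER = "admin"


def parse_activity_log(text):
    """Read the exported log into one dict per session row."""
    return list(csv.DictReader(io.StringIO(text)))


def is_suspicious(row):
    """An IDE redirection is suspicious when it runs under the shared AMT
    admin credential (no individual accountability) or boots an ISO that
    the IT team has not approved."""
    if row["technology"] != "IDER":
        return False
    return row["user"] == SHARED_AMT_USER or row["description"] not in APPROVED_ISOS


def find_rogue_sessions(text):
    """Return the suspicious session rows, in log order."""
    return [r for r in parse_activity_log(text) if is_suspicious(r)]


def summarize(hits):
    """Condense the hits into what gets handed to the CSO: which hosts were
    touched, which ISO paths (UNC shares) to examine for a user footprint,
    and whether the shared AMT credential must be rotated."""
    return {
        "targets": dict(Counter(r["host"] for r in hits)),
        "isos": sorted({r["description"] for r in hits if r["description"]}),
        "shared_credential_used": any(r["user"] == SHARED_AMT_USER for r in hits),
    }


if __name__ == "__main__":
    rogue = find_rogue_sessions(SAMPLE_LOG)
    for r in rogue:
        print(r["time"], r["client"], r["user"], r["host"], r["description"])
    print(summarize(rogue))
```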
