Your Own Users? Hacking?

Say it isn't so... But the only way to know for sure is by monitoring their HTTP traffic (a.k.a. spying)

4:00 PM -- A few months back, my administrator was looking through our logs and found out that one of the biggest companies on earth was trying to hack us.

You've heard of the company -- it's huge. On any normal day of the week, I'd shrug it off because the attack was unsuccessful, and given the sheer volume of attacks we see per day, it's almost inconsequential. There's one thing that sets this apart from every other attack I've seen: It was coming from the company's corporate proxy.

If I were a malicious person, I could easily have made a stink out of it. Since it's doubtful the company logs who connects through the proxy to which Web servers at any given time, it's likely that no culprits would have been caught. I could then have claimed that Company X had both attempted to hack us and been unable to produce any suspects. The PR headaches from that sort of story alone could be huge!

All of this got me thinking: Have we reached an age where we need to protect our companies from our own users, rather than protect our users from the Internet? Perhaps an inverse content filter or Web application firewall (WAF) would do the trick? This reminds me of how companies adopted egress filtering after all the large-scale worms that hit the Internet in the last five to seven years. Why wouldn't you treat your outbound HTTP traffic the same way? Why would you allow your corporate users to risk your company's reputation by attempting to hack into other sites?

The short answer is that it's incredibly complex to stop these sorts of attacks. If we could do it with a WAF, we would have done so long ago in the other direction, to protect our Web servers from the Internet.

The only thing that's left is to identify a scapegoat. Using a corporate proxy server is a good concept because it can log who sent the data and at what time, for forensic purposes. Keeping that information around for months, or even a year or more, might prove very valuable in industrial espionage cases, as well as in PR nuclear bombs like the one above. Maybe this signals a move toward spying on our employees; regardless, it's time to start thinking about logging that traffic.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*. Special to Dark Reading