Am I insecure, or what?

8 03 2008

This is a case where the IT manager had an idea that the development team was not properly securing the HR data transfers between their legacy system and the ERP system. There was a perceived lack of understanding of the data privacy implications during the data updates between the systems.

The IT manager asked that I perform a packet analysis session with the intention of intercepting data to/from the ERP backend database servers. The purpose of this packet analysis session is to determine if the data/information captured to/from the ERP servers places the organization at risk from eavesdropping and other security concerns, specifically in dealing with personal employee information.

Identifying the problem

Making sure to have a documented sign-off from the manager requesting that I purposefully look for sensitive data being transferred to/from the system, I began with connecting the analyzer in front of the ERP servers.

After understanding the traffic paths of the systems in question, I looked at a few snapshots of data from the analyzer. Not knowing what exactly to expect, I set up some very detailed capture filters (based upon some initial data captures) and let the analyzer run for five days. When I returned, I had captured multiple files of data, and began looking through the data payloads within the captured packets.

It was clear that the data transfers between the ERP system and the legacy system were going over FTP in clear text. Not only was I able to capture the login credentials required to initiate the transfer, but the data being transferred between the systems as well.

In many cases, people know that sensitive data can be accessed on their internal systems, but it is far more imposing to show the decision makers their personal information. So in addition to showing the root level passwords captured while the server was logging onto the remote system, I printed out a single copy of the payroll details for both the IT manager and the CEO of the company. Payroll information related to gross salary, deductions, taxes, and net payroll numbers for this pay period and year to date were on this document. The SSN, birthdate, position, race, hire date, and employee ID were included as well. It didn’t take long for the IT manager to understand the implications of this while looking at all the numbers printed on this sheet, which perfectly matched his latest paystub.

In addition to being able to see this information, other security implications were immediately obvious. These included: 1) the logon credentials of the systems and people logging into the system to initiate the file transfer, which allowed the potential for data file and OS file level manipulation, and 2) the file structure, which was visible when the server-to-server transfer was occurring. You could see the location and name of the payroll file for the entire organization.
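The exposures described above (login credentials, directory paths and file names on the FTP control channel) can be reported from a capture without reprinting the secrets. The following is an added example, not part of the original post; the sample stream, account name, password and paths are constructed, and the function name `audit_ftp_control` is hypothetical.

```python
import re

# Constructed sample: client-to-server lines from one FTP control connection
# (TCP/21), as they look after reassembling captured payloads. Values are made up.
SAMPLE_CONTROL_STREAM = b"""USER svc_transfer\r
PASS Example-Passw0rd\r
CWD /export/hr\r
TYPE I\r
PASV\r
STOR payroll_export.dat\r
QUIT\r
"""

# FTP commands (RFC 959) whose arguments reveal something sensitive in clear text.
EXPOSURES = {
    "USER": "account name",
    "PASS": "password",
    "CWD": "directory path",
    "RETR": "file name (download)",
    "STOR": "file name (upload)",
}


def audit_ftp_control(stream: bytes) -> list[dict]:
    """Return one finding per exposed command; passwords are never echoed back."""
    findings = []
    for raw in stream.split(b"\r\n"):
        line = raw.decode("latin-1").strip()
        m = re.match(r"([A-Za-z]{3,4})(?: (.*))?$", line)
        if not m:
            continue  # blank line or something that is not an FTP command
        verb, arg = m.group(1).upper(), m.group(2) or ""
        if verb not in EXPOSURES:
            continue  # TYPE, PASV, QUIT etc. carry nothing sensitive
        # Redact the secret so the audit report does not become a new leak.
        shown = f"<redacted, {len(arg)} chars>" if verb == "PASS" else arg
        findings.append({"command": verb, "exposes": EXPOSURES[verb], "value": shown})
    return findings


if __name__ == "__main__":
    for f in audit_ftp_control(SAMPLE_CONTROL_STREAM):
        print(f"{f['command']:<4} {f['exposes']:<22} {f['value']}")
```

Any finding at all means the session was not protected: over SSH-based transfer none of these lines are readable on the wire.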

Problem resolved

Recommendations were immediately made to shut down the FTP services on this and other servers within the computer room. Secure Shell (SSH) was initially implemented and further investigation was conducted to determine an appropriate long term solution.
