Control Delegated Responsibility

It is a common practice in corporations to delegate certain responsibility down the chain of command. However, when such delegation is left unchecked by any formal or technical mechanism, it can be abused.


Here is an example scenario:

I was looking into a DNS configuration for a company DemoCorp, to assist in proper set-up. DemoCorp is outsourcing the DNS service to their ISP, and I was tasked to verify that all is OK.

As part of the process, I did a reverse lookup of all IP addresses published in the company's domain to check whether reverse lookup is correctly set up. DemoCorp is publishing the following hosts:

  • smtp - for smtp delivery, as a smtp relay and antivirus host, and is pointing to 10.10.5.1
  • mail - for e-mail, and is pointing to 10.10.8.1
  • pop3 - for pop3 access, if someone forgets the generic mail host, and is pointing to 10.10.8.1
  • www - for the web site, and is pointing to 10.10.12.10
  • www1 - which they use for testing purposes and is pointing to 192.168.10.15

When I did a reverse lookup of 192.168.10.15, I got a very peculiar response:

  • On the first query, the IP address 192.168.10.15 resolved to www1.democorp1.com, as expected. But from then on, things went downhill:
  • On the second query, the IP address 192.168.10.15 resolved to http://www.other_domain.com/
  • On the third, it resolved to http://www.some_other_domain.net/...
  • and this went on for another 5 domains.

All other domains had nothing to do with DemoCorp; actually, some resembled companies from other industries with no affiliation to DemoCorp. Suspecting an error at the provider, I did a WHOIS check of all peculiar domains in the query to identify their owner. The registrant was DemoCorp's ISP, but the Administrative Contact was indeed DemoCorp.

It is not unusual for a company to reserve domains for future use, so I consulted the CTO of DemoCorp.

Indeed, DemoCorp had the strategy to reserve domains, and for that reason they had an open contract with the ISP to register domains and provide hosting in the name of DemoCorp.

But with further verification with the Chief Marketing Officer, it was concluded that the domains under scrutiny were not planned for products, nor were requested by the business.

The responsibility to communicate with the ISP was delegated to a senior systems administrator in IT, but he was on vacation and couldn't be consulted.

I explained that this may be an error at the ISP, so the CTO called up the ISP and asked for an explanation. The response was received within 15 minutes, so I was still present to witness it. The response shocked everyone present in the CTO's office:

  • The ISP produced requests for registration of all domain names, received as scanned documents via e-mail from DemoCorp's mail server.
  • All scans were signed by the delegated senior systems administrator.
  • All registrations were invoiced on the open contract for domain registration.
  • The ISP also produced headers of all emails through which the requests were sent. A simple check confirmed that they were indeed sent from the IP address and hostname of the delegated system admin.
  • An informal call followed from the Account manager of the ISP. She explained that they had also received other registration requests, matched with de-registration requests in which the domains were made available to other companies. She was preparing the full documentation for delivery.

At this point, I excused myself, since what was going to happen next was an entirely internal matter.

Analysis:

Obviously, the job of administrative and technical contact was given to the System Admin because higher management trusted him.

  • The problem was that there was no control or second authority to monitor or verify his activities, probably since it was deemed a safe and cheap service. This gave the System Admin freedom to capture and sell domains. Since he did this at the expense and in the name of DemoCorp, he tarnished the reputation of the company, and probably earned them legal actions for brand theft.
  • Furthermore, this escalated another issue: the incident was caused by a Systems Admin, a person who can access any amount of confidential or business data without much control. So unless the audit system of DemoCorp is very good, what other illegal activities were done by the system admin will probably remain an unanswered question.

Conclusion:

Delegation of authority is a good corporate practice. But full and utter trust is bad corporate practice. So, delegation of authority should always be paired with audit, verification and/or oversight controls.
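The reverse-lookup check from the scenario can be turned into a repeatable verification control. The following is an added example, not part of the original post: it compares every PTR name returned for a published IP against the forward zone and a business-approved domain list. The zone data, PTR answers, the `.example` names and the `APPROVED_DOMAINS` set are constructed; in practice the PTR answers would come from live DNS queries and the approved list from whoever signs off on registrations.

```python
"""Audit PTR answers against the forward zone and an approved-domain list."""
from collections import defaultdict

# Constructed sample data modelled on the scenario (not real records).
APPROVED_DOMAINS = {"democorp1.com"}   # assumption: domains the business approved
FORWARD = {                            # published A records: host -> IP
    "smtp.democorp1.com": "10.10.5.1",
    "mail.democorp1.com": "10.10.8.1",
    "pop3.democorp1.com": "10.10.8.1",
    "www.democorp1.com": "10.10.12.10",
    "www1.democorp1.com": "192.168.10.15",
}
PTR = {                                # every PTR name returned for each IP
    "10.10.5.1": ["smtp.democorp1.com"],
    "10.10.8.1": ["mail.democorp1.com"],
    "10.10.12.10": ["www.democorp1.com"],
    "192.168.10.15": ["www1.democorp1.com", "www.other-domain.example",
                      "www.some-other-domain.example"],
}

def registered_domain(name):
    """Last two labels of a name; assumption: no multi-label public suffixes."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def audit(forward, ptr, approved):
    """Return (ip, finding, name) tuples for PTR data that needs review."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for host, ip in forward.items():
        hosts_by_ip[ip].add(host.lower())
    for ip in sorted(set(hosts_by_ip) | set(ptr)):
        names = [n.rstrip(".").lower() for n in ptr.get(ip, [])]
        if not names:
            findings.append((ip, "missing-ptr", ""))
        for name in names:
            if registered_domain(name) not in approved:
                # PTR points at a domain nobody in the business signed off on
                findings.append((ip, "unapproved-domain", name))
            elif name not in hosts_by_ip[ip]:
                # approved domain, but no A record maps this name back to the IP
                findings.append((ip, "no-matching-forward", name))
    return findings

if __name__ == "__main__":
    for ip, finding, name in audit(FORWARD, PTR, APPROVED_DOMAINS):
        print(f"{ip:15} {finding:20} {name}")
```

The findings are meant to go to someone other than the person who holds the delegated contact role, which is what makes the check an oversight control.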


Talkback and comments are most welcome
