I can't convince my company's management that security risks from internal users are real. The managers always respond, "It would take a whiz-kid hacker to do that. Our people aren't that technical. Besides, we trust our employees." How can I convince them of the danger?
Unfortunately, dishonest employees cause far greater losses than outside attackers. Magazines such as Internal Auditor offer frightening statistics and vivid horror stories. To convince managers that little technical skill is required to do great damage, why not organize a brief but high-impact seminar for managers that features some popular shrink-wrapped cracker tools?
You need a small, isolated LAN with two or three computers onto which you can load these tools. Start by demonstrating how easily nontechnical users can use @Stake's L0phtCrack to sniff and crack passwords from the network. Next, show them how easily any user can use the Ntpasswd utility to break into a laptop (see "Win2K Password Protection," http://www.win2000mag.com, InstantDoc ID 15892 for information about protecting Windows 2000 passwords).
Ntpasswd is a Linux-based utility that boots from a 3.5" floppy disk. When you boot it on a stolen laptop, the program displays a list of local user accounts, including the Administrator account. Simply select the Administrator account and enter a new password. Ntpasswd writes the new password into that user's record in the SAM. Then, reboot Win2K and log on.
Have one of the attendees open Microsoft Outlook Express and play Whackamole from an email message you placed in the mailbox before the demonstration. Enjoy observing the managers' shocked faces as they watch you take control of the computer from across the room. If you're also concerned about your Web security, show your managers some defaced Web sites, which you can find at http://defaced.alldas.de.