Attacks from within can be worse than those from without

By Paul Marcellin


Organisations spend significant time, money and effort ensuring that their IT infrastructure is as secure as possible, working tirelessly to reduce threats of virus infection, malicious attacks or intrusions. Should an organisation’s IT security be breached, the potential damage that can be caused could be mild or it could be crippling. The assumption is that outsiders attack companies. Wrong, says PAUL MARCELLIN, MD of PhiBlue Technologies.


Up to 80% of all attacks against IT systems originate from the internal network, carried out by trusted employees, associates, or partners who perpetrate the attacks either out of curiosity, to compete against fellow employees, or deliberately to harm the company or its employees.

Worse yet, tools that can be used to initiate attacks are freely available on the Internet for anyone to download. They range widely in complexity, giving even the less technically minded person the means to become an unwitting threat to the organisation; in the hands of technically minded people, these tools can be used to devastating effect.


Network communication

A computer connected to an Ethernet local area network (LAN) has two addresses, the address of the network card, which is referred to as the MAC address, and the IP address.

The MAC, or Mandatory Access Control address is a unique and unchangeable address that is stored on the network card of each individual computer.

IP (Internet Protocol) is a protocol used by applications, independent of the network technology operating underneath it. Each computer on a network must have a unique IP address to enable communication around the network.

Ethernet builds “frames” of data with an Ethernet header containing the MAC addresses of the source and destination computers. IP communicates by constructing “packets”, which Ethernet splits into frames, adding an Ethernet header to each for delivery. These frames are sent down the cable to the switch. The switch then decides which port to send the frames to by comparing the destination address to an internal table that maps port numbers to MAC addresses.

When an Ethernet frame is constructed, it must be built from an IP packet, but at the time of construction the Ethernet infrastructure has no idea what the MAC address of the destination machine is. It needs this MAC address to create the Ethernet header.


The ARP vulnerability

ARP, or Address Resolution Protocol, enables the Ethernet protocol to find the required MAC address of the destination machine.

ARP works by sending out “ARP request” packets asking the question: “Is your IP address x.x.x.x? If so, send your MAC back to me.” These request packets are broadcast to all computers on the network, which then check to see if they are currently assigned that specified IP. The one that is assigned the queried address returns an ARP reply containing its MAC address.

To minimise the number of ARP requests being broadcast, operating systems keep a cache of ARP replies and every time an ARP reply is received the information in this cache is updated with the new IP/MAC association.

This is where the hole opens up, presenting internal attackers who have the appropriate tools and the desire with the opportunity to launch their attacks through ARP spoofing.

In essence, ARP spoofing involves constructing forged ARP replies. By sending these forged replies, a target computer can be convinced to send frames destined for one computer to another. When done properly, the organisation and its network are none the wiser about the redirection of frames.

In this way, attackers can disturb, intercept, record or manipulate the entire communication of a single machine or a complete network segment, regardless of whether information is transferred in encrypted packages or not. Significantly, ARP spoofing and attacks are practically untraceable.
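As an added illustration of the cache behaviour described above (example code written for this page, not from the article or from PhiBlue Technologies): a small Python decoder for Ethernet/IPv4 ARP payloads and a monitor that learns IP-to-MAC bindings from replies and raises an alert when a later reply rebinds a known IP to a different MAC, which is precisely the cache update a forged reply depends on. All addresses and frames in the demo are constructed sample data.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

ARP_REPLY = 2  # ARP opcode for a reply (1 = request)

@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def build_arp(oper: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP payload; used here only to construct samples."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

def parse_arp_reply(payload: bytes) -> ArpReply | None:
    """Decode an ARP payload; return None unless it is a well-formed Ethernet/IPv4 reply."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return ArpReply(fmt_mac(smac), fmt_ip(sip), fmt_mac(tmac), fmt_ip(tip))

class ArpMonitor:
    """Learn IP->MAC bindings from replies; alert when a known IP is rebound to another MAC."""
    def __init__(self) -> None:
        self.bindings: dict[str, str] = {}
        self.alerts: list[str] = []

    def observe(self, payload: bytes) -> bool:
        reply = parse_arp_reply(payload)
        if reply is None:          # requests and malformed payloads never touch the table
            return False
        known = self.bindings.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            self.alerts.append(f"{reply.sender_ip} moved from {known} to {reply.sender_mac}")
            return True
        self.bindings.setdefault(reply.sender_ip, reply.sender_mac)
        return False

def run_demo() -> list[str]:
    """Constructed sample: the gateway answers once, then a second host claims the gateway's IP."""
    gw, host, gw_mac = "192.168.1.1", "192.168.1.20", "00:11:22:33:44:55"
    host_mac, other_mac = "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REPLY, gw_mac, gw, host_mac, host))       # legitimate reply
    mon.observe(build_arp(1, host_mac, host, "00:00:00:00:00:00", gw))  # a request: ignored
    mon.observe(build_arp(ARP_REPLY, other_mac, gw, host_mac, host))    # conflicting binding
    return mon.alerts
```

A real deployment would feed `observe()` from a capture of ARP traffic on the segment and should also treat the first binding it learns as unverified until it has been seen consistently.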



ARP presents any employee with the loophole needed to “look over the shoulder” of his neighbour, colleague, supervisor or manager. By conducting ARP attacks, they can watch network traffic or alter data running over that network.

Using fake ARP messages, an attacker can divert all communication between two machines, with the result that all traffic is exchanged via their PC. As the man in the middle, they can then run denial of service (DoS) attacks, they can intercept and manipulate data, or they can collect passwords.

A disgruntled employee, with the minimal know-how needed to launch an ARP attack on his company’s Ethernet network and access to download facilities to acquire the free ARP attack software, can intercept traffic between the network and the CEO's PC and manipulate the data in such a way that there can be massive damage to the company. While doing this, he can also make it appear that the changes or errors that suddenly appear in the company’s data were made by the CEO, effectively creating an audit trail that leads directly to the CEO’s PC.

In another instance, an employee can spoof the network to monitor e-mails between several colleagues with whom there is conflict, or to view the salaries of his colleagues, be it to satisfy his curiosity or to force a request for a salary increase.

Otherwise an employee (or any other trusted associate given access to the network) could monitor sensitive material such as accounting data, personal records, intellectual property, financial information or strategic plans and leak this information to competing organisations for kickbacks.

The employee could also simply be watching the network to satisfy his curiosity.

Whatever the reason an employee may have for attacking his company’s network, it is important that organisations begin to realise they are vulnerable to such internal attacks and that these attacks can be devastating. The problem is addressable, but organisations choose to leave themselves open to such attacks by denying the problem. Even worse, vendors convince their clients that this problem is either addressed in the solution they have implemented, which is almost always not the case, or that there is no problem.

To what extent are you prepared to put your organisation at risk simply because you do not want to admit to your CEO that you have missed something, or that you already have 14 problems to deal with and you do not want to add another one to that list? Look at it from this perspective: what do you think the consequences will be if an ARP attack does bring your company to its knees?





Paul Marcellin, PhiBlue Technologies, (011) 706 0339,

Rashmika Jeewa, FHC Strategic Communications, (011) 608 1228,