Internal Attacker Detected: Part 1

A while back when I worked in IT security, an internal attacker popped up on our radar…

I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”

A few minutes later, I was 5 floors down, looking at a freshly provisioned desktop. I’d been the security manager of this company for 2 years now, and people called me about little things more often–due to the employee orientation program I started and other things I’d done to raise security awareness.

But something told this tech that this little thing wasn’t technically little.

“What do you have, Tim?” I asked, as he smiled wide and pointed to the screen.

“I just imaged this new desktop for someone, and the malware alarms went off when I copied their documents from their current PC over to the new one. See?”

Tim pointed to a few files that the malware filter refused to transfer.

Hacking Tools

The files were obviously hacking tools. “I noticed that her antivirus software on her current box is not running; she turned it off,” Tim snickered. “As you know, we don’t allow users to have admin rights to their computers, so she hacked the admin password to turn off the antivirus. What do you want me to do, Mack? ”

“Who is it,” I asked.

“A woman named Lynn. Guess what else?” Tim asked.

“You met her last week at the company zoo outing and she refused to date you?” I teased.

”Come on, Mack, be serious. She’s a contractor.”

“Tim, I’m not aware of any company policy against dating contractors,” I said with a chuckle.

“Mack, let it go,” Tim insisted before he continued. “Besides, contractors don’t attend company picnics,” Tim retorted, rolling his eyes. “Anyway, she’s been here about 6 months.”

“What’s her job? Ten bucks says she’s a techie.”

Tim shook his head. “I won’t take that bet. She’s a help desk analyst that deals directly with customers who call about purchases on the Ecommerce system.  I also queried the company wiki, and she’s a coder also; she posted that she writes scripts for internal use by the department. Not a typical user. She has no Linkedin page or any presence on the ‘net that I could find. Not even on Pipl.”

I frowned and thought for a minute.

“Great work, Tim. Go ahead and give her the new PC, but act like everything is normal–don’t mention what you found. We’ll set a little trap.”

Read Internal Attacker Detected: Part 2


Filed under Case Files, Security, Security Scout

3 responses to “Internal Attacker Detected: Part 1

  1. Santosh Kaimal

    The link to the attacker 2 post doesn’t work.


  2. Pingback: Top 10 Reasons Why Being an IT Auditor is So Hard | ITauditSecurity

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.