Internal Attacker Detected: Part 3

Tim said, “Mack, like you suggested, I connected to her new PC over the network and searched her hard drive for the hacker tools–they’re back, plus a few new ones. And her antivirus is turned off again.”

This is a multi-part series. See Internal Attacker Detected: Part 1 and Internal Attacker Detected: Part 2.

After discussing my action plan with the CIO, Legal, and Human Resources, I met with the contractor’s manager, Sue, and explained the situation. Both the hacking tools and turning off a security service were serious violations of security policy. I had recommended the person be walked out and told her that the CIO, Legal, and HR agreed.

Sue was surprised at the news, but agreed that Lynn had to be let go. While Sue left to get Lynn, I stayed in the conference room and called the HR rep, Dennis, who arrived shortly before Sue returned with Lynn.

Lynn looked puzzled as she entered the room, sitting in the first chair next to the door; Sue sat next to her.

Lynn’s manager introduced Dennis as the manager of employee relations and me as the manager of security. I greeted Lynn and asked her if she had any idea why she was invited to the meeting.

“No,” Lynn said, looking calm, but I noticed that she swallowed.

“I have a couple of questions regarding some issues we noticed with your old desktop,” I began. “Does anyone else use that desktop besides you?”

“No,” Lynn said. “What kind of issues?”

I ignored her question. “How about the new desktop you were provided a few days ago?”

“Not that I’m aware of,” Lynn replied, swallowing again. “Why do you ask?”

I again ignored her question. “Did you have admin rights on your old desktop or the new one?” I probed.

“No,” Lynn said.

I turned to her manager and asked, “Does Lynn need admin rights to perform her job on the help desk?”

“No one on the help desk needs or should have admin rights,” Lynn’s manager said. I knew the manager was right as I had Tim check each of the help desk desktops the day before. No one else had those rights, not even the manager.

As I watched Lynn’s face, I said, “Well, Lynn, we noticed that the antivirus service was disabled on your old desktop, and that requires admin rights.” I paused and waited for a response. An awkward minute of silence passed. Lynn just looked at me blankly and calmly.

Finally, I said, “And 4 days after you were provided a new desktop, the antivirus service on that box was disabled. Do you have any idea why this happened on your old computer or your new computer?”

“It’s news to me,” Lynn said. “I just come in, do my job, and go home. I told you, I don’t have admin rights.”

“What can you tell me about these files,” I asked, handing her a paper listing of the hacking tools found on her computer.

“Nothing,” she said, as she ran her hand through her long, red hair. “Why?”

“We found some of them on your old computer and all of them on your new computer,” I said. “They’re hacking tools. The antivirus software would have eliminated them, but it was disabled. Both are a violation of security policy and could lead to dismissal,” I noted, raising the stakes. “Do you have anything to say?”

“No, I don’t,” she said, eyeing her manager for clues.

I turned to Sue and Dennis. “Do you two have any questions for Lynn?” Both shook their heads.

“Sue and Dennis will take it from here,” I said, as I rose and left the room.

Shortly afterward, they walked Lynn out the front door and out of the company. But I still had work to do.

See the conclusion in Internal Attacker Detected: Conclusion

4 responses to “Internal Attacker Detected: Part 3”

  1. spike

    Hi,
    This is a great series. Can’t wait for the conclusion!

  2. coffeeking

    Can’t wait for Part 4, it is due, please post!!!
