Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notepads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.
I noticed that one of them was a new employee who had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.
Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.
Reviewing the Evidence
After everything in the box from Lynn’s desk was cataloged, the security tech and I started reviewing it. The most interesting thing I noticed was the number of Linux distribution CDs she had, including Backtrack and Auditor (an older version that predated Backtrack). Those definitely weren’t required for her job, and as a contractor, when would she have time to play with them at work? And what targets would she use?
I checked the badge logs, which showed that Lynn had only entered and left the building at expected times. She’d never attempted to come in on a weekend or holiday. And she had never logged in remotely, even though she had the capability.
Nothing suspicious turned up in her files or other belongings, other than a number of UNIX books that she’d brought to work, even though she’d never touch a UNIX box in her position.
A day later, I was granted access to a copy of her email. Not much there: regular business items, and way too much personal stuff, which is usually the case. I frowned and thought that no matter how much you mention this in training and at other times throughout the year, people continue to trust their most intimate details to their hard disk, emails, internal chats, and web site comments, all of which either are considered company property or pass through the company network.
In the end, no evidence that Lynn did anything malicious was discovered, which was a relief. We probably caught her in time, but only by a fluke. What if we hadn’t refreshed her computer when we did?
I had already asked the malware team to file a report as to why they weren’t alerted that her antivirus service was disabled, and to determine how many other computers attached to the network had the same issue. Other types of alerts probably weren’t configured either, but I’ll have to tackle that later.
Lynn’s mailbox did contain one interesting item: an email containing a URL that granted administrative access to an internal system without any authentication, which also meant that the access couldn’t be traced back to an account or to any individual. A dangerous situation and a critical internal control problem.
The email had been sent by another help desk tech to all the techs, and Sue, the help desk manager, had been CC’d on it. She later told me that the URL had existed since the application was created (internally) and that’s how ALL administrative work was performed on that application.
I shook my head, trying to understand how a system that impacted the company’s financials remained under the covers this long, and no one had called it out, including the manager.
“It just never occurred to me,” Sue told me. “But now that you brought it to my attention, I’ll put in a request to have it changed.”
“Please make that a priority request, and I’ll talk to a couple people to ensure it gets the attention it needs,” I said. “Especially since the URL works from the Internet, right through the firewall.”
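To show why the URL in that email was an internal control problem and not just an inconvenience, here is an added illustration (not code from the application in the story, whose implementation is never shown): a minimal request handler in the shape the post describes, where the URL itself is the credential, beside a hardened version that requires a session, checks an admin role, and writes an audit record naming the actor. The session store, the admin role list, and the tokens are constructed for the example.

```python
"""Unauthenticated admin URL versus an authenticated, attributable one."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed session store: session token -> username. A real app would
# consult its own session backend or SSO provider here.
SESSIONS = {"tok-sue-1234": "sue", "tok-bob-5678": "bob"}
ADMINS = {"sue"}  # constructed role assignment


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None
    source_ip: str = "203.0.113.10"  # constructed, documentation range


@dataclass
class App:
    audit_log: List[dict] = field(default_factory=list)

    def admin_vulnerable(self, req: Request) -> Tuple[int, str]:
        """The pattern from the post: knowing the URL is enough. Any caller,
        internal or from the Internet, gets admin, and no record ties the
        action to a person."""
        return 200, "admin panel"

    def _audit(self, req: Request, actor: Optional[str], result: str) -> None:
        self.audit_log.append(
            {"actor": actor, "path": req.path, "ip": req.source_ip, "result": result}
        )

    def admin_hardened(self, req: Request) -> Tuple[int, str]:
        """Authenticate, authorize, then log who did what from where."""
        user = SESSIONS.get(req.session_token or "")
        if user is None:
            self._audit(req, None, "denied:unauthenticated")
            return 401, "authentication required"
        if user not in ADMINS:
            self._audit(req, user, "denied:not-admin")
            return 403, "forbidden"
        self._audit(req, user, "allowed")
        return 200, f"admin panel for {user}"
```

Every denied attempt is logged as well as every allowed one, so a request arriving from the Internet against the admin path becomes a detectable event rather than a silent success.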