Minutes later, one of the security techs met me at Lynn’s cube with a box that we quickly filled with the contents of her desk: files, CDs, DVDs, notedpads, books, etc. The other help desk analysts in adjacent cubes looked at us with silent questions on their faces.
I noticed that one of them was a new employee that had attended my security presentation in employee orientation last week, so he knew who I was. That meant rumors would spread quickly. While I never enjoyed walkouts, they reminded the staff that security incidents have consequences.
This is a multi-part series. See Internal Attacker Detected: Part 1, Internal Attacker Detected: Part 2, and Internal Attacker Detected: Part 3.
Others on my team had already imaged the old computer and had started imaging the new one across the network as soon as my meeting with Lynn began (by design, she was not told of the meeting beforehand). Both images would be sent off to the Forensics team.
Tim said, “Mack, like you suggested, I connected to her new PC over the network and searched her hard drive for the hacker tools–they’re back, plus a few new ones. And her antivirus is turned off again.”
This is a multi-part series. See Internal Attacker Detected: Part 1 and Internal Attacker Detected: Part 2.
After discussing my action plan with the CIO, Legal, and Human Resources, I met with the contractor’s manager, Sue, and explained the situation. Both the hacking tools and turning off a security service were serious violations of security policy. I had recommended the person be walked out and told her that the CIO, Legal, and HR agreed.
Two days later, I walked up to the well organized desk of Tim, the malware tech that told me about the hacking tools that he’d found on a contractor’s PC.
“Tim, did you find any bear paw in the trap we set?”
This is a multi-part series. See Internal Attacker Detected: Part 1.
Tim turned around, and I could immediately tell he was not happy. His jaw was tight, his hair was clumped, and his blurry eyes told that he had not been to bed in the past 24 hours.
A while back when I worked in IT security, an internal attacker popped up on our radar…
I answered the phone and heard a tech from the anti-malware team say, “I think we have a problem, Mack. Got some time to come down and see what I found?”
Remember the quote about the “attacker’s perspective?” No one identified the issue in the original quote, but I described it in my update in the original post. Check it out.
I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?