We have a rogue user who knows more than she should. She can grant herself and other users the authority to access files that are supposed to be secured. Does anyone know how we can monitor her activity or go back and review what she has done? is there anything that we can do? We think she may be using a different User ID. There are several we believe she may be using and we have changed those passwords. She knows we're on to her and probably won't do anything for a while. In the past she has made the comment "if you knew what I was doing, you'd take it away from me." Does anyone have any suggestions?
TIPS & ADVICE|
Amen to the pen testing. Jeremy is right on the mark there. An internal security analysis would reveal whatever weakness this user is exploiting.
Also, I feel guilty just telling you to get a consultant and not offering any technical advice, so here it is.
Assuming your Layer 2 network is a Cisco or other SPAN compliant vendor this will likely reveal what they are doing:
Date Sent: 07 Nov 2005
I think we tend to forget the non technical solutions. The thing I would do is make sure that HR is on board with the fact that circumventing security is a fireable offense, then take the offending employee in to HR and ask her what she is doing, how she is doing it and why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot.
Overall, very good suggestions so far. Let me try to outline:
Date Sent: 07 Nov 2005
To this213, thank you for the good words regarding my post. Layer9, very good info -- I will be going to your site based on your posts. Bobkberg and all others, right on top of this as usual. To the person that suggested firing the "offender"... my experience has been that this is never as simple to do as it seems. To list just a few reasons:
Better the evil that you know? Eyes wide open.
I also agree, firing can be challenging. Especially if they have root/admin access -- if they wanted, they could do damage.
Also, as I said, you need to have corporate and maybe legal justification to do so (depends on your local laws). If not, it could be worse for the company legally.
And as TIMWATSON said, what if this rogue is close to someone in the C-suite? If the rogue activity is bad enough, it might be better to go to the top (CEO, president or legal) or outside law enforcement for guidance. Either way, it could be thin ice for the "good guys." There have been a couple of cases where the "good guy" was fired, arrested and/or sued for investigating a violation of law or policy (reported in SANS.org as I recall). Walk carefully and have important friends.
Date Sent: 08 Nov 2005
After all of this, still no info on what platform is involved, nor anything about what kind of business environment, nor any business policies might be in force.
In companies/agencies I've worked for in the past... hmmm... 20 years, this wouldn't be a problem. There was always someone with LEGAL liability who had sufficient authority. (Note that legal 'liability' is not necessarily the same as 'responsibility' in the business.) The individual with liability needs to be taking action just to keep his or her self out of jail.
But then again, maybe this is just a small office -- a privately run business and the network is run by the owner's nephew. A mix of Win95/98/2K on the desktop and a maybe even a Win2K Server. And everybody in the office is good pals with everyone else and always trying to one-up the others. Quite possibly nothing useful can be done since there is zero budget for any "security professional" and the nephew doesn't know even what Ethereal is, much less any tools that might be useful.
Knowing zero about the context of the problem, zero useful info can be given.
I must agree with most of the comments made regarding this matter. Not only do you have legal responsibilities regarding the breach of the other employee accounts, but if in some strange situation any malice occurs -- how to you find and hold the individual responsible? As an electronic cyber crime and fraud investigator, we always suggest that you protect your current investment which is your user integrity as well as the data contained on the system.
In large corporate systems, a user that is rogue can cause countless minor damage to data structure and other related matters and have it appear to be initiated by another user in this situation. This is a serious legal matter.
The other issue is you do not have any hard proof that this is occurring. In the event that you are wrong and you falsely accuse an employee, you have other serious legal problems.
My professional suggestion is the following:
Date Sent: 08 Nov 2005
Posted on behalf of DiegoDH:
I agree with Sidzilla that non-technical solutions must also be taken into account. One of these is to have proper policies and procedures in place. Another is to make frequent revisions of users existing in the systems and their level of access ("certifications of Users and Permissions"). These mitigate two different risks:
Regarding taking the offending employee to HR directly, be cautious -- you may need to provide evidence that she is the culprit of something illegal. Ask HR and legal departments first, and see what the company's internal policy says (if such policy does exist at all).
I hope I wasn't misunderstood. The post said that the user had definitely been accessing secured files and giving others access to the same. Firing is always a last resort and is always best done with caution. However, it was my impression that the evidence of the breach was already there. Oftentimes it is best to proceed with haste in a situation where security is an issue. A long drawn out investigation or an open confrontation seems to be the choice. If the employee is already identified and if the files she has altered the security rights to are already evident, it would seem the investigation is over. If the employee is confronted, the most important aspect of the scenario is the confession of HOW she was doing it -- to prevent future breaches. Firing would happen only if the information is not given up in an expedient manner. Hiring a network security specialist to find out what this employee already knows seems redundant.
Start your own discussion
Do you have a Windows security dilemma that needs quick attention? Talk about it in ITKE.
About the ITKnowledge Exchange
ITKnowledge Exchange is a place where IT pros can share ideas, expertise and get answers to their technical and strategic questions. It provides direct access between groups or individuals who are grappling with similar IT issues in a safe and seamless environment. Click to start participating today.
This was first published in November 2005