Firewall Wizards mailing list archives

Re: Security Incident


From: Bennett Todd <bet () rahul net>
Date: Tue, 21 Mar 2000 16:46:27 -0500

2000-03-17-14:45:48 Robert Driscoll:
    Recently one of the offices in my company had a security
    break in on their internet router. The culprit signed onto the
    router for the office and reconfigured it.

Ick! No fun! A significant question you omitted: what was the nature
of the config change? Did it tighten security, weaken security,
improve service, worsen service, or what?

    From the logs we know where the ip address of the
    person that telnet'd into the router (unless of course it was
    spoofed). Through NSLOOKUP we were able to find out the owner of
    the source address, and as it happens that company recently hired
    an ex-employee of ours. I also found out that that ex-employee had
    the password for the router.

Double-ick. Positively time to get the company lawyer involved.

    The office manager is looking to see what means of prosecution we
    have available. My suggestion was the following:

    1) Log an incident report with CERT.
    2) Notify the network manager of the source address that we
       suspect their equipment was used for malicious purposes.
    3) The office manager is also looking to see if we should file a
       local police report.

    Any other suggestions?  Your thoughts are appreciated.

Make sure it really was malicious. E.g. if the employee in question
logged in to add some valuable border filtering, to help prevent
your systems from being used for DDoS attacks, then I'd just thank
them --- then change the password on the router.

If it was definitely malicious, then it reflects a problem in your
password management: you didn't successfully remove all that user's
access when they left. At highest priority you should be reviewing
all your security systems, and making sure all terminated employees'
access has been removed.

Prosecuting could be tricky; you'll have trouble introducing your
logs as evidence, unless they are handled in a tamper-resistant
fashion, and have been since before this incident. Then there's the
question of tracing the attack; someone trying to frame this
ex-employee could have broken into the machine you saw telnetting
in.

If you're sure the incident was malicious, then I'd let the
lawyer guide your actions. If the lawyer didn't have a specific
recommendation, then I'd ask their opinion about notifying the new
employer of what happened, to see how they respond. If they fire the
person then the incident is reasonably closed. If they don't, then
you might want to consider whether they should be included in your
response.

-Bennett
