Firewall Wizards mailing list archives
Re: Security Incident
From: Bennett Todd <bet () rahul net>
Date: Tue, 21 Mar 2000 16:46:27 -0500
2000-03-17-14:45:48 Robert Driscoll:
> Recently one of the offices in my company had a security break in on their internet router. The culprit signed onto the router for the office and reconfigured it.
Ick! No fun! A significant question you omitted: what was the nature of the config change? Did it tighten security, weaken security, improve service, worsen service, or what?
> From the logs we know the IP address of the person that telnet'd into the router (unless of course it was spoofed). Through NSLOOKUP we were able to find out the owner of the source address, and as it happens that company recently hired an ex-employee of ours. I also found out that that ex-employee had the password for the router.
Double-ick. Positively time to get the company lawyer involved.
> The office manager is looking to see what means of prosecution we have available. My suggestion was the following:
> 1) Log an incident report with CERT.
> 2) Notify the network manager of the source address that we suspect their equipment was used for malicious purposes.
> 3) The office manager is also looking to see if we should file a local police report.
> Any other suggestions? Your thoughts are appreciated.
Make sure it really was malicious. E.g. if the employee in question logged in to add some valuable border filtering, to help prevent your systems from being used for DDoS attacks, then I'd just thank them --- then change the password on the router.

If it was definitely malicious, then it reflects a problem in your password management: you didn't successfully remove all that user's access when they left. At highest priority you should be reviewing all your security systems, and making sure all terminated employees' access has been removed.

Prosecuting could be tricky; you'll have trouble introducing your logs as evidence, unless they are handled in a tamper-resistant fashion, and have been since before this incident. Then there's the question of tracing the attack; someone trying to frame this ex-employee could have broken into the machine you saw telnetting in.

If you're sure the incident was malicious, then I'd let the lawyer guide your actions. If the lawyer didn't have a specific recommendation, then I'd ask their opinion about notifying the new employer of what happened, to see how they respond. If they fire the person then the incident is reasonably closed. If they don't, then you might want to consider whether they should be included in your response.

-Bennett
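Bennett's point that logs only help as evidence if they were kept tamper-resistant before the incident can be illustrated with a keyed hash chain over log entries forwarded from the router to a separate collector. This is an added example, not code from the thread; the router log lines, the collector key and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample entries, in the spirit of the router telnet log the thread describes.
SAMPLE_ENTRIES = [
    "2000-03-17 02:14:03 router1 telnet login from 192.0.2.45 user=admin",
    "2000-03-17 02:14:51 router1 running-config changed by admin via vty0",
    "2000-03-17 02:16:10 router1 telnet session from 192.0.2.45 closed",
]
# Hypothetical secret held only on the log collector, never on the router itself.
COLLECTOR_KEY = b"example-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag used before the first record


def record_tag(prev_tag, entry, key):
    """Tag = HMAC-SHA256(key, previous tag || entry); binds each record to its predecessor."""
    return hmac.new(key, (prev_tag + "\n" + entry).encode(), hashlib.sha256).hexdigest()


def build_chain(entries, key=COLLECTOR_KEY):
    """Return a list of (entry, tag) records, each tag chained to the one before it."""
    chain = []
    prev_tag = GENESIS_TAG
    for entry in entries:
        tag = record_tag(prev_tag, entry, key)
        chain.append((entry, tag))
        prev_tag = tag
    return chain


def verify_chain(chain, key=COLLECTOR_KEY):
    """Return the index of the first record that fails to verify, or None if the chain is intact."""
    prev_tag = GENESIS_TAG
    for i, (entry, tag) in enumerate(chain):
        if not hmac.compare_digest(record_tag(prev_tag, entry, key), tag):
            return i
        prev_tag = tag
    return None


def tamper_demo():
    """Edit the source address in the login record after the fact; verification flags it."""
    chain = build_chain(SAMPLE_ENTRIES)
    entry, tag = chain[0]
    chain[0] = (entry.replace("192.0.2.45", "198.51.100.9"), tag)
    return verify_chain(chain)
```

Editing or deleting a record in the middle breaks every tag after it, but silently dropping the newest records does not, so the latest tag should also be written somewhere the router's operators cannot reach (a printout, a write-once medium, or a second host).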