RE: Boot floppy

From: Sat Jagat Singh (flyingdervish@yahoo.com)
Date: Fri Apr 13 2007 - 12:28:53 EDT


Opening a conversation with the user and his
supervisor need not be from the standpoint of making
an accusation or suggesting suspicion. It should be a
simple matter of policy that the IT department manages
company owned machines. If the machine is not under
IT control and is not configured in a standard way
then you cannot verify that it complies with company
policies concerning the installation of antivirus
software, licensing of applications and may present a
security risk to the organizational network. He may
say, "Trust me, it is secured." But then he is asking
you to trust every other user in the organization and
make him an exception to organizational policy; a bad
practice for anyone.

Another tactic would be to simply audit his access to
potentially sensitive data stored on servers. Boot a
LiveCD running Snort on a different system and log all
of his access to systems or IP addresses to which he
shouldn't have access. With these steps you are
establishing whether he is making inappropriate access
attempts. By breaking into his machine, you may only
establish that he has sensitive data for which he may
have authorization.

You're approaching the problem from the completely
wrong angle and it stinks of potentially illegal
activity on your own part.

--- Mifa <mifa@stangercorp.com> wrote:

> Thanks for the info. Backups are not done on a
> machine that's off our network. I cannot access my
> admin privileges because the machine is not on a
> domain and is not simply locked with Windows.
> Further, the admin account is disabled/missing; to
> be honest I'm not sure how. I had hoped to do a
> quick reboot from a floppy because it's fast.
>
> We suspect that we have someone who is sending
> company job files to another company. If so, this
> would make the second person doing such. One of our
> employees left this company to start another company
> and he had friends. We dare not point out anyone
> without proof or fire anyone without knowing we have
> the correct person; especially when this person has
> been with the company most of its existence. To get
> that proof I think the hardware key logger would be a
> good option to get the password etc. then log in, but
> not any good for the longer term. Also, we are
> keeping a copy of all emails. The other option is
> to disclose our suspicions and have him turn in the
> computer the next time he comes into the office;
> which we will do if we must. Being a small company
> based on trust it's the last option short of firing,
> which the owner will not do without proof. Now you
> see the sensitive dilemma here. We do have every
> right and policy, but....


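The auditing approach in the reply above (watch the workstation's traffic from a separate monitoring box running Snort, and log its connections to servers it has no business reaching) can be put together with a single rule plus a small script that reads the resulting alert file. The code below is an added example, not anything posted in this thread. It assumes Snort 2.x rule syntax and its alert_fast output format, and that the monitoring box sees the workstation's traffic (for instance on a switch span port); the workstation address, server network, authorized server and every sample alert line are constructed for the demonstration.

```python
"""Audit one workstation's access to servers it is not authorized to reach.

Added example, not code from the original thread. It assumes Snort 2.x
rule syntax and its "alert_fast" output format; every host, network, rule
message and alert line below is constructed for the demonstration.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed (hypothetical) values: the audited workstation, the server
# network the monitoring box can see, and the one server he is authorized
# to use. Everything else on the server network is off-limits to him.
AUDITED_HOST = "192.0.2.50"
SERVER_NET = "192.0.2.0/27"
AUTHORIZED_SERVERS = {"192.0.2.10"}


def snort_rule(audited_host, server_net, sid=1000001):
    """Build a Snort 2.x rule that alerts once per TCP connection attempt
    (SYN only, so refused connections are recorded too) from the audited
    host to anything on the server network.

    The rule is deliberately broad: it records legitimate and illegitimate
    sessions alike, so the log also shows his normal pattern as context.
    Whether a destination was authorized is decided later, in the report."""
    return (f"alert tcp {audited_host} any -> {server_net} any "
            f'(msg:"Audited host opened TCP session to server net"; '
            f"flags:S; sid:{sid}; rev:1;)")


# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification/priority fields, {proto}, src:port -> dst:port.
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alert file, as the rule above would write it. It mixes
# authorized traffic, traffic from another host, and one malformed line.
SAMPLE_ALERTS = [
    "04/13-09:02:11.104522  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49310 -> 192.0.2.10:445",
    "04/13-09:05:40.220931  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49322 -> 192.0.2.20:445",
    "04/13-09:05:41.003114  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49323 -> 192.0.2.20:445",
    "04/13-09:07:02.551200  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49330 -> 192.0.2.21:1433",
    "04/13-09:08:15.778001  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.51:50001 -> 192.0.2.20:445",
    "this line is not a Snort alert and must be skipped",
    "04/13-09:11:59.312870  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49345 -> 192.0.2.20:445",
    "04/13-09:12:30.019442  [**] [1:1000001:1] Audited host opened TCP session to server net [**] [Priority: 0] {TCP} 192.0.2.50:49350 -> 192.0.2.10:445",
]


def unauthorized_access(alert_lines, audited_host, authorized_servers):
    """Return a Counter {(dst_ip, dst_port): attempts} for sessions the
    audited host opened to servers outside its authorized set. Alerts from
    other sources and malformed lines are skipped; authorized destinations
    stay in the raw log as context but are not reported."""
    authorized = {ip_address(a) for a in authorized_servers}
    attempts = Counter()
    for line in alert_lines:
        m = FAST_ALERT.match(line.strip())
        if m is None or m["src"] != audited_host:
            continue
        dst = ip_address(m["dst"])
        if dst in authorized:
            continue
        attempts[(str(dst), int(m["dport"]))] += 1
    return attempts


def report(attempts):
    """Render the counter as text lines, most-contacted destination first."""
    rows = sorted(attempts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{dst}:{port}  {n} connection attempt(s)" for (dst, port), n in rows]


if __name__ == "__main__":
    print(snort_rule(AUDITED_HOST, SERVER_NET))
    for row in report(unauthorized_access(SAMPLE_ALERTS, AUDITED_HOST, AUTHORIZED_SERVERS)):
        print(row)
```

Matching on the SYN alone keeps the log to one line per connection attempt and, unlike a content match, records attempts the server refused, which is exactly what an "inappropriate access attempt" looks like from the wire. The report intentionally works only from the source address: it establishes which servers the workstation tried to reach without touching the machine itself, which is the point the reply makes about not breaking into it.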
------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:44 EDT