Re: Boot floppy

From: Packet Man (packetman@altsec.info)
Date: Sun Apr 15 2007 - 10:49:47 EDT


>> > > On 4/10/07, Mifa wrote:
>> > >> We have a user who takes a company computer home with them (no,
>> > >> it's not a laptop). We have a good reason to need to look at their files.

How I would approach this:

1. Daily gather all sensor data on the user, such as firewall/IPS logs, web
proxy logs, etc.

2. Through either a span port or passive network tap, I would capture every
packet this user sends and receives. Then, I would thoroughly analyze and
profile the traffic. This would accomplish two things: (A) the data would
reveal whether or not the user "may" be operating outside their normal duties,
and (B) the information retrieved would provide all the necessary clues for
social engineering.

3. If enough suspicion has been generated so far, the company should have
enough information to simply confiscate the PC for forensic analysis. Chances
are the PC is infected with spyware anyway, and that would be an excellent
excuse for Desktop Support to swap it out on the user's desk. Even if it's
not infected, the user could be told that the IPS and Firewall logs indicate
that the PC is infected. Give the user a fresh PC to work on (complete with
monitoring software installed) and tell them that their existing data will be
provided for them as soon as it is thoroughly scanned by IT Security to ensure
that none of the files are infected.

Alternative Step 3:

3. If the company IT policy explicitly states that (A) all company owned
computers are under the complete whim of the company AND (B) the user can have
no expectation of privacy AND (C) I get a signed authorization from
management, I would then proceed to compromise the host through email or
browser based exploits, the same way the majority of reckless users get
compromised. The exploit(s) would then gather the necessary data from the PC
and forward it for analysis.

Caveat: Even if a PC is proved to be transmitting information to an
unauthorized destination, that user could be completely innocent. Who knows,
maybe the former user who left the company for the competition had a login or
trojan on that user's PC and is siphoning data. Maybe they've just been
hacked. Just because a computer is doing "bad" things, it doesn't mean that
the "known" operator is responsible.

Remember... you're treading on the path of "best practices" and "rules of
evidence" here. All local, state, and federal laws must be followed to ensure
the integrity of the investigation and the evidence.

Lastly, good luck. In a perfect world management would care and everyone
would work together. Reality says that politics, rivalry, and budget will
combine to defeat even the most talented and honorable ITSec intentions.

Mark Stingley, IDHAFC
Senior Information Security Analyst
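Steps 1 and 2 above amount to building a baseline of what the user's machine normally does on the network and then looking for departures from it. The script below is an added example illustrating that profiling step and is not part of the original post. It works from a constructed, simplified proxy-log format (timestamp, client IP, method, URL, status, bytes sent) rather than any real product's log, builds a per-user baseline of destinations, hours of activity and upload sizes, and flags current-day requests that fall outside it. The log lines, hostnames, threshold and field layout are all assumptions made for the example.

```python
"""Baseline-and-deviation profile of one user's web-proxy traffic.

Added example, not code from the original post. Log format is assumed:
  <ISO timestamp> <client_ip> <method> <url> <status> <bytes_sent>
"""
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample "normal" traffic for the user over the baseline window.
BASELINE_LOG = """\
2007-04-02T09:12:01 10.1.5.23 GET http://intranet.example.local/home 200 512
2007-04-02T09:40:15 10.1.5.23 GET http://www.example-news.com/index.html 200 18233
2007-04-02T13:05:40 10.1.5.23 POST http://mail.example.local/send 200 2048
2007-04-03T10:02:09 10.1.5.23 GET http://intranet.example.local/reports 200 7400
2007-04-03T11:30:22 10.1.5.23 GET http://www.example-news.com/sports 200 15001
2007-04-04T14:11:53 10.1.5.23 POST http://mail.example.local/send 200 1800
"""

# Constructed sample for the day under review, including two late-night uploads.
TODAY_LOG = """\
2007-04-10T09:05:10 10.1.5.23 GET http://intranet.example.local/home 200 512
2007-04-10T23:41:02 10.1.5.23 POST http://upload.example-filehost.net/put 200 48213000
2007-04-10T23:44:37 10.1.5.23 POST http://upload.example-filehost.net/put 200 51004200
2007-04-10T10:15:00 10.1.5.23 GET http://www.example-news.com/index.html 200 18002
"""


def parse_line(line):
    """Split one log line into typed fields (hostname extracted from the URL)."""
    ts, ip, method, url, status, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "ip": ip,
        "method": method,
        "host": urlsplit(url).hostname,
        "status": int(status),
        "bytes": int(nbytes),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_profile(records):
    """Summarise what 'normal' looks like: destinations, active hours, largest upload."""
    uploads = [r["bytes"] for r in records if r["method"] == "POST"]
    return {
        "hosts": Counter(r["host"] for r in records),
        "hours": Counter(r["ts"].hour for r in records),
        "max_upload": max(uploads, default=0),
    }


def score_day(profile, records, upload_factor=10):
    """Flag each request that departs from the baseline, with the reasons why.

    A POST larger than upload_factor times the biggest baseline upload is treated
    as suspicious; if the baseline had no uploads at all, every POST is flagged.
    """
    findings = []
    for r in records:
        reasons = []
        if r["host"] not in profile["hosts"]:
            reasons.append("new destination")
        if r["ts"].hour not in profile["hours"]:
            reasons.append("unusual hour %02d:00" % r["ts"].hour)
        if r["method"] == "POST" and r["bytes"] > upload_factor * profile["max_upload"]:
            reasons.append("upload of %d bytes exceeds %dx baseline max (%d)"
                           % (r["bytes"], upload_factor, profile["max_upload"]))
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "host": r["host"],
                             "bytes": r["bytes"], "reasons": reasons})
    return findings


def summarize(findings):
    """Aggregate flagged requests per destination host: count, bytes, reason set."""
    by_host = {}
    for f in findings:
        entry = by_host.setdefault(f["host"], {"requests": 0, "bytes": 0, "reasons": set()})
        entry["requests"] += 1
        entry["bytes"] += f["bytes"]
        entry["reasons"].update(f["reasons"])
    return by_host


def run_example():
    profile = build_profile(parse_log(BASELINE_LOG))
    return summarize(score_day(profile, parse_log(TODAY_LOG)))


if __name__ == "__main__":
    for host, info in run_example().items():
        print(host, info["requests"], "requests,", info["bytes"], "bytes:",
              "; ".join(sorted(info["reasons"])))
```

On the constructed input, only the two late-night POSTs to the unknown file host are flagged (new destination, hour never seen in the baseline, and upload size far above anything seen before); the intranet and news requests match the profile and are silent. As the caveat in the post says, output like this points at a machine and a time window, not at a person: it is a reason to pull the box for forensics, not proof of who typed on it.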




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:44 EDT