PaulDotCom mailing list archives

Re: Controversial (maybe) question


From: Michael Dickey <lonervamp () gmail com>
Date: Mon, 27 May 2013 19:23:15 -0500

Check web filter logs if you have them. Also, start capturing all of his
network traffic if you can at the remote location as well. If you have a
local firewall product, those logs may be helpful as well. Check your
network firewall rules as well, depending on what rules you log you might
find some traffic there as well, especially if he attempts to do something
that isn't completely normal (like web browsing, basically).

I would try to hold off on deploying spyware/keylogging until last, simply
because if your endpoint controls bark about it, your game is likely going
to be up. And if he hasn't been doing anything wrong, you've probably just
created a disgruntled employee. It could even be possible he's an unwitting
accomplice. It's not unheard of in larger companies for someone to pose as
a remote sales guy and try to get data from an IT monkey due to "system
issues." (...salespeople...are special.)

Definitely get more details from the attorney. Rather than shotgunning your
attempts to catch him with his hands in the cookie jar, try to figure out
what sorts of things might be missing and/or how your attorney suspects
this. I'm going to guess this may have something to do with sales efforts
(not knowing your business at all), since it's pretty common for
sales-related people to take data or poach data if they can.

And start brushing up on disk image forensics!  :D


On Mon, May 27, 2013 at 11:30 AM, Brian Erdelyi <brian_erdelyi () yahoo com> wrote:

There are a lot of things you can do before getting invasive on the PC.
Software on the PC will likely set off alarms with AV.  I'd focus more on
native audit logging capabilities of the systems and data you want to be
monitoring.

I'd suggest:

1. Take a forensic image of the workstation (this is a point in time
snapshot and may provide insight into what he has been doing in the past).
 Internet history may be useful if you do not have a proxy server that logs
access.  It may also provide an indication if he has copied data to the PC.

2. Ensure NTFS permissions are set appropriately on sensitive resources
(applications, folders, etc).  Enable file level auditing to determine if
he accesses those files.

3.  Enable additional logging on the PC.  You may be able to log what
applications are being launched and if data is being copied to the PC.

4. Review outbound email for the user at the server.  Get a copy of their
mailbox to review.

5. Get a copy of their home directory.

6. PBX records to get a log of inbound and outbound calls.

7.  Review his access to confirm what he does and doesn't have access to.
(This can help frame the potential scope of exposure if you assume the
worst).

Sent from my iPhone
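Item 2 above (NTFS permissions plus file-level auditing) is the step most people skip, so here is an added example of how it looks on a Windows file server. This is not Brian's code or anything from the list; the folder path and account name are placeholders, and the property indexes follow the published schema of Security event 4663.

```powershell
# Added example: turn on NTFS file-access auditing for one account on one
# folder, then pull the resulting access events. Run elevated on the server.
$Folder = 'D:\Sensitive'   # placeholder: folder holding the documents of concern
$User   = 'CORP\jdoe'      # placeholder: the account under review

# 1. Enable the "File System" audit subcategory so SACL hits are recorded
#    (without this, the SACL below generates nothing).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry for that account covering read, write and delete,
#    inherited by subfolders and files.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $User,
            'ReadData,WriteData,Delete',
            'ContainerInherit,ObjectInherit',
            'None',
            'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Review: list 4663 (object access) events for that account from the last
#    24 hours, showing which file was touched and by which process.
#    Properties[1] = SubjectUserName, [6] = ObjectName, [11] = ProcessName
#    per the 4663 event schema.
$name = ($User -split '\\')[-1]
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddDays(-1)
    } |
    Where-Object { $_.Properties[1].Value -eq $name } |
    Select-Object TimeCreated,
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Keep the SACL scoped to the folders that matter, since auditing every read on a busy share floods the Security log; also note that a domain Advanced Audit Policy GPO will overwrite the local auditpol setting at the next refresh, so set it there if one applies.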

On May 25, 2013, at 11:26 PM, Dan Baxter <danthemanbaxter () gmail com>
wrote:

Okay, yesterday at work, I was asked if I could deploy some spyware to a
PC to determine what a particular user is doing.  The requestor was one of
our corporate attorneys, no less.

The concern is that this individual is possibly accessing sensitive
documents and getting them to a competitor.  I'm not at this location, so I
don't know the person, or the exact circumstances or requirements, yet.  I
have been told he's the "unofficial IT guy" for this location, so he may be
wary.

At present, we don't block access to USB drives.  We do block access to
cloud based storage (Dropbox, Copy, Skydrive, etc).

Ironically, this is the same atty that helped shoot down a DLP project I
was working on earlier this year.  I took gratification in pissing her off
by reminding her that this would be a perfect example of why we need one.

Anyway, assuming I get signoff from HR and our Ethics department (still
questionable), are there any suggestions of what I could deploy?  Also, I
realize some testing is going to need to be done to make sure it doesn't
set off alarms on his A/V.  Any other pitfalls I need to be aware of?

Thanks in advance.


Dan Baxter
-------------------------------------------------
Quis custodiet ipsos custodes?

"A sword never kills anybody; it is a tool in the killer's hands." - Lucius
Annaeus Seneca, c. 4 BC - 65 AD

_______________________________________________

Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
