Restatement of Issue – Origin of Threat
I apologize for the cloudiness of the original problem.
The client has a Windows 2000 network with CAT5 cabling and (1) 12-port switch. They use a DSL for high-speed Internet access, and at this time rely strictly on NAT through their router and Black Ice Defender firewall software. We had previously disabled all prior net admin accounts, disabled the anonymous acct and established a healthy auditing system.
Last month we discovered 80 ports had been opened allowing access to and from the network. Upon further investigation, we also discovered whoever opened the ports also deleted the security logs, and went so far as to disable the logs from auditing login/logoff info. One of the previous net admin accts had been reactivated. No file access was obtained (to our knowledge) and no applications had been accessed (to our knowledge). No data had been manipulated, other than the security logs.
We have reason to suspect this may be an inside issue. The previous admin's spouse still works at the firm and has access to the bldg. Departure of the admin was less than stellar. I have requested bldg entry logs from the alarm company, but found out the other day that cleaning staff come in on Saturdays (the day of the breach) as well. The breach occurred, by our estimates, around 9am, which to me is an odd time for an external hack. Unfortunately, the cleaning staff enters the bldg. between 7:30am and 8:30am. Every stone I turn turns up a dead end. I am trying to find a way to determine whether or not this is an internal issue or external breach.