General discussion

Locked

Restatement of Issue - Origin of Threat

By TekGeek052401 ·
I apologize for the cloudiness of the original problem.

THe client has a Windows 2000 Network with CAT5 cabling and (1) 12-Port Switch. They use a DSL for high speed Internet access, and at this time rely strictly on NAT through their router andBlack Ice Defender firewall software. We had previsouly disabled all prior net admin accounts, disabled annonymous acct and established a healthy auditing system.

last month we discovered 80 ports had been opened allowing access to and from network. Upon further investigation, we also discovered who ever opened the ports also deleted the security logs, and went so far as to disable the logs from auditing login/logoff info. One of the previous net admin accts had been reactivated. No fileaccess was obtained (to our knowledge) and no applications had been accessed (to our knowledge). No data had been manipulated, other than the security logs.

We have reason to suspect this may be an inside issue. Pervious admin's spouse still works at the firm and has access to bldg. Departure of Admin was less than stellar. I have requested bldg entry logs from alarm company, but found out the other day, cleaning staff comes in on Saturdays(the day of the breach) as well. The breach occured to our estiamtes around 9am, which to me is an odd time for an external hack. Unfortunately, the cleaning staff enters the bldg. between 7:30am and 8:30am. Every stone I turn turns up a dead end. I am trying to find away to determine whether or not this is an internal issue or external breach.

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Restatement of Issue - Origin of Threat

by cavedweller In reply to Restatement of Issue - Or ...

Here are a couple of ideas.

Put the server in a locked room. If you have already done this, change the lock.

For a few weeks, make it a point to monitor the system while the cleaners are in the building.

Expire your administrator's passwords immediately and set a short-lifetime/moderate complexity password policy for all users.

Review the group memberships of your users. Make sure they have the least permissions required to do their jobs.

Establish working hours (in user manager) and make sure you auto log them out after hours (except for a few key administrators).

Rename the administrator account. Change the password, seal it in an envelope, put it in a locked cabinet and forget it. Make sure the guest account hasn'tbeen modified or activated. Rename it too.

Set auditing properties in your ntconfig.pol so that they get reapplied.

Change the password on your firewall software. Review the administrator account list and make it as small as possible.

There is some chance that the spouse has gained the assistance of one of your administrators and obtained a password. Maybe someone keeps a password list on their desk or "hidden" in a known location. If you make it known that you are conducting an investigation you may be able to deter them from future assistance out of fear of being caught and fired.

Download, read and heed the NSA IT Security guides at http://nsa1.www.conxion.com/

Collapse -

Restatement of Issue - Origin of Threat

by TekGeek052401 In reply to Restatement of Issue - Or ...

The question was auto-closed by TechRepublic

Collapse -

Restatement of Issue - Origin of Threat

by Big Ray In reply to Restatement of Issue - Or ...

Cave Dweller has some good answers. What I would change of his is to see if the company would be willing to pay your security company to put key card access on the server room door. This adds an extra level of reporting that allows you to see who's card was used to enter the server room. You could also have a video camera installed in the server room.

Also make sure to change all the administrative passwords again.

Worst case is you pay to have the DSL providers issue static IP addresses and then for a user to get access to the system they have to give you an IP address and/or hardware address that you program into the system for the servers to respond to. This could be extremely time consuming and should be a last resort.

Collapse -

Restatement of Issue - Origin of Threat

by TekGeek052401 In reply to Restatement of Issue - Or ...

The question was auto-closed by TechRepublic

Collapse -

Restatement of Issue - Origin of Threat

by TekGeek052401 In reply to Restatement of Issue - Or ...

This question was auto closed due to inactivity

Back to Security Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums