Security breach within IT group - how best to combat?

By mbevington
I have a co-worker who is "extra curious" and has been caught breaking into other IT staff computers and running snooping programs on the network. The issue was brought to management, which wasn't interested in the problem.
Where would you start in dealing with this?
I was told I can't target any particular individual due to legal concerns. I have to do anything dept-wide or not at all.

I'm working on the switches - getting them hardened, but is that the right place to start?
This person was recently given the green light on deploying Snort at all our offices.
I don't have any experience with that tool - but having this person in charge of a system which monitors all the packets on the network gives me the creeps.
Can Snort be used as an eavesdropping tool? This person's hobby is stealing logons and passwords.
Encrypting all the data point to point on the routers won't do anything - so VPN and trunk everything?
I realize this is the perfect storm: a nightmare situation - and I want to protect my users.
Any experience in this matter (or anything similar) or ideas would be greatly appreciated.

Thanks for your input.

M

This conversation is currently closed to new comments.

3 total posts (Page 1 of 1)  

It might be a matter of perspective

by bryan_andersen In reply to Security breach within IT ...

M, I think it might be a matter of perspective. If your co-worker is part of your company's security group, this activity is within the bounds of their duties at times.

Since Snort is an Intrusion Detection Sensor (IDS), it sounds like he is part of your security team. These devices are put in place to detect all sorts of activity, from malware and virus activity to malicious intrusion attempts, and to prevent them. I assume you checked out snort.org.

As to your question on whether Snort can be used as an eavesdropping tool: that's kind of its purpose. Snort examines the data packet contents and compares them against a list of checks. However, encryption is actually one of the most effective ways of defeating an IDS sensor: since the contents of the packet are scrambled/encrypted, the IDS sensor is not able to inspect the traffic unless it's configured with the correct key for the encrypted traffic.

You mention that this person's hobby is stealing logons and passwords. This is really concerning; sometimes this activity can be performed to show compliance with the company's password complexity policy, and yes, your security group would perform such an evaluation. However, if this person is not part of the information security team, bring this issue to their attention; this type of activity can have very large implications if your company is under any type of state or federal regulation.

You also mention the concern was brought to management's attention. Which management: the department, or HR, IT Security or Compliance? Again, I am assuming some regulatory oversight.

I do commend you in hardening your switches, this is a great practice and every network admin should look for ways their switches can be compromised.

I hope this gives you some options.

Bryan
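The IDS behaviour Bryan describes, as an added example that is not from this thread or from Snort itself: a toy content matcher in the style of Snort rules, run over constructed packets in the clear, over the same packets under a stand-in cipher with no key at the sensor, and again with the sensor holding the key. Rules, sample traffic and the session key are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    dport: int
    content: bytes  # byte pattern the sensor looks for
    msg: str

# Constructed rules modelled on Snort content matching (not real Snort syntax).
RULES = [Rule(21, b"USER ", "cleartext FTP login in progress"),
         Rule(23, b"login:", "cleartext telnet login prompt")]

def keystream(key, seq, n):
    # Counter-mode style keystream from SHA-256: a stand-in for TLS/IPsec, not a real protocol.
    blocks = (hashlib.sha256(key + seq.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_all(packets, key):
    # Each packet gets its own keystream (keyed by sequence number), so no plaintext pattern survives.
    return [Packet(p.src, p.dst, p.dport, xor(p.payload, keystream(key, i, len(p.payload))))
            for i, p in enumerate(packets)]

def inspect(packets, rules, key=None):
    # Signature inspection. With the session key the sensor decrypts first, as a key-provisioned
    # IDS would; without it the sensor only sees ciphertext and no rule can match.
    alerts = []
    for i, p in enumerate(packets):
        data = xor(p.payload, keystream(key, i, len(p.payload))) if key else p.payload
        for r in rules:
            if p.dport == r.dport and r.content in data:
                alerts.append((r.msg, p.src, p.dst))  # message and endpoints only, never the payload
    return alerts

# Constructed sample traffic: one cleartext FTP login, one ordinary HTTP request.
SAMPLE = [Packet("10.0.0.5", "10.0.0.9", 21, b"USER alice\r\n"),
          Packet("10.0.0.5", "10.0.0.9", 80, b"GET / HTTP/1.1\r\n")]
KEY = b"constructed-32-byte-session-key!"  # placeholder session key, constructed for the example
```

`inspect(SAMPLE, RULES)` alerts on the FTP packet; `inspect(encrypt_all(SAMPLE, KEY), RULES)` returns nothing, and the alert only comes back when `KEY` is passed to the sensor.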


Crossroads

by mbevington In reply to It might be a matter of p ...

Thanks for your input.

I like your thoughts - any sane person would think the same thing (like me).

It galls me that a) this person isn't part of the security section and management has no interest in the subject, b) there is no regulatory oversight - until something goes wrong, at which point crap rolls downhill onto me, c) I'm stuck in the situation of being the only one who sees and understands the problem/implications - and will be the first one to get the blame once it blows up.

On one hand - I've alerted my higher-ups. If they don't care, should I?
On the other hand, I want to do what's right - but the cost to me is great. Say I take care of the problem: I'll a) get no thanks, b) be shot down for not solving it sooner, c) get in trouble for changing the system so much that no one else will know how it works anymore (everyone else is an entry-level tech, to keep costs at a minimum).
So I'm at a crossroads, and it's not easy choosing to spend the time and effort doing the right thing only to get hurt by doing it.
I'm a sucker, so I know that's what I'll do.

Does anyone know if you can program Snort to capture logons and passwords? I always assumed that with an open source packet sniffer this would be easier to do than with something like Cisco MARS - but I wouldn't know the module or add-on's name. If anyone knows this, it would be a major help, as I could be looking for it.

Thanks again,

-M


For network passwords

by seanferd In reply to Crossroads

I believe you can write a rule to do this.

Perhaps you should download & investigate Snort. Check in the forums, read up on the documentation.

If this tech is going to be using it, you should get on top of it. Be better at network security than him.

There are a lot of other open source tools available for everything under the sun. Check out other packet capture software (e.g., Wireshark), forensics suites, etc.

Don't be left behind by an apparently questionable character. Good luck, with the management style of that company, you may need it.
