
Consultant Ethics 4

Status
Not open for further replies.

shannonlapekas

IS-IT--Management
Oct 23, 2002
28
US
My company grew into the need for an IT person. They currently have three businesses with vastly different IT needs. As they grew they kept doing business with this company which handled both IT and Electric work. They used this company to do the IT and electric work at the two new businesses as they were put in place. Because of the extremely poor quality of work that was performed the owner of my company withheld funds for the last month of work in the hopes that they would complete the unfinished work.

This company then stopped work on the site and has refused to finish the work. They put a lien on us and we sued them. So as you can see it has gotten very ugly. I was hired during this mess and am now trying to clean up a network that hasn't been patched or had virus definition updates in 6 months. I am also trying to build a new network that is a fiber connecting WAN across the three sites with three separate AD's and 1 Exchange Server. So as you can imagine I have been busy.

At the last meeting with this consulting company I found out that they claimed that they could still get into our network. This really surprised me because their accounts had been removed and the administrator accounts passwords had been changed. I discovered that they somehow got into the network and had put a user called adtree into the AD and had been getting in through that log in. I believe that since the stepdaughter of one of the consultants works at one of the locations and has access to the servers and the passwords that she provided this log in.

I feel very violated that they have been in my network without my knowledge. Is there any legal ground that we have to stand on to prevent a consultant that has not been given permission to a network to enter it? I don't want to do anything about past violations but I want to prevent them from coming into the network again.
 
That's a nasty situation, although more of a security situation than an ethical one.

The consultants should not be on your network, it is illegal without permission.

I would turn on auditing, lock down users to the lowest security possible (while allowing them to do their work), check all incoming and outgoing connections, check the firewall configuration and have all the machines patched (perhaps Microsoft SUS if you have a lot of machines).

If any accounts are created without your permission in future you can check the logs to find out who logged in etc and take it from there. You will probably want to let them know that if they do try/succeed in gaining access to your network in the future that they will be prosecuted.

Russell.
 
I believe that since the stepdaughter of one of the consultants works at one of the locations and has access to the servers and the passwords that she provided this log in.

You suspect that this is an "inside job". Does your company have an internal IT policy? It may help to make the stepdaughter aware of the policy and also that you have increased the auditing. If she is involved, the changes will be communicated to the consultant company.

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
This would be moving into an ethical area, but if your company has a clearly delineated electronic communication policy that allows it, then start reading her emails. Or at least scanning them and reading anything that mentions the consulting company or its employees.

"Well, once again my friend, we find that science is a two headed beast. One head is nice, it gives us aspirin and other modern conveniences,...but the other head of science is BAD! Oh, beware the other head of science, Arthur; it bites!!" - The Tick
 
The best way to make her and everyone else aware of the policy is to fire her! If I was involved in a lawsuit with a computer company that had been conducting "shady" practices at my office, and one of my employees was giving them access to my network (what else did she give them?), there is no way that employee would be allowed to stay. I would probably even investigate pressing charges against that employee.




Hope This Helps!

Ecobb

"My work is a game, a very serious game." - M.C. Escher
 
shannonlapekas only said that they 'believed' this stepdaughter had provided access, not that they had proof/evidence. To fire them on a belief might prove...counterproductive.
 
So could letting her stay...

Hope This Helps!

Ecobb

"My work is a game, a very serious game." - M.C. Escher
 
Oh dear...having had a long discussion with the CEO of an Investment Bank where I was trying to convince him that starting with the presumption that every single one of his employees was an untrustworthy, devious, criminal ne'er-do-well whose sole goal was to be the next subject of global "hacker cracks bank wide open" press stories probably wouldn't help with staff morale or efficiency of IT systems, I have to say that I'd more likely suspect that the consultants put in the ADTree account themselves some time ago. But that's probably just me.
 
The business is a retail facility so the users have access to the servers and passwords. They do not have their own user names and passwords because the terminals are used as cash registers that are accessed by many users. I do know for a fact that the account was added to the AD on May 15th (it was in the security log) and the consultants were fired in February so it was added after they had been asked to stay out of the network. The stepdaughter will be leaving the company at the end of the summer because she is going to U of M. She is a nice kid and I have no proof that she has done anything wrong so it would be difficult to try to get her fired.
 
<aside from the ethical to the technical>
In addition to the question, "What login did the consultants use to get into your network?" is "How are they connecting to your network in order to use that login?"

If they can get to your network across the open internet, you have some serious firewall issues.

If they have set up some kind of VPN, then it needs to be broken.

If they have a mole in your organization, that mole needs to be neutralized.
</aside>






Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Mole? Neutralized?!

What kind of contractor are we talking about here?

There are all kinds of possibilities here, but tech issues aside I think you have to make a decision to try and prosecute (criminal) or not, which means you've got to convince the local prosecuting attorney he can present a winning case.
 
OhioBill:
<facetious>
"neutralize" does not necessarily mean "kill". It could also mean "terminate"....as in to "end the employment of"
</facetious>

As a general rule, the most dangerous type of threat to an IT infrastructure is an insider. You can't ("shouldn't" I suppose is a better word) lock out your users, as they have legitimate purposes for the system.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Have you tried gathering evidence on the member of staff in question? Were they working on May 15th?

Have you tried logging her e-mails? I know I have previously had staff that have leaked sensitive information using e-mail and not covered their tracks!

Have you let members of staff know the situation? If she believes you are following her footsteps this may prevent the distribution of any more info.

What about telephone bills? Can you track all contact with the consultancy firm?
 
You've already had evidence of an intruder. I would review every account and change every password. I would also let the staff know why this is happening. If you can rent an intrusion detection box, it might be of some help.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
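
The account review suggested above, combined with the earlier advice to check the logs for accounts created without permission, as an added example that is not part of the original thread: it lists every AD user created after a cutoff date and pairs each with the "user account created" security event to show which login created it. The `$Since` cutoff, the `$DomainController` parameter and the use of the ActiveDirectory PowerShell module are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module,
# "Audit User Account Management" enabled, and read access to the Security log.
param(
    # Placeholder: the date the outside party's access was supposed to end.
    [Parameter(Mandatory)] [datetime] $Since,
    [string] $DomainController = $env:COMPUTERNAME
)
Import-Module ActiveDirectory

# 1. Every user object created after the cutoff, read from the directory itself.
$newAccounts = Get-ADUser -Filter 'whenCreated -ge $Since' -Server $DomainController `
    -Properties whenCreated, LastLogonDate, MemberOf

# 2. "A user account was created" events (4720) since the cutoff. These are logged
#    only on the DC that handled the change, so repeat per domain controller.
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = $Since }
$created = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            NewAccount  = $data['TargetUserName']
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }

# 3. Join the two views: who created each new account, and what it can reach.
$newAccounts | Sort-Object whenCreated | ForEach-Object {
    $acct = $_
    $evt  = $created | Where-Object { $_.NewAccount -eq $acct.SamAccountName } |
        Select-Object -First 1
    [pscustomobject]@{
        Account     = $acct.SamAccountName
        WhenCreated = $acct.whenCreated
        Enabled     = $acct.Enabled
        LastLogon   = $acct.LastLogonDate
        CreatedBy   = if ($evt) { $evt.CreatedBy } else { 'no 4720 event (log rolled over?)' }
        Groups      = ($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Windows 2000 and Server 2003 domain controllers record the same event as ID 624 in the classic Security log. Where logins are shared between staff, the `CreatedBy` column identifies the login used, not the person.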
 
Hmmm

First be professional. Any termination action on an employee has to have evidence. (But you can re-assign them or have them work on a "project")

The suit / counter suit is a very dangerous territory. Proceed carefully, and only with legal advice.

Some things that may happen...
- Your data (including email, and including backups) may be seized in search of incriminating evidence. If you have backup policies and procedures, these P&P may be used as guidelines on tactics will proceed.
- You can do the same to them. Their data, their email, their backups can be scanned for incriminating evidence.
- Data on servers, PC's etc belongs to the company. It is a really good idea to have P&P in advising users of this, and have them sign off in acknowledgement. Although I am sure laws will have regional differences, I suspect this is a fairly standard approach.
- Certain products allow you to remote control a PC, or view activity, or record keystrokes. These utilities can be used for support (remote install of patches), or monitoring. They would be akin to having security cameras above the cash register and in the key locations - security is security.

At the very least, this issue should be a lesson learned on security, policies and procedures. Like "why do I have to backup?", this type of issue seems to only occur to the other guy / gal until you get bit.

Before signing off.
As stated, this is nasty and could get worse. Make sure you seek legal advice before and during any action.
 
Just a thought from the paranoid....


Has anyone considered that there may be a logic bomb implanted somewhere?

Whilst I accept that this scenario is most unlikely, can you be sure? It is entirely unethical and illegal for any consultant to do such a thing, but is there a legitimate reason for having a backdoor?

At this time, it may be worth setting some logging and session recording as willir suggested. Maybe by seeing what they are doing, you can protect your network better.



Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
At the last meeting with this consulting company I found out that they claimed that they could still get into our network. This really surprised me because their accounts had been removed and the administrator accounts passwords had been changed.

I hope you have witnesses and have documented this. This seems to me to smack of unprofessional and probably illegal activity. Does it not contravene your contract with them? I don't think it would look good to a court.

I agree the "how", possibly the step daughter, should be moved to a position where she is harmless, just in case. But the very fact that they have/had access via an unauthorised route is surely condemnatory.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
It's definitely illegal in the US (it's how Kevin Mitnick was prosecuted). The trick is acquiring proof that will stand up in court.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
At the last meeting with this consulting company I found out that they claimed that they could still get into our network. This really surprised me because their accounts had been removed and the administrator accounts passwords had been changed.

The consulting company, in delivering the above message to you, can be seen as threatening your network. They were saying "look what we can do to you anytime we feel like it". It sounds like it may be time to [shudder] involve the lawyers [collective gasp]. They have the experience and expertise to advise you of your options, legally, and also of the ramifications to the consultants.


JerryReeve
Communications Systems Int'l
com-sys.com
 