Consultant Ethics 4

[shannonlapekas]

My company grew into the need for an IT person. They currently have three businesses with vastly different IT needs. As they grew they kept doing business with this company which handled both IT and Electric work. They used this company to do the IT and electric work at the two new businesses as they were put in place. Because of the extremely poor quality of work that was performed the owner of my company withheld funds for the last month of work in the hopes that they would complete the unfinished work.

This company then stopped work on the site and has refused to finish the work. They put a lein on us and we sued them. So as you can see it has gotten very ugly. I was hired during this mess and am now trying to clean up a network that hasn't been patched or had virus definition updates in 6 months. I am also trying to build a new network that is a fiber connecting WAN across the three sites with three separate AD's and 1 Exchange Server. So as you can imagine I have been busy.

At the last meeting with this consulting company I found out that they claimed that they could still get into our network. This really surprised me because their accounts had been removed and the administrator accounts passwords had been changed. I discovered that they somehow got into the network and had put a user called adtree into the AD and had been getting in through that log in. I believe that since the stepdaughter of one of the consultants works at one of the locations and has access to the servers and the passwords that she provided this log in.

I feel very violated that they have been in my network without my knowledge. Is there any legal ground that we have to stand on to prevent a consultant that has not been given permission to a network to enter it? I don't want to do anything about past violations but I want to prevent them from coming into the network again.

 

[lionelhill]

.. if they told you they know they can, then it surely means they must have tried, and that would be decidedly dubious activity. If they haven't tried, then in saying they knew they could, they were lying, presumably with a view to intimidating you, which is also very dubious activity.

 

[Dimandja]

What kind of people are these? They tell you they can break in?! This is a terroristic threat. Husbands go to jail for less. Ask your local prosecutor.

 

[BabyJeffy]

What kind of people are these?

Unprofessional.

I must say that your use of "Husbands go to jail for less" was rather weird though. I can only assume it's a saying that doesn't translate well.

There is always the (very real) possibility that they had no real access to the system anyway and were just sounding off (to make you feel insecure - and to make them appear superior). I wouldn't bother with running to the Law just yet... a letter to the MD of the consulting company would probably be a better start.

Jeff

 

[shannonlapekas]

Just as a follow up to this discussion I found out how they were getting into the network. They had set up TS on the firebox under a deceptive name that made me think that it was there for the credit card company. Then they gave one of the guest accounts Domain Admin rights. They knew that only the accounting consultant used that account and it's password didn't get changed regularly. Thank you all for your suggestions and help with my problem.

 

[Dimandja]

Read "people go to jail for less". I can see the humor being lost.