
Curious IT employee at my office!


00700070

Technical User
Oct 29, 2004
6
CA
Hi everyone,

I need help. I have good reasons to think that the IT employee at my office is "sniffing" around some confidential data on our network! He does that from the office, not through the firewall.

How can I catch this guy? Any suggestions? If I install some monitoring tool, I'm scared the IT employee will find it.

Any solutions are welcome!

Luc
Montreal
 
Tezzie said:
Having a honeypot is fraught with legal problems because you could be in trouble for encouraging a crime to take place (my thoughts)

I'm sorry to derail this topic slightly. Tezzie, that's not entirely true. The point of honeypots is that the attacker will attack it regardless of what it is. You aren't telling them, "hey, this is a honeypot, come attack it for me please, with a cherry on top." That's why they are called an attacker after all. I know of very few, if any, entrapment cases dealing with honeypots. Most have been with privacy issues.

----------------------------
"Security is like an onion" - Unknown
 
Honeypots do not fall under entrapment because you are dealing with corporate assets.

Company policy/ownership of these assets is normally pointed out, i.e. "I own these assets and if you use them you agree to my terms".

To say honeypots lead to entrapment is like parking your car in your driveway and when someone breaks into it they say "you made me break in because you left it in your driveway!"

Sorry for the rant, but misconceptions are as dangerous as misbehavior.
 
Last post from me on this, I promise. Unless we want to start a new topic to continue of course. I have heard conflicting information on this. One thing that I have heard that has been consistent so far suggested that businesses were "in the clear" so to speak so long as they followed a couple of things such as making attempts at bannering the honeypot. Government facilities on the other hand fell under the federal wiretapping act that is mentioned in that article.

----------------------------
"Security is like an onion" - Unknown
 
I'm glad you got some hard evidence against the person! Just make sure they can definitely link the machine to him/her and that it was on the network at some point. The forensics folks should be able to do that. At this point, if you now have the person on an HR violation, the person may be fired (assuming policies state such actions are not allowed). Prosecution is always a possibility but is a much harder road. Most of the time it is best just to either fire the person or interview them and ask them to resign effective immediately or risk litigation.

On a side note, if you haven't done so already, bag and tag the machine. Turn it off and store it in a locked location. Create a chain of custody just to be safe. Do not turn that machine on again; turn it over to the forensics folks so they can get a bit-by-bit image to use. Make them sign for it. While it is fresh in your mind, write down exactly what you did with the box when you logged on and exactly what you noticed. A digital picture of the machine (and devices) in its location might actually be useful if he was attempting to hide the usage of the machine. If he knows he is under investigation, don't let him near any computers. The day he leaves (worst case scenario), ask all users to change their passwords. Check all accounts. Get a game plan to change all service and application account passwords (this can be ugly!).

I hope all goes well! :)
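The evidence-handling steps in the post above (power off, bag and tag, keep a chain of custody, hand the box over for a bit-by-bit image) as an added Python example, not code from the original thread: a small chain-of-custody record that names both parties at every hand-over and pins the forensic image to its SHA-256 so any later copy can be checked against it. All actor names, the item ID and the sample image bytes are constructed for illustration.

```python
"""Chain-of-custody record for a seized machine and its forensic image.

Added example. Names, item IDs and the sample image bytes are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hash of the acquired image; it must match at every later verification."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    timestamp: str
    actor: str       # who holds the item after this step
    action: str      # seized / transferred / imaged / verified / VERIFY FAILED
    location: str    # where the item physically is after this step
    note: str = ""


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    image_sha256: Optional[str] = None          # set once forensics has imaged it
    entries: List[CustodyEntry] = field(default_factory=list)

    def log(self, actor: str, action: str, location: str, note: str = "",
            timestamp: Optional[str] = None) -> None:
        self.entries.append(
            CustodyEntry(timestamp or utc_now(), actor, action, location, note))

    def transfer(self, from_actor: str, to_actor: str, location: str,
                 note: str = "") -> None:
        """Hand-over: both parties are named so the receiver 'signs for it'."""
        self.log(to_actor, "transferred", location,
                 f"from {from_actor} to {to_actor}. {note}".strip())

    def record_image(self, image_bytes: bytes, actor: str) -> str:
        """Forensics takes the bit-by-bit image and pins its hash to the record."""
        self.image_sha256 = sha256_hex(image_bytes)
        self.log(actor, "imaged", self.entries[-1].location,
                 f"SHA-256 {self.image_sha256}")
        return self.image_sha256

    def verify_image(self, image_bytes: bytes, actor: str) -> bool:
        """Re-hash a working copy; a mismatch is logged and reported as failure."""
        ok = self.image_sha256 is not None and sha256_hex(image_bytes) == self.image_sha256
        self.log(actor, "verified" if ok else "VERIFY FAILED",
                 self.entries[-1].location)
        return ok

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def seize_machine(item_id: str, description: str, seized_by: str,
                  location: str) -> EvidenceRecord:
    """First custody entry: the box is powered off, bagged and locked away."""
    rec = EvidenceRecord(item_id, description)
    rec.log(seized_by, "seized", location, "powered off, bagged and tagged")
    return rec


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real one is the raw device dump.
    image = b"constructed sample disk image bytes" * 100
    rec = seize_machine("EV-001", "suspect desktop", "Luc", "locked cabinet")
    rec.transfer("Luc", "forensics", "forensics lab", "receiver signed")
    rec.record_image(image, "forensics")
    print(rec.verify_image(image, "forensics"))          # True
    print(rec.verify_image(image + b"x", "forensics"))   # False: copy altered
    print(rec.to_json())
```

Every action appends an entry rather than editing an earlier one, so the record reads as a timeline; the only mutable field is the image hash, and it is set once by whoever takes the image.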
 