
Security Prevention 4

Status
Not open for further replies.

shannonlapekas

IS-IT--Management
Oct 23, 2002
28
US
Can anyone please recommend how I should handle a security breach in my network?

I had two consultants that were terminated. They brought all three of my networks up and so they are intimately familiar with the system. I found that they had added a user to the AD that they had given Domain Admin rights to and were logging into my servers after hours. I have deleted the user account, any account that they had been using, and changed the admin account's password.

Is there anything else I can do to prevent them from entering my network without my permission?

 
The problem is that if you've fired them, and they built your network, and they left this backdoor open, then ask yourself what other doors they have left for themselves.

I would audit every user account (and I am not talking just Windows, I am talking your routers, switches, firewalls, even your print servers) and make sure that no accounts exist that shouldn't, and that none have elevated privileges (i.e. dial-in permissions).

Change every password in the entire network both user and admin accounts (don't forget the services accounts).

Save your logs regularly, as these may be needed as evidence if these guys get cute.

Educate your users about the risks of divulging info to these guys.

Good luck,
Iain
 
If you find a hole, leave it open, monitor it, trace the access back to them and sue the bastards.
 
Hmmm, I like your thinking, but I would just hand them over to the cops. Perhaps, if you have time, leave a honey pot for them, not the actual network. A bit safer than exposing critical data to them.

Iain
 
Are they hired from a reputable consulting company, or are they their own company? If you went to a consulting firm and they were hired to do the work for you, then I would go back to the firm with this information and any log files/evidence. As well, I would go through every device and ID; odds are there's more than one back door.
Good luck.
 
You'd definitely want to, number one, throw up secure machines; there's no telling what was installed on the machine (the extent of a backdoor). If you plan on going to court, be advised you would want to leave the machines as untouched after the incident as possible. The reasoning would be that any lawyer can counter that the machine was tampered with after the so-called attack, thereby undermining any possible log records, checksums, etc.

If damage was done financially, for one, you would want to contact the FBI or so, in efforts to make them pay for the actions. Doing so though, you should be advised you would need to dish over the machines so they could investigate.

Essentially though, you shouldn't (at least I wouldn't) have those machines running, and if you do, find a mechanism to log information on the machine.

sil
 
The FBI doesn't get involved (usually) unless the damages exceed $250,000.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 

Just some off the top of my head...some are repeats. Not a fun position to be in.

Change all passwords on networks especially service accounts. This includes all users!!!

Audit all accounts in privileged groups and remove those accounts not necessary.

Confirm FWs are set correctly and deny all that is not business necessary. Confirm FW logs are stored and archived. Make sure someone looks at them!

Confirm auditing is set on all machines, especially servers. Make especially sure you have logins, password changes, etc. Archive event logs as necessary. Confirm a password change policy has been introduced (every 90 days or ?).

Confirm that all equipment has been returned that previous employees had received.

Conduct a vulnerability assessment of all critical servers to help look for known vulnerabilities and backdoors. May also want to check workstations for ftp, web, sql, etc. while you are at it :)

Audit remote access accounts.

Confirm no modems on network...no need to make it easy to get in.

Confirm previous employees have no ability to gain entrance to premises. Confirm physical security is in order, including access logs, cams, etc.

Image their hard drives and run forensics on them to look for anything suspicious. Do not run anything on the original. Secure the hard drives.

Hope this helps.



 
Regarding the FBI...

The FBI cannot investigate all intrusions that occur on the network. Normally it has to be a significant amount before they would investigate it; it's a matter of manpower. This used to be a certain dollar amount, though I'm sure exceptions have been made in the past.

Depending upon the type of corporation, if an intrusion occurs you may be under obligation to report it to the appropriate agency.

Don't disregard police departments. If you have not introduced yourselves to them then maybe you should. Some police departments have computer crime labs or computer investigators. A lot of departments do farm it out to the FBI and whatnot.

If you do internal investigations, I would suggest attempting to join the High Technology Crime Investigation Association, as it is a mixture of fed, police, and private industry. Mainly a forensics group, but they have good information sharing.

Just my $.02...
 
An additional note to the ones posted above, for they are all good ideas. There may also be a file or files that can be called at specific times that create accounts, create backdoors, and so on. I suggest a complete baseline of all systems and identify any unusual or unidentified files. Also, logging/auditing is very important.

Just a couple of cents in the pot.



Blue Dragon

If I wasn't Blue, I would just be a Dragon...
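The baseline suggested in the post above (hash every file from a known-good state, then diff later to spot unusual or unidentified files) is easy to script. This is an added example, not code from the thread or from any poster; it runs against a temporary directory of constructed files so it works offline, and the directory names and file contents are constructed stand-ins for real system and scheduled-task locations.

```python
"""Baseline and compare file hashes to spot added, removed or changed files.

Added example, not from the thread. It works on a temporary directory of
constructed files so it runs offline; on a real system you would baseline
system directories and scheduled-task/startup locations from a known-good
state and keep the baseline file off the box so it cannot be edited.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed walkthrough: baseline, simulate tampering, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "svc.exe").write_bytes(b"constructed original binary")
        (root / "system32" / "config.ini").write_text("timeout=30\n")
        (root / "Tasks").mkdir()

        baseline = build_baseline(root)
        # Round-trip through JSON, as a saved baseline would be.
        baseline = json.loads(json.dumps(baseline))

        # Simulated changes: altered binary, new scheduled-task file, removed config.
        (root / "system32" / "svc.exe").write_bytes(b"constructed modified binary")
        (root / "Tasks" / "At1.job").write_bytes(b"constructed task file")
        (root / "system32" / "config.ini").unlink()

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `demo()` to see the three categories reported; in practice you would call `build_baseline` once per host immediately after a clean rebuild, store the JSON somewhere the administrators being investigated never had access to, and re-run `compare_baseline` on a schedule.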
 
Hi all,

Maybe you can visit; there are a lot of security documents and tools for learning how to implement network security. I would recommend you take into consideration doing a perimeter test to find security flaws.
 
Do you have log records from when they were onsite? You might want to go look through those to see what they were up to, what other systems they touched, etc.
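Two suggestions in this thread lend themselves to the same script: the audit of privileged groups in the checklist post above (ending "Hope this helps"), and the suggestion just above to go back through the log records to see what the former consultants were doing. This is an added example, not code from the thread or from any poster. The group listing is constructed in the shape of `net group "Domain Admins" /domain` output, the logon records are a constructed, simplified export of Windows Security logon events (event ID 4624), and the approved-admin list and business hours are assumptions.

```python
"""Review privileged-group membership and logon records after an insider incident.

Added example, not code from the thread. The group export and logon records
are constructed sample data; real input would come from your own exports.
"""
from datetime import datetime, time

# Assumption: the privileged accounts that are supposed to exist.
APPROVED_ADMINS = {"administrator", "shannon.l"}

# Constructed: trimmed output of `net group "Domain Admins" /domain`.
GROUP_EXPORT = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            shannon.l                svc_backup
The command completed successfully.
"""

# Constructed: simplified logon export (event ID 4624).
# Fields: timestamp, account, logon type (10 = remote interactive), source host.
LOGON_EVENTS = [
    "2002-10-20 14:02:11,shannon.l,10,WKS-IT01",
    "2002-10-21 02:17:45,svc_backup,10,UNKNOWN-PC",
    "2002-10-21 03:05:02,Administrator,10,UNKNOWN-PC",
    "2002-10-22 09:30:00,Administrator,2,DC01",
]

# Assumption: normal working hours for this site.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_group_members(export: str) -> set[str]:
    """Return the member names from a `net group` listing, case-folded."""
    members = set()
    in_members = False
    for line in export.splitlines():
        if line.startswith("---"):
            in_members = True          # member names follow the dashed rule
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.update(name.lower() for name in line.split())
    return members


def unexpected_members(export: str, approved: set[str]) -> set[str]:
    """Privileged accounts that nobody signed off on."""
    return parse_group_members(export) - {a.lower() for a in approved}


def parse_logon(record: str) -> dict:
    ts, account, logon_type, host = record.split(",")
    return {
        "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "account": account.lower(),
        "type": int(logon_type),
        "host": host,
    }


def after_hours_privileged_logons(records: list[str], privileged: set[str]) -> list[dict]:
    """Logons by privileged accounts outside business hours, oldest first."""
    hits = []
    for rec in records:
        ev = parse_logon(rec)
        if ev["account"] not in privileged:
            continue
        t = ev["when"].time()
        if t < BUSINESS_START or t > BUSINESS_END:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    admins = parse_group_members(GROUP_EXPORT)
    print("Unapproved Domain Admins:", unexpected_members(GROUP_EXPORT, APPROVED_ADMINS))
    for ev in after_hours_privileged_logons(LOGON_EVENTS, admins):
        print(f"{ev['when']} {ev['account']} type={ev['type']} from {ev['host']}")
```

Feed it your own exports and it does two things the thread asks for: it names every member of a privileged group that is not on your approved list, and it pulls out the after-hours logons by privileged accounts so you can see which hosts were reached and when. Anything it flags should be checked against the archived logs before the account is removed, since those records are the evidence the thread keeps coming back to.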
 
segment -

I know because of an incident at a previous employer. One of the first questions the agent asked was an estimate of the financial loss. But this may be something that varies between FBI field offices and maybe with their workload. The one that Sil was involved with may be more willing to investigate smaller crimes.

BTW, Sil needed a better lawyer. If the feds call, first words out of anyone's mouth should be: "Let me consult with my attorney and I'll call you back".

shannonlapekas -
Another thing to think about is the possibility of never finding all the backdoors that might have been installed. If you have a regular schedule of reinstalling the OS after a certain period of time, you might want to speed up that process.

Chip H.


 