Where to from here

[ThunderForest]

Would appreciate your opinions and/or protocol on this subject. Thanks.

The Players:

Uncle Joe, Owner of corporate group
Nephew Bob, Network Administrator
Sam, CEO of one company in group
Alex, IT Manager

Sam calls Alex into his office and begins asking how his relationship is with Bob, e.g., do you get along well, what do you think of him, etc. Then Sam shows Alex an eMail that appears to have been sent by Bob, but carelessly sent to Sam instead of Joe. It read:

Joe

call me - i have info on Sam that I need to tell you.

I left a voice mail for you.

Bob

Bob has a previous history of "snooping". Bob knows the network well. Alex, although experienced and knowledgeable, has been there about five months.


Getting answers before I'm asked.
Providing answers if I can.

 

[ThunderForest]

By the way, Alex also analyzed the MIME header and concluded it was legitimate. What should Alex's role be in this issue?

Getting answers before I'm asked.
Providing answers if I can.

 

[brianinms]

Call someone in HR

 

[silverhairbp]

Write the letter to your successor.

 

[ThunderForest]

Wrong-o silverHair and thanks Brianinms. Should have added that HR was already involved. Bob was also confronted and claims the address was spoofed. Alex proved and documented otherwise. I would also think it would be best for Alex to stay out of things and let HR handle it. I guess what I was getting at was, as an IT manager who never experienced anything like this before, what proactive things should Alex be doing?

Getting answers before I'm asked.
Providing answers if I can.

 

[brianinms]

Alex should be doing nothing other then talking to HR or someone in risk management.

 

[ThunderForest]

Very good advice, and that is exactly what Alex is doing, although he was asked to contact the ISP where the MIME header said the eMail was sent from, asking them 1) to examine the header, 2) verify the authenticity of the eMail and 3) to verify if the account name was a valid account. He did that, but chose not send the header unless the ISP will do the verification.

Getting answers before I'm asked.
Providing answers if I can.

 

[ThunderForest]

New Players:

Gertrude, former IT Manager, one year ago. Consulted for company, but was dropped about one month ago.

George, former IT employee, and consults for company.

Since I brought this issue up, just thought I should let you know how it ended (or began). The events of life just never cease to amaze me.

George lives out of state. Bob and Alex found in various logs that an IP address traced to the local area was accessing George's email account via the web (https). We suspect Gertrude, who lives in the area, knew George's password. She was a disgruntled one, according to what Alex heard, and also had a very strong dislike for Bob. With approval, Alex and Bob submitted a complaint via fbi.gov, internet crime. To them it was fraudulent, and like breaking and entering, or even like robbing a bank, although there doesn't seem to be any damage. Gertrude's name was not mentioned, just the IP address. George was contacted (no, not by eMail) and instructed to change his password immediately. Alex and Bob believe Gertrude probably knows more passwords, so they have their work cut out for them. Alex and Bob think Gertrude is very, very..... well, there's a moral here somewhere.


Getting answers before I'm asked.
Providing answers if I can.

 

[brianinms]

Sounds like management is lacking at this place. I would be looking for a new job if this is how they run things.