Page 3 of 3 FirstFirst 123
Results 21 to 26 of 26

Thread: What would you do ?

  1. #21
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    zENGER:

    I was referring to everyone at the client site especially the client boss. I have a tendency to think out loud while troubleshooting. I write down everything when investigating security breaches. When asked "Why are you looking at that log"?, or "what is that data telling you"? I simply respond - nothing conclusive yet.

    Case in point. I once looked at a network with Trend Micros Office Scan installed on all the clients. At that time the office scan client used port 12345 to get it's updates from the local server. So I'm sniffing the traffic and say out loud "Wow - that looks like the NetBus Trojan". The client freaks, runs to his office and calls my boss stating that I found a big virus and he is going to cancel the contract with my company for failure to support.......

    Big issues, almost got fired. If I had waited until I gathered all the info, I wouldn't have even mentioned the traffic since, in this case, it was normal network traffic.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  2. #22
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I'll agree with that. I think it was a little bit of a misinterpretation of your initial statement. Goes to show a good rule for anything is don't speculate, investigate everything thuroughly and then provide a complete report. I took your initial response as saying don't tell the boss anything that he doesn't directly ask for, which I now see was just an error in my interpretation.

  3. #23
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    Normally you would want an "audit room" so people cannot see or hear what you are doing.

    A direct line telephone (beware of mobiles, a scanner can pick them up) and your own printer and somewhere secure to keep your documentation , or take it away with you.

    You need to clarify your "terms of reference" with your boss up front. The normal practice is that you do the investigation, report back to your boss, and your boss will then report to the client, with you present for detail if required. You must get a budget/timescale for the job as well, which would normally get approval by the client before you start.

    There is a need for quality assurance (and a$$ covering ) in that your boss will review your findings and discuss them with you. Once he is satisfied with your findings, he will go to the client..........that is his job after all? He may not be convinced, and want you to do more work.

    If you look at financial auditors you will see a clear structure and methodology. The audit staff do the work, the audit senior reviews this, the audit manager then reviews it and it finally goes to the audit partner, who reports to the client. I was once Commissaire of a Belgian company, and the auditors reported to me Of course a financial audit is more formal because there are statutory regulations involved.

    I believe that the general principles of performing a hacking investigation and a fraud investigation are identical (well at least your charge out rate goes up 4x! )

    OH, what I forgot to add to my last post is that trials of commercial versions of software tend to be fully featured, support network environments and are supported by the supplier.

  4. #24
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    You guys give me more info then I even hoped for

    I mean this in a good way.. it is good to read experiences of people who actually have been in the field as well ... and have more experience in the field of security audits.

    From what I'm reading the best practice and the way I'm gonna do this ... or as good as...

    -I'll have a meeting on neutral ground with the big guy from the firm that needs to be monitored ...
    -I need to find out why he doesn't trust his local IT-staff anymore and why he thinks there's a "port" open on his pc.
    -I'll talk him through the process of the audit (but not in too much details).
    -I'll report back to my boss and talk about the audit in detail and about the rendez vous with the big guy.
    -By then it will be time to do the actual audit ... This afternoon I heard the audit will probably be extended to a full security and network audit ...yippiee
    -I'll collect my findings ... I use my own laptop for collecting data and making the reports and always take it with me...nothing is left behind. (sometimes we use a laptop and put it on the network for a few days to collect info but this stays in a closed room with limited access if possible , also this practice is just for a network audit without the security part).
    -I report back to my boss with the necessary data and reports ...he then handles the rest with his "personal" friend.

    Anyone has anything to add ... I know it's not very detailed but you get the picture.

    Anyway many thanks to you guys for the perfect input and info.

    C.
    Back when I was a boy, we carved our own IC's out of wood.

  5. #25
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Do you think when you are finished you might consider taking the time to put together a tut on what tools you used and a generic form/presentation of the data for those parties interested? (myself included of course)

    Maybe even the steps involved in the process from the meeting to the synopsis... I would be interested in nihil putting together a tut as well as he is obviously experienced in this.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  6. #26
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Do you think when you are finished you might consider taking the time to put together a tut on what tools you used and a generic form/presentation of the data for those parties interested? (myself included of course)
    I might consider that ...yes

    If I can fit it in the schedule (if I have a schedule like today that would be ideal ).

    I'll try to make my report in that way I can use it as a Tutorial for AO.

    Then again I might just write it entirely different

    But it will be after the 13th of may though.

    C.
    Back when I was a boy, we carved our own IC's out of wood.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •