This seems unlikely at best by the comment attached to the negative anti-points you assigned me, on this thread.
catch
P.S.
Out of curiosity, is there any way to know or detect an external keyboard logger....
catch,
I apologize, as I am just realizing what else and to whom else neg points were assigned on my behalf...
no worries...
just follow the cord back to the box, I think it is a safe bet that no TEMPEST techniques were used. ;)
catch
The external keyboard logger he used was an entire keyboard, similar in make to one I use; he didn't use the 3 inch external keyloggers that you attach to the keyboard....
anyways....sorry again,
LMFAO you got done by a 13 year old!!!!!!!!!!!!
Nightfalls_Girl
Doing an unauthorised audit of the systems can land you in trouble. If I were you I would take your boss out to lunch and have a talk with him about the security issues related to the systems. I would also work on getting him to allow you to do an audit of the systems, and possibly set up a standards document for putting up a server and minimising risk.
Beforehand it may be a good idea to collect some best practices documents (sans.org is a good place to find them) and some examples of attacks and statistics on how often they occur. Not only will you increase your knowledge of it all but it should help you prove your point a little bit better.
In the end if your boss decides against it there isn't much you can do....but I'd also try to have a document trail that at least you tried to do something about it. That way when things hit the fan you can cover your ass.
I think a good start (until you learn all you need to about security) would be to run a vulnerability scanner on it. If you have knowledge of linux, nessus is probably one of the best vulnerability scanners out there. If not, then you're going to pay a pretty penny for a windows based product. Several of them will give you trial periods which will be enough for you to do the job. Afterwards, they will either cease to function, or you shell out the $$ to continue using it.
GFI LANguard is a decent one that will do the job and is easy to use.
ISS security scanner also has a trial.
Retina has a short trial.
There are plenty of other useful tools for various platforms here. It's a hell of a learning experience playing with this stuff... so enjoy!
Show them an example... say, set up a box of your own and secure it as much as possible and then scan that. Then scan the other box. Show them the differences and also explain to them why security is so important. I'm really surprised that your manager doesn't know better and isn't the one enforcing the security.
Of course you will HAVE to have permission for all this. Make sure to get it in writing too... Everyone has offered some pretty good advice... but the number one to follow has to be Juridian. Cover your ass!
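The "scan your own hardened box, then scan the other one, and show the difference" approach suggested in the two posts above can be turned into a repeatable comparison. The script below is an added example and is not code from this thread or from any of the scanners named in it; it assumes the scanner can emit nmap's grepable (-oG) output format, and the two scan lines it parses are constructed sample data, not real results.

```python
"""Compare the open services of a hardened baseline host against another host.

Parses nmap's grepable (-oG) output and reports which open services the second
host exposes that the baseline does not. The SAMPLE_SCAN text below is a
constructed example of that format (two hosts on documentation addresses).
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: a hardened box with only SSH and HTTPS exposed, and a
# box stood up with no firewall. Fields in -oG output are tab separated.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (hardened.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.20 (newbox.example)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (993)
# Nmap done (constructed sample)
"""

Service = Tuple[int, str, str]  # (port, protocol, service name)


def parse_grepable(text: str) -> Dict[str, Set[Service]]:
    """Return {host_ip: {(port, proto, service), ...}} for ports in state 'open'."""
    hosts: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines carry no host data
        # Each tab-separated field is "Name: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "192.0.2.10 (hardened.example)" -> ip
        open_ports: Set[Service] = set()
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Port entry layout: port/state/proto/owner/service/rpcinfo/version/
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":
                open_ports.add((port, proto, service))
        hosts[ip] = open_ports
    return hosts


def excess_exposure(baseline: Set[Service], target: Set[Service]) -> List[Service]:
    """Services open on the target that the hardened baseline does not expose."""
    return sorted(target - baseline)


def compare_hosts(scan_text: str, baseline_ip: str, target_ip: str) -> List[Service]:
    """Parse a scan and return the target's extra exposure relative to the baseline."""
    hosts = parse_grepable(scan_text)
    return excess_exposure(hosts[baseline_ip], hosts[target_ip])


if __name__ == "__main__":
    extra = compare_hosts(SAMPLE_SCAN, "192.0.2.10", "192.0.2.20")
    print(f"Services exposed on 192.0.2.20 but not on the hardened baseline ({len(extra)}):")
    for port, proto, service in extra:
        print(f"  {port}/{proto}  {service}")
```

Run the two scans with the same options so the comparison is like for like, keep the raw -oG files with the scan date as part of the paper trail the earlier posts recommend, and hand the manager the short list the script prints rather than the full scanner report.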
Thanks again everyone,
Hopefully the information I get from SANS and the results from one of those scanners will be enough...
Sorry Gunit for the return-flame since/if it wasn't really you - I thought that response seemed a bit 'childish' for an AO'er...
And I think Juridian hit the nail on the head with what I'm trying to do - I just want to 'cover my own ass' so that as things continue to break because of this guy, I hopefully won't be the one the CEO keeps going to for his complaining/yelling...
Well that, and preferably to get them to realize the problems before it's too late and either this system is compromised and confidential info is stolen - or worse even, they are talking about having him set up the new systems we're getting which will become our PDC and Webserver. Since if either of those break we'll experience downtime and really have the CEO on my ass...
Thanks again,
RRP
Hi bpiedlow,
I have been there, done that, got the T-shirt..............well almost! My experience was with a whole division of a company working with no disaster recovery/business continuity possibilities......I was told "it was too expensive so we didn't bother" :rolleyes:
I did not make out from your posts whether this server has any access outside your LAN, or whether it is connected to your general LAN, where there is outside access. In the Defence Industry we generally have two networks.........the ordinary one, and the "secure one"..........the secure one is not connected in any way to the general network.
I do not understand about "waste of resources" if the server was sized properly in the first place, that should have included firewall and AV?
I guess that there are two approaches................the "egg" and the "bees' nest". The egg has one external wall, the bees' nest has a honeycomb of internal walls? Your colleague is an "egg head"? which is all very well until something goes wrong.
The fundamental problem that I have with your colleague's architecture is that it totally ignores the "enemy from within"?......if someone opens a dodgy e-mail and that server is on the network??????????? or brings in some software from a boot sale (shouldn't be able to load it but ...)
I guess the time has come to update your CV :( and distance yourself from it all.
Perhaps something along the lines of:
"Dear xxxxx,
It is with the deepest regret that I find myself having to write you this memorandum, but I feel that I have to do so in order to preserve my professional integrity and reputation...."
I hope that you follow my drift?
If you need anymore please PM or e-mail
Best of luck................I do not believe that you are jealous of an idiot :D
BTW: a 13 year old would not use TEMPEST...that's 1950's technology........he would use NONESTOP?
bpiedlow -
You may want to get a few articles from AO & other security sites that demonstrate best practice.
Do some research on ISO17799 : https://www.bspsl.com/secure/iso17799software/cvm.cfm to provide evidence.
Suggest to your manager that his new 'star' is either incompetent or is deliberately setting up your networks to be hacked (Getting a job somewhere is an excellent social engineering trick). If you get no joy complain to your manager's boss.
Remember that what is being done is leaving your company open to attack and you as an employee have a duty of care to protect the assets of your company.
You can demonstrate what you say is true so make a fuss.
Steve