Sunday, February 12, 2006

What do you do when...??

Sometimes you find yourself in one of those situations, where the customer calls you and wants to know:
  • Who copied or modified a file, or
  • Who created or modified a user account
When you get on-site, you find that the system in question had no auditing enabled, that the admins use a group account (and they all use the password) for administration functions, and that there are simply no protections in place at all.

So, what do you do? After all, if it wasn't important, the customer wouldn't have called you, right? What do you tell them?


Anonymous said...

I have been in a similar situation and I ended up telling the FSO he was out of luck because he and his IT department had no controls established. They had to let it go and start over with new controls in place.

I had the same told to me by a very pricey investigator once. We changed our policies and procedures in a hurry.

It is okay to say no. Does the customer really want you to blow smoke?

Keydet89 said...

Not so much "blow smoke", as I fully agree that you should be straight with the customer.

However, are there things that you can do or look for that might give you some indication, or provide something for the customer? For example, Registry keys that contain listings of applications run on the system?
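One concrete place to look, as an added worked example that is not code from the original post or any of its commenters: the UserAssist key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count records programs launched through Explorer even with auditing off. Value names are ROT13-encoded, and on Windows XP/2003 each value's data is 16 bytes: session ID, a run counter stored as count+5, and a FILETIME of the last run. The decoder below works over constructed sample entries (not taken from any real system), so it runs offline; pulling the values from a live key or an exported hive is left to whatever Registry API or parser you use.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# XP/2003 store the run counter offset by 5; a raw value below 5 means "never run".
XP_COUNT_OFFSET = 5


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to a UTC datetime; 0 means the value carries no timestamp."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used here to build the constructed sample values."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def decode_userassist(value_name, value_data):
    """Decode one UserAssist value: ROT13 name plus the 16-byte XP/2003 layout
    <session:uint32><count:uint32><last_run:FILETIME>, all little-endian.
    Any other length is rejected rather than silently misread."""
    if len(value_data) != 16:
        raise ValueError("expected the 16-byte Windows XP/2003 layout, got %d bytes" % len(value_data))
    session, raw_count, ft = struct.unpack("<IIQ", value_data)
    runs = raw_count - XP_COUNT_OFFSET if raw_count >= XP_COUNT_OFFSET else 0
    return {
        "name": codecs.decode(value_name, "rot13"),
        "session": session,
        "runs": runs,
        "last_run": filetime_to_datetime(ft),
    }


def most_recent_runs(entries):
    """Decode (name, data) pairs and return those with a timestamp, newest first,
    so the examiner sees what ran closest to the time of interest."""
    decoded = [decode_userassist(name, data) for name, data in entries]
    return sorted((e for e in decoded if e["last_run"]), key=lambda e: e["last_run"], reverse=True)


# Constructed sample values in the on-disk (ROT13) form; they do not come from a real system.
SAMPLE_ENTRIES = [
    ("HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr",
     struct.pack("<IIQ", 1, 12, datetime_to_filetime(datetime(2006, 2, 10, 14, 30, tzinfo=timezone.utc)))),
    ("HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pzq.rkr",
     struct.pack("<IIQ", 1, 7, datetime_to_filetime(datetime(2006, 2, 9, 9, 5, tzinfo=timezone.utc)))),
    # UEME_CTLSESSION carries a counter but no FILETIME.
    ("HRZR_PGYFRFFVBA", struct.pack("<IIQ", 1, 3, 0)),
]

if __name__ == "__main__":
    for entry in most_recent_runs(SAMPLE_ENTRIES):
        print("%s  runs=%d  last=%s" % (entry["name"], entry["runs"], entry["last_run"].isoformat()))
```

The timestamps are the part worth the customer's attention: they do not say who typed the command, but they pin down which interactive session launched which program, which is exactly what a timeline needs when the account itself is shared.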

Anonymous said...

You take the time to educate the customer on why it is important to have controls in place. Use this as an example. Enable the settings on a test box, and then show them what you could have done if they followed the best practice.

CP said...

There are two parts to this problem:

1. Educate the customer about proper account management, security controls, and auditing.

2. Attempt to develop the information requested by the customer.

There are still some options to explore with regards to answering the customer's question. A timeline analysis can reveal what type of activity occurred in the same time block as the modified files or account modification. Some of this activity may possibly be linked to a particular user based on the significance of the activity, such as user authentication to websites, email communications, etc. Also, did the users all gain access to the box via physical means, or are there ssh logs that can identify unique users by IP address and compare against the timeline?

And, of course, the conclusion, findings, and recommendations should include how to tighten the controls to prevent future similar circumstances.
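The ssh-log angle from the comment above, as an added worked example that is neither CP's code nor part of the original post: pair each sshd "Accepted" line with its "session closed" line by process ID to get per-user sessions with source IP, then ask which sessions were open at the moment a file of interest was modified. The auth log lines and file events are constructed for the example (the year 2006 is assumed because syslog lines carry none), and pairing by sshd pid is an assumption about how the logging sshd was built; a session with no close line is treated as still open when the log was collected.

```python
import re
from datetime import datetime

# Constructed syslog-style sshd lines; not from any real system.
SAMPLE_AUTH_LOG = """\
Feb 10 14:02:11 srv1 sshd[2210]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Feb 10 14:20:45 srv1 sshd[2290]: Accepted publickey for bob from 10.0.0.9 port 40112 ssh2
Feb 10 14:25:03 srv1 sshd[2210]: pam_unix(sshd:session): session closed for user alice
Feb 10 14:41:30 srv1 sshd[2290]: pam_unix(sshd:session): session closed for user bob
Feb 10 15:10:00 srv1 sshd[2402]: Accepted password for carol from 10.0.0.7 port 49800 ssh2
"""

# Constructed file observations (what stat would give you on the files the customer asked about).
SAMPLE_FILE_EVENTS = [
    ("2006-02-10 14:33:12", "/etc/passwd", "modified"),
    ("2006-02-10 15:30:00", "/home/shared/report.doc", "modified"),
]
SAMPLE_YEAR = 2006                      # assumed: syslog timestamps have no year
SAMPLE_LOG_END = "2006-02-10 23:59:59"  # assumed: when the log was collected

OPEN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+) port")
CLOSE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*session closed for user (\S+)")


def parse_syslog_ts(text, year):
    """Turn 'Feb 10 14:02:11' into a datetime, supplying the year syslog omits."""
    return datetime.strptime("%d %s" % (year, " ".join(text.split())), "%Y %b %d %H:%M:%S")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_sessions(auth_log, year, log_end_text):
    """Pair 'Accepted' and 'session closed' lines by sshd pid into user sessions.
    Sessions never closed in the log are assumed open until log_end_text."""
    open_by_pid, sessions = {}, []
    for line in auth_log.splitlines():
        m = OPEN_RE.match(line)
        if m:
            ts, pid, user, ip = m.groups()
            open_by_pid[pid] = {"user": user, "ip": ip, "start": parse_syslog_ts(ts, year), "end": None}
            continue
        m = CLOSE_RE.match(line)
        if m:
            ts, pid, user = m.groups()
            sess = open_by_pid.pop(pid, None)
            if sess is not None and sess["user"] == user:
                sess["end"] = parse_syslog_ts(ts, year)
                sessions.append(sess)
    for sess in open_by_pid.values():   # edge case: still logged in when the log was pulled
        sess["end"] = parse_ts(log_end_text)
        sessions.append(sess)
    return sorted(sessions, key=lambda s: s["start"])


def who_was_logged_in(ts_text, sessions):
    """Users whose ssh session was open at the given moment (sorted, de-duplicated)."""
    t = parse_ts(ts_text)
    return sorted({s["user"] for s in sessions if s["start"] <= t <= s["end"]})


def timeline(file_events, sessions):
    """Merge file events and session boundaries into one chronological list of (time, note)."""
    rows = []
    for ts, path, action in file_events:
        who = who_was_logged_in(ts, sessions)
        rows.append((parse_ts(ts), "%s %s; ssh sessions open: %s" % (path, action, ", ".join(who) or "none")))
    for s in sessions:
        rows.append((s["start"], "ssh login %s from %s" % (s["user"], s["ip"])))
        rows.append((s["end"], "ssh logout %s" % s["user"]))
    return sorted(rows)


def run_sample():
    sessions = build_sessions(SAMPLE_AUTH_LOG, SAMPLE_YEAR, SAMPLE_LOG_END)
    return sessions, timeline(SAMPLE_FILE_EVENTS, sessions)


if __name__ == "__main__":
    for when, note in run_sample()[1]:
        print(when.isoformat(sep=" "), note)
```

This narrows "someone with the shared admin password" down to the sessions that could physically have done it, which is a finding you can defend, and a report that shows how thin that inference is makes the case for auditing and individual accounts better than any slide deck.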