C. J. Kelly

A Day in the Life of an Information Security Officer

Why security professionals need to document everything

This story about the New Hampshire state IT employee who was put on leave pending the results of a security investigation caught my eye.  The guy is speaking up because he wants his side of the story heard. 

Apparently, the employee used a freeware password-recovery and sniffing tool called Cain & Abel during a previous security incident response, and that investigation is documented. His mistake, I think, was leaving the tool on the server. Along come the FBI and the U.S. Department of Justice, running their own investigation; they find the tool and decide that this poor schmuck might be a bad guy.

If he had really wanted to hide his use of the tool, he would not have installed it under his own credentials; he would have installed it from a bogus account with administrative privileges. And leaving the tool on the server was dumb, not to mention a security risk: it bundles a sniffer and a password cracker, ready for anyone who later compromises that box. I think the feds are overreacting, and if I were Douglas Oliver, I would have gone to the papers too.

There is a very important lesson here for security professionals. There must be a formal security incident response process, signed off by management, that describes the tools and methods to be used. The results of the response must be documented and signed off again. That process includes a cleanup stage: every tool is removed from the systems it was run on, and the removal itself is recorded and checked. If a well-defined process like that had been followed, the tool would not have been left on the server.
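The cleanup stage is the step that went missing here, so as an added example (mine, not anything from the post, from the New Hampshire agency, or from the Cain & Abel project) here is a small Python sketch of that paperwork made checkable: every tool deployment is recorded with the hash of each file it leaves behind, and removal cannot be signed off until a scan finds neither the recorded paths nor any file with the same hash elsewhere on the host. The host name, tool file, ticket number and operator names are hypothetical, and the files are constructed in a temporary directory so the script runs offline.

```python
"""Engagement tooling manifest with a verifiable cleanup stage.

Added example, not code from the original post. Tool names, paths, ticket
identifier and operator names are hypothetical; the files are constructed
in a temporary directory so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_deployment(manifest: dict, host: str, tool: str, paths: list, operator: str) -> dict:
    """Log every artifact a tool leaves on a host (path plus hash), so the
    cleanup stage can prove removal instead of taking it on faith."""
    entry = {
        "host": host,
        "tool": tool,
        "operator": operator,
        "deployed_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [{"path": p, "sha256": sha256_of(p)} for p in paths],
        "removed_at": None,
        "removal_signed_off_by": None,
    }
    manifest["deployments"].append(entry)
    return entry


def find_leftovers(entry: dict, search_root: str) -> list:
    """Return every file from the deployment that is still on disk.

    Checks the recorded paths directly, then walks search_root for any file
    whose hash matches a recorded artifact, which catches a binary that was
    copied or renamed rather than deleted."""
    known = {a["sha256"] for a in entry["artifacts"]}
    leftovers = [a["path"] for a in entry["artifacts"] if os.path.exists(a["path"])]
    for dirpath, _, files in os.walk(search_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if full in leftovers:
                continue
            try:
                if sha256_of(full) in known:
                    leftovers.append(full)
            except OSError:
                continue  # unreadable file: skipped here, flag for manual review in practice
    return sorted(leftovers)


def sign_off_removal(entry: dict, search_root: str, reviewer: str) -> bool:
    """The cleanup sign-off refuses if anything was left behind."""
    if find_leftovers(entry, search_root):
        return False
    entry["removed_at"] = datetime.now(timezone.utc).isoformat()
    entry["removal_signed_off_by"] = reviewer
    return True


def demo() -> tuple:
    """Deploy a tool, 'clean up' but leave a renamed copy, watch sign-off fail,
    remove the copy, sign off. Returns (leftovers, first_signoff, second_signoff, manifest)."""
    root = tempfile.mkdtemp(prefix="ir-demo-")
    tool_dir = os.path.join(root, "tools")
    os.makedirs(tool_dir)
    exe = os.path.join(tool_dir, "sniffer.exe")  # hypothetical tool binary
    with open(exe, "wb") as f:
        f.write(b"MZ constructed sample binary, not a real tool")

    manifest = {"ticket": "IR-0000", "deployments": []}  # hypothetical ticket id
    entry = record_deployment(manifest, "srv-01", "sniffer", [exe], "analyst")

    # The operator deletes the original, but a copy under another name remains.
    stray = os.path.join(root, "temp", "s.bin")
    os.makedirs(os.path.dirname(stray))
    shutil.copyfile(exe, stray)
    os.remove(exe)

    leftovers = find_leftovers(entry, root)
    first = sign_off_removal(entry, root, "ops-lead")   # refused: copy still present
    os.remove(stray)
    second = sign_off_removal(entry, root, "ops-lead")  # now recorded and signed
    shutil.rmtree(root)
    return leftovers, first, second, manifest


if __name__ == "__main__":
    print(demo())
```

The manifest is plain JSON-serialisable data, so it can be attached to the incident ticket alongside the management sign-offs; the hash scan is what turns "we removed it" into something a second person can verify.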

What People Are Saying

Wonder why no one is addressing the fact that MS patches were available since 2003 and weren't installed until a few days after this guy got suspended. Seems a valid reason right there to fire your IT Security guy.

Server?? What Server. My employer has contracts with the DOD -- they have a server which I am in charge of, but my managers (and the handful of government clients) are continually annoyed by the ever increasing security restrictions, requirements, and costs set forth by the DOD. SOooo, in their infinite wisdom, they've decided to "hide" the server from the network by using a cross-over ethernet cable to a PCMCIA card slot on my laptop computer, which is usually docked to the network docking station. I have all the email traffic on the matter in several locations for the inevitable day when a system scan discovers the illegal (and ill-advised) sub-net scheme and hauls me off to the security office.

Just remember that what you've heard so far is what the suspended guy is saying. There may be a lot more to this than he is letting on. The people investigating the incident are not at liberty to present their side of the story until their investigation is complete and any appropriate charges are ready to be filed.

However, as someone who works for a government agency, I can see where he just might be telling the whole story. Government agencies are full of managers who know little about what they are managing. They know that IT Security is a hot topic right now, so the knee-jerk response to any perceived security incident is to find a scapegoat to deflect any questions of their own competence.

The accounts of this incident I have read don't state that the testing was over. I would say his problem was he should never have loaded Cain & Abel onto the server's hard drive. The software should have been loaded on removable media and run from removable media, with results stored on removable media.

Good point.

Not only did the employee get 'stupid' by leaving the software tool on/in the server when the test was complete, he then proceeds to complain about his suspension.
This is the equivalent of a doctor leaving a surgical 'tool' in a patient.
There should have been on-site supervision to prevent an occurrence like this.

SysAdmin/Babysitter...

The tool was used during P/V testing a year ago, and its presence on the server on 2/15 could've been the result of "getting stupid". I think that, more likely, our cleanup process, which involved another audit team member followed by the operations team, failed. Nice analogy though.

-DO