
SANS ISC InfoSec Handlers Diary Blog



So.. Are all of the bad guys really on the outside?

Published: 2008-01-25
Last Updated: 2008-01-26 00:29:06 UTC
by Deborah Hale (Version: 1)

Today Fox News reported that a 41-year-old Jacksonville, FL woman, thinking that she was about to be replaced, deleted 7 years of drawings, blueprints and other files from her employer's server. Estimated damage: $2.5 million. The company owner said that they managed to recover the files by using an expensive data recovery service.

 www.foxnews.com/story/0,2933,325285,00.html

Today USA Today reported that a cable company accidentally deleted the inboxes, archives and files for about 14,000 of their customers. They said that it was a software glitch: “That's because, a spokeswoman says, the company set out to delete inactive e-mail accounts, but ended up destroying thousands of active ones, too.”

 blogs.usatoday.com/ondeadline/2008/01/oops-cable-comp.html

As I read both of these stories I have to ask myself, “Where were the backups?” In the first story, they had 7 years' worth of data, as they indicate $2.5 million worth, so why on earth would they not have a backup? What if it had been a drive failure that took out the drive instead of an employee purposely taking it out? What would they have done then? And in the case of the cable company, even if you don’t routinely back up the mailboxes, when doing maintenance such as this, best practice is “BACK IT UP”. When doing any type of maintenance, my experience says “Murphy’s Law Prevails”.

A little while ago I got a phone call from a friend of mine. They own a small business and have one computer in the shop that contains all of their customer records, financials, and receivables. I set up a backup for them and it was set to run every night after the shop closed. She called and said that when she turned the computer on this morning it wouldn’t load Windows; it said “insert system disk”. I explained to her that it sounded like the hard drive had failed, and that we would have to replace the hard drive and then restore from the last backup. She said, “Well, that may be a problem”. I asked her why and her reply was, “Well, we needed some space on the computer table to lay out some papers, so I unhooked the backup drive and forgot to plug it back in.” Guess what, she wants to know if I can help get the data back….

So, all three of these “loss of data” situations were caused by insider errors.  One accidental, one on purpose and one…. Well, let’s not go there…

Another situation that popped up in the last couple of weeks was also caused by an insider. Not on purpose, but nonetheless it happened. I monitor the IP addresses that we “own” for any suspicious activity in an attempt to prevent us from getting blacklisted. I noticed on both of the web sites that I check that one IP address was doing a lot of mailing. I knew that this IP address belonged to a local financial institution and I knew that they did not have a mail server at that IP address. I contacted the admin for the site and told him to take a look at his firewall logs and see if he saw anything unusual. He called me back a short time later and said that there definitely was something going on and he was going to track down the offending machine and give me a call back. About an hour later he did indeed call and tell me that he had found the problem. Someone from the outside had brought in a laptop and plugged it into their network. Now this was not intended to be malicious; the admin knew that the laptop was to be plugged in and he really didn’t think that there would be a problem because…. Are you ready for it…. It was the company that was hired to come in and audit the financial institution's records. You got it; an auditor had a compromised computer. He said that the auditor commented to him when they told him what his laptop was doing, “Geez, you know that explains it, I thought this thing was awfully slow lately”.

Therefore, I again say “The bad guys aren’t always on the outside”.

 

Thanks to one of our readers, Dan Jones, I am updating the diary with a link to an incredible piece of wisdom.

taobackup.com/

 
