Posted: Tue Dec 03, 2013 1:19 am Post subject: does anyone's work practice what they preach
I work in the forensics practice in one of the "big 4" companies. Recently two colleagues and I decided to see if our company actually used the forensic techniques we use. A colleague of ours left her laptop unlocked to go to a meeting; we used her email to send a faked approval email to a colleague, using an email in her drafts folder. It was only signing off an agenda, so we thought nothing of it. We imagined that at work, as we can identify suspicious mailings, they would be able to identify it... we also pretended to be hackers so they would conduct a thorough investigation. She's not been at work for 3 weeks and her name has disappeared from contacts... this would indicate they don't practice what they preach. Has anyone else had a similar experience?
Originally posted Sunday December 1st. Edited Monday November 2nd.
Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Tue Dec 03, 2013 1:35 am Post subject:
In reality, if you didn't have the approval of the company to conduct the "test", you broke several laws and could face criminal prosecution.
How did you attempt to "pretend to be hackers"?
The email would trace back to her laptop so there would be no real reason to suspect that she didn't send it.
It looks like you probably succeeded in getting her fired.
An honest person would go to the company and try to explain what you did.
Posted: Tue Dec 03, 2013 2:42 am Post subject: Re: does anyone's work practice what they preach
Has anyone else had a similar experience?
Some years ago I was peripherally involved in investigating an incident in which an employee of a company was convinced her personal email was being read by someone else. The main investigations did not produce any strong leads, so in the end she came under suspicion herself, and left the company -- though there were other, and possibly stronger, reasons for that.
It was a somewhat messy investigation, and didn't seem to get anywhere. It somewhat prejudiced me against CIOs leading incident investigations -- and it helped me understand that many people reach and affirm conclusions on very tenuous grounds, and are quite disinclined to explain the logical sequence of their decisions, or to go on looking for additional evidence once an apparently acceptable explanation has been reached.
I have worked with penetration testing for several years -- and I have learned the hard way that you never perform any tests without a means of short-circuiting all kinds of incident response that may start because of your tests. It can be extremely upsetting to everyone involved when an incident investigation gets out of hand.
An acquaintance once told of an investigation that ended up with a company manager concluding that his son had borrowed his laptop and logged into the company network. But even finding out that the logs being investigated had timestamps that were several hours out of sync, and thus that that particular laptop was not involved at all, did not in any way undo the damage that was done to that family.
Forget about investigating if other people practice what they preach. Investigate your own practices instead.