ClioSport.net


work political question!



  DCi
bit of a weird situation and i thought i'd ask for some advice



in our IT dept. on my site there is 2 of us, me and my boss, in london there is the big boss.

we look after 2 networks, one is the main company network if you like, and the other is for the nurses to access clinical stuff

one of the nurses kinda volunteered to help out with the IT and update the clinical software so my boss gave him admin rights to the whole network

im not sure the big boss is aware or not, that a non-it member of staff has admin rights, albeit on a minor network

for the sake of this lets call him IT-nurse, he is not s**t hot on IT but he is ok... he came to my office today and asked questions which suggested to me he didnt know what he was doing, so firstly i was curious to what he was actually doing (he mentioned some kind of scan) but i thought id put a shortcut on his desktop to a program which would help him with his task...

when i was doing this i found a shortcut to a program called cain.exe - if you dont know it google cain and abel.exe - it has lifted all the passwords out of active directory (non-it people - all the usernames and passwords basically)

i told my boss about this who has gone on holiday for 2 weeks and he said he will have a word with IT-nurse when he returns

personally i think this is not good enough and that i should tell head office boss about this as he could be lifting these passwords with intent of getting mine/my bosses passwords to use on the main company network

however points to consider are:

does the big boss know IT nurse has admin access - i might be dropping my boss in it?
i've already spoken to my boss and he might think i am snubbing him so to speak by going above him

my boss might want to keep IT nurse around because having him means less work for us but if he is this unreliable then imo he should be fired as this is gross misconduct.

the other option is i know big boss isnt in for 1 week - when he will visit me at my site - i could show him what has happened then but he might say why did you wait a week to tell me?
 
  Abarth 500 Essesse
Difficult situation, can you not talk to your boss again and express your feelings? I know he's on holiday but i'm sure he'll understand, that way if the big boss questions it then at least you've already raised your concerns with him.

Can you not just remove the access from IT Nurse? Then no more damage can be done until your boss returns he can then speak to him and restore access if he's ok with IT nurses explanation
 
  DCi
if i remove IT nurses access i'll have all sorts of non-it managers asking why i've done that, then i'd have to explain it to a lot of people.

i might be able to catch my boss depending on when he flies etc, however he is lazy and puts having an extra pair of hands as a higher priority over security so i am presuming i wont get very far, might be wrong though
 

DMS

  A thirsty 172
If the nurse fella needs to perform some kind of admin related tasks but isn't knowledgeable enough and appears to have malicious intent, remove his admin rights immediately and use Active Directory like it was intended - delegation!
If he needs to reset passwords for example, delegate that permission to him but only for the OUs containing the users he would ever need to reset a password for.
If he needs to assign folder permissions, grant him permissions only on objects below the ones that are important, etc etc etc.

Also, if you were doing a proper job of it, you'd have some sort of software restriction policy in place preventing unauthorised executables from running on computers joined to your domain, so he'd never be able to run any form of password cracking tool in the first place.

IT Security n00bs. I s**t 'em.
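
The delegation approach described in the post above, as an added example that is not part of the original thread. It assumes a domain with the ActiveDirectory PowerShell module available; the domain `EXAMPLE` / `example.local`, the OU `Clinical Users`, the group `Clinical-PwdReset` and the account `itnurse` are hypothetical names.

```powershell
# Added example: replace blanket Domain Admins membership with a scoped delegation.
# Hypothetical names: domain EXAMPLE / example.local, OU "Clinical Users",
# group "Clinical-PwdReset", account "itnurse".
Import-Module ActiveDirectory

$ou      = 'OU=Clinical Users,DC=example,DC=local'
$group   = 'Clinical-PwdReset'
$account = 'itnurse'

# 1. Review who currently holds domain-wide admin rights (nested groups included).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass

# 2. Remove the account that does not need domain-wide rights.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $account -Confirm:$false

# 3. Create a group that carries only the delegated task, and add the account to it.
New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $group -Members $account

# 4. Delegate on that one OU only.
#    /I:S                apply to child objects; the ";user" suffix limits it to user objects
#    CA;Reset Password   the "Reset Password" extended right
#    WP;pwdLastSet       write pwdLastSet (force a change at next logon)
#    WP;lockoutTime      write lockoutTime (unlock a locked-out account)
dsacls $ou /I:S /G "EXAMPLE\${group}:CA;Reset Password;user" `
                   "EXAMPLE\${group}:WP;pwdLastSet;user" `
                   "EXAMPLE\${group}:WP;lockoutTime;user"

# 5. Confirm which entries the OU's ACL now holds for the group.
dsacls $ou | Select-String $group
```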
 
  DCi
my boss has given him full domain admin rights (i assume out of laziness)

on that network all the nurses use 1 generic login so all IT-nurse was doing was setting a wallpaper with group policy to raise awareness of new software they were getting!!

my boss should have just done that for him, it's pure laziness!!



we have all those software restrictions in place which is part of the problem in going to big boss - is big boss aware my boss let IT nurse around all these protections?


i've already seen today 'someone' logged in on the account 'administrator' - the network has no connection to the outside world, so not my boss, wasnt me because i have my own so IT nurse is using an account not intended for him - thats illegal really

but to me that is his personality to a Tee, he just wants to be the administrator who knows all the secrets etc he isnt really interested in much else
 
  Abarth 500 Essesse
if i remove IT nurses access i'll have all sorts of non-it managers asking why i've done that, then i'd have to explain it to a lot of people.

TBH if it was a few questions being asked or a major security breach i know what i'd choose, at the end of the day it's not you thats done anything wrong, however if you just sit back and watch then you could be in the s**t, having said that theres no proof that IT nurse has actually done anything wrong yet, although surely you have some sort of acceptable use policy / IT security policy that would ban him from even having those sort of files on his profile?!?
 
  DCi
TBH if it was a few questions being asked or a major security breach i know what i'd choose, at the end of the day it's not you thats done anything wrong, however if you just sit back and watch then you could be in the s**t, having said that theres no proof that IT nurse has actually done anything wrong yet, although surely you have some sort of acceptable use policy / IT security policy that would ban him from even having those sort of files on his profile?!?
yes but im not sure heh.

he puts on his email 'clinical IT lead' and im not sure if this is his official job or if the healthcare manager and my manager are happy for him to take workload off them

so yes the IT policies should apply to them but has my boss voided them by giving him admin access

he has still had to have brought in that software on a cd as the network has no physical internet connection which is illegal in our place ;)
 
  Abarth 500 Essesse
Are you allowed to bring in software on CD without authorisation? I can only assume the answer is no lol, very short sighted of your boss if he's voided the IT security policy for IT nurse.

Can't you speak to the healthcare manager as if that's IT nurses (can we find a different name for him) boss surely he should know what his current job spec is!
 
  DCi
Are you allowed to bring in software on CD without authorisation? I can only assume the answer is no lol, very short sighted of your boss if he's voided the IT security policy for IT nurse.

Can't you speak to the healthcare manager as if that's IT nurses (can we find a different name for him) boss surely he should know what his current job spec is!
very much a no, the nurse should have given the CD to me or my boss to 'sign off' and we would install it on the network. because my boss gave him admin rights, he has snuck a Cd in himself and installed it himself.

i probably want to keep this within IT until i know what outcome i'm aiming for i think. dont really know what is going to happen when this comes to light.
 
  Abarth 500 Essesse
So it's at least misconduct, most probably gross misconduct, personally i think the longer you keep it to yourself the more compromised your position is.

If this was a normal user what would you do? I think you'll have your answer then, its made more difficult because you don't want to risk dropping your boss in it, are you sure he'd do the same for you!
 
  DCi
So it's at least misconduct, most probably gross misconduct, personally i think the longer you keep it to yourself the more compromised your position is.

If this was a normal user what would you do? I think you'll have your answer then, its made more difficult because you don't want to risk dropping your boss in it, are you sure he'd do the same for you!
i think he'd protect me which is why i wouldnt want to go to other managers hastily.

if my boss says that the big boss knows this guy has admin access i'll defo tell him because then it's not my bosses fault for giving too much access

to be fair my boss doesn't want my job but i want his at some point ;)
Can you not email big boss and then accidentally drop it into the convo?
big boss is visiting in a week before my boss comes back, ill probably show him then

he has just done a 'ethical hacking' course, be a nice test of his new knowledge hah
 

ChrisR

ClioSport Club Member
That'd probably be dismissal for gross misconduct at my place as you've just totally gone against anything you've signed with regards to computer user guidelines and/or a separate document about use of any admin privileges you are given.

If I were you I'd be removing his access and changing any system passwords he's got at.

Then wait and speak to your immediate boss first, but if he blows it off I'd then go to the next guy.

And teach your bosses about only giving people the permissions they need to do the job, not blanket perms to do what the hell they like! What could this non it member of staff possibly need to do that requires domain admin rights!

Also for something like cain most AV solutions will go nuts when it finds that, unless you've got an exception for it on the network?

IT Security n00bs. I s**t 'em.

+1
 
  182FF with cup packs
on that network all the nurses use 1 generic login so all IT-nurse was doing was setting a wallpaper with group policy to raise awareness of new software they were getting!!

my boss should have just done that for him, it's pure laziness!!

BAD IT ADMIN!

Security rule 1 - never share passwords!

Your boss sounds like he doesn't care and/or has no clue about IT security, I would find yourself a new job and avoid the fallout when something eventually goes horribly wrong.

edit: He was using Cain, do you not have AV software? I suspect that Cain would ring all sorts of alarm bells as "malicious"
 
  DCi
i scanned it today and it didn't detect it. it's anti virus provided by an outside organisation i think and perhaps IT nurse has managed to get it on the exceptions list

however in some old logs i did find that the anti virus picked up some keygens in his folder that will go in my evidence pile!


i emailed my boss to say look i need to tell big boss and he said yeah ok - i think i started a major panic but at least i washed my hands clean in writing.


imo my boss knows enough about security to know better, in fact i think his technical knowledge is probably more sound than the big boss but he is just very lazy and the fact this nurse meant less work for him....
 
  Abarth 500 Essesse
i scanned it today and it didn't detect it. it's anti virus provided by an outside organisation i think and perhaps IT nurse has managed to get it on the exceptions list

however in some old logs i did find that the anti virus picked up some keygens in his folder that will go in my evidence pile!


i emailed my boss to say look i need to tell big boss and he said yeah ok - i think i started a major panic but at least i washed my hands clean in writing.


imo my boss knows enough about security to know better, in fact i think his technical knowledge is probably more sound than the big boss but he is just very lazy and the fact this nurse meant less work for him....


At least it's sorted from your point of view now, you saw it and reported it, so that should prevent you from getting into any s**t, don't think your boss will be making the same mistakes again somehow.
 

ChrisR

ClioSport Club Member
however in some old logs i did find that the anti virus picked up some keygens in his folder that will go in my evidence pile!

Weirdly enough I had an exam question on an MS provided practice exam on keygens and in MS's eye anyway they are ok to use! I can't remember the exact wording, will have to dig it out.

All they provide you with is a means to install the software, from a licensing point of view they really don't give a toss, or something along those lines.

The answer wasn't what I was expecting tbh.

Might well be different for other manufacturers.
 
  DCi
At least it's sorted from your point of view now, you saw it and reported it, so that should prevent you from getting into any s**t, don't think your boss will be making the same mistakes again somehow.

Feel a bit bad on the boss but you gotta do what you gotta do!
 
  DCi
this got investigated this week... looks like we will be rebuilding the network to ensure everything is gone, we have found so much evidence of registry hacks we are not exactly sure the extent of whats been done etc so better to just reimage 20 pcs and 'upgrade' ;) a server to clean it out is the opinion coming down from the big boss.


a report has been handed to the hax0rs line manager who will submit it to the director of the site who will decide what to do in a discaplinary etc. [sp :(]


since this report has been in the hands of managers at my place a couple of managers have gone 'oh iain, was it you that found this, well done! Is your boss going to be in trouble though??'

i dont know what the report says but more than one person has said that to me so this week will be interesting.
 

ChrisR

ClioSport Club Member
Sounds like it's all good for you then, which is the important thing :)

Get yourself a decent image for the machines, shouldn't take long.

Make sure your gpos that apply to user accounts are sufficiently configured so that things are locked down properly if not already.

Then pushing it out to all those machines, that's another 5 minutes, easy life :)

A lot of places neglect the build process, deeming it lesser/s**t work and not bothering, but getting it right (and 'right' is different depending on your needs) makes everyone's life so much easier.
 
  DCi
Sounds like it's all good for you then, which is the important thing :)

Get yourself a decent image for the machines, shouldn't take long.

Make sure your gpos that apply to user accounts are sufficiently configured so that things are locked down properly if not already.

Then pushing it out to all those machines, that's another 5 minutes, easy life :)

A lot of places neglect the build process, deeming it lesser/s**t work and not bothering, but getting it right (and 'right' is different depending on your needs) makes everyone's life so much easier.
well this is already in place in our email network, it will be so easy to answer the question 'how do we stop this happening again' by saying we 'copy and paste' (so to speak) all the security settings etc over


the problem will be when management ask 'how did it happen in the first place' and my boss has to explain 'the guy said he could do it so we gave him access and left him to it'

hey ho
 
  185lb/ft dCi
lmao@using cain, legend. your boss seems a bit of a tool, just handing over full admin rights like that, socially engineered tbh.

you've covered your back now anyway so nothing to worry about.
 
  DCi
social engineering would be a bit extreme lol but i know what you are getting at.

i am morbidly looking forward to wednesday when my boss comes back.
 

Cookie

ClioSport Club Member
If it were my network, I'd have gone straight to HR with proof of his hax0ring and seen to it he was sacked on the spot

Mmmm gross misconduct
 
  DCi
we had to play it a bit careful.

there is a code of connection and if we scared the people in charge of that the company would be screwed

otherwise exactly :D
 

ChrisR

ClioSport Club Member
If it were my network, I'd have gone straight to HR with proof of his hax0ring and seen to it he was sacked on the spot

Mmmm gross misconduct

Don't lie, first you'd go and call them a c**t, then go to HR :)
 

