Let me start by saying I am always interested in finding new techniques. So if you have a way to resolve this problem I had today, please drop me a note at secauditor(at)bigstring.com. Thanks!
Most of the time, when an incident happens, auditors or incident handlers are called in to try to track down the facts to prove something has happened. Today was an exception; I was called in to investigate improper use of corporate assets. Apparently the IT department was suspected of utilizing internal resources to host personal sites.
A board member for a company that I contract to, who is also an IT person (with a different organization) in his full-time position, was sure that the IT group was messing with the corporate DNS (CompanyA.com). When it was pointed out that the IP address associated with CompanyX.com belonged to a different carrier, he changed his tune and began to claim that the IT group was routing that IP address over to CompanyA’s firewall. It was then that I had to point out that CompanyA’s ISP did not have a peering agreement with CompanyX’s ISP, so there was no way the IP address could pass between those two networks. Finally, a review of the DNS entries showed that no changes had been made in close to 2 years.
It amazes me how at times intelligent people are blind to the facts around them, even after those facts have been explained back to them. The board member is still scratching his head.
