My First Security Incident

It would have been 1993, most likely the summer. There I was, working my first job, which was Desktop Support at a Life & Pensions company in Reading, England.

Background

The building I was focused on had 7 floors and there was a round-robin refurbishment going on; each floor was refloored, new desks put in and those who had computers had them reinstalled on the desks – by my team.

The process we had when doing so was as follows:

  • reinstall the computer (most were not networked!) and screen tidily
  • update the antivirus (we had to do this with floppies because the capabilities were not there)
  • check the computer for errors, free space and general health

The Incident

One of the computers we reinstalled came up showing a lack of disk space. Bear in mind the drives were likely 20 MB or so; they were still generous in those days.

We investigated the reason for the lack of free space and stumbled across a large number of pornographic images.

This was pre-Internet times, where access to online resources was via services like CompuServe – coupled with a per-minute cost of being connected. Software updates were something we got in a box, on floppy disks (basically in the form of a newer version).

There was lots of porn on the drive; it took us many floppies to duplicate the images (naked ladies) for evidence. Naturally, we escalated the presence of porn on a corporate device to management and withdrew the computer from its location to our area. Escalation included showing the images in place to the managers who were present, as a form of evidence.

Unfortunately, the person with the key to our secure storeroom was not in the office and we had to leave the computer in our office space until Monday.

The Aftermath

On the following Monday, we found the computer had been taken by its “owner” and was upstairs, installed and running. It was also devoid of the image files – or so he thought.

In managing the incident, we brought out our forensic tooling, Norton UNERASE from Norton Computing/Symantec. Not long after, many files were being UNERASEd on the drive and the accused was invited to meet with his manager and HR. He was fired that day.
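Why an UNERASE-style tool could bring the files back is worth spelling out for readers who never used DOS. The following is an added illustration written for this page, not code from the original post and not Norton's own logic: a toy model of a FAT volume in which DEL only marks the directory entry with 0xE5 and frees the FAT chain, leaving the file's bytes in the data area untouched until something else is written over them. The volume layout, the file names and the image payload are all constructed for the example; the directory-entry offsets follow the real 32-byte FAT entry, but the rest is deliberately simplified and is not a full FAT12 implementation.

```python
import struct

CLUSTER_SIZE = 512      # bytes per cluster in this toy volume (assumption)
RESERVED_CLUSTERS = 2   # clusters 0 and 1 are reserved, as on real FAT
EOC = 0xFFF             # end-of-chain marker in the FAT
DELETED_MARK = 0xE5     # first byte of a directory entry once DOS deletes the file


def make_dir_entry(name: str, ext: str, first_cluster: int, size: int) -> bytes:
    """Build a 32-byte FAT directory entry. Real offsets: name 0-7, ext 8-10,
    attribute 11, first cluster 26-27 (LE), size 28-31 (LE); the rest is zeroed here."""
    entry = bytearray(32)
    entry[0:8] = name.upper().encode("ascii").ljust(8, b" ")
    entry[8:11] = ext.upper().encode("ascii").ljust(3, b" ")
    entry[11] = 0x20                                   # archive attribute
    struct.pack_into("<HI", entry, 26, first_cluster, size)
    return bytes(entry)


class ToyFatVolume:
    """Toy FAT volume: a root directory of 32-byte entries, one FAT slot per
    cluster (0 = free), and a flat data area. Simplified for illustration."""

    def __init__(self, n_clusters: int = 16, root_entries: int = 8):
        self.n_clusters = n_clusters
        self.fat = [0] * n_clusters
        self.root = bytearray(32 * root_entries)       # 0x00 first byte = never used
        self.data = bytearray(CLUSTER_SIZE * n_clusters)

    def _free_run(self, n: int):
        """Start of the first run of n contiguous free clusters, or None."""
        for c in range(RESERVED_CLUSTERS, self.n_clusters - n + 1):
            if all(self.fat[c + i] == 0 for i in range(n)):
                return c
        return None

    def write_file(self, name: str, ext: str, payload: bytes) -> int:
        n = max(1, -(-len(payload) // CLUSTER_SIZE))   # ceil(len / CLUSTER_SIZE)
        start = self._free_run(n)
        if start is None:
            raise OSError("disk full")
        for i in range(n):                              # link the FAT chain
            self.fat[start + i] = start + i + 1 if i < n - 1 else EOC
        off = start * CLUSTER_SIZE
        self.data[off:off + len(payload)] = payload
        # Only never-used slots are taken here; real DOS also recycles 0xE5 slots,
        # which is one more way a deleted entry can vanish before recovery.
        for slot in range(0, len(self.root), 32):
            if self.root[slot] == 0x00:
                self.root[slot:slot + 32] = make_dir_entry(name, ext, start, len(payload))
                return start
        raise OSError("root directory full")

    def delete_file(self, name: str, ext: str) -> bool:
        """What DEL does: flag the entry and free the chain. Data is not wiped."""
        key = make_dir_entry(name, ext, 0, 0)[:11]
        for slot in range(0, len(self.root), 32):
            if self.root[slot:slot + 11] == key:
                c = struct.unpack_from("<H", self.root, slot + 26)[0]
                while c != EOC:
                    nxt = self.fat[c]
                    self.fat[c] = 0
                    c = nxt
                self.root[slot] = DELETED_MARK
                return True
        return False

    def deleted_entries(self):
        """Slots flagged 0xE5 still carry the rest of the name, start cluster and size."""
        found = []
        for slot in range(0, len(self.root), 32):
            if self.root[slot] == DELETED_MARK:
                start, size = struct.unpack_from("<HI", self.root, slot + 26)
                found.append({
                    "slot": slot,
                    "name_tail": self.root[slot + 1:slot + 8].decode("ascii").rstrip(),
                    "ext": self.root[slot + 8:slot + 11].decode("ascii").rstrip(),
                    "start": start,
                    "size": size,
                })
        return found

    def unerase(self, slot: int, first_char: str):
        """UNERASE-style recovery: restore the lost first letter and re-link the
        clusters the entry points at. With the FAT chain gone the tool must assume
        the file was contiguous, and it can only succeed while those clusters are
        still free. Returns the recovered bytes, or None if they were overwritten."""
        if self.root[slot] != DELETED_MARK:
            raise ValueError("slot is not a deleted entry")
        start, size = struct.unpack_from("<HI", self.root, slot + 26)
        n = max(1, -(-size // CLUSTER_SIZE))
        if any(self.fat[start + i] != 0 for i in range(n)):
            return None                                 # clusters reused: evidence gone
        for i in range(n):
            self.fat[start + i] = start + i + 1 if i < n - 1 else EOC
        self.root[slot] = ord(first_char.upper())
        off = start * CLUSTER_SIZE
        return bytes(self.data[off:off + size])


def demo():
    """Constructed scenario: delete then recover, versus delete, overwrite, then fail."""
    image = b"JPEG\xff\xd8" + b"x" * 1200                # constructed stand-in for an image
    vol = ToyFatVolume()
    vol.write_file("IMG001", "JPG", image)
    vol.delete_file("IMG001", "JPG")
    recovered = vol.unerase(vol.deleted_entries()[0]["slot"], "I")

    vol2 = ToyFatVolume()
    vol2.write_file("IMG002", "JPG", image)
    vol2.delete_file("IMG002", "JPG")
    vol2.write_file("REPORT", "DOC", b"quarterly figures" * 100)   # lands on the freed clusters
    lost = vol2.unerase(vol2.deleted_entries()[0]["slot"], "I")
    return recovered, lost


if __name__ == "__main__":
    ok, gone = demo()
    print("recovered intact:", ok is not None, "| overwritten:", gone is None)
```

The second half of `demo` is the point that matters for evidence handling: recovery works only because nothing was written to the disk between the deletion and the UNERASE run. Every file saved in the meantime (an application's temp file, a new document, an antivirus update) can land on the freed clusters, which is why the gap over a weekend with the machine back in use was a real risk, and why a drive that is evidence should be imaged or locked away before anyone boots from it again.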

What We Learned from the Incident

Back in those days, we did not have incident response processes planned. Not every desk had a computer, not every person and their job actually needed a computer (can you imagine that today?).

We, as a technical team, stumbled through the process with best effort and intuition. We contained the incident, collected evidence, escalated, and (tried to) preserve the evidence. When the accused attempted to destroy the evidence, our state-of-the-art forensic tooling saved the day.

I’d consider this a minor incident but it was detected using some best-practice processes for the time. Central management of the assets was not really possible so we manually executed a Runbook. What I did not know at the time was that this incident would steer me towards a CISO role – which I enjoy immensely!