Questions for the victim:

1. Who has been notified of the intrusion?

Is the security division of the local telephone company aware of the intrusion?

If the intruder is using the Internet, who is the victim's local Internet service provider? Is that provider aware of the intrusion?

2. Information about the computer system:

What type of computer or computer system was accessed without authorization?

Is the computer used:

as a PBX?

for voicemail?

to store proprietary information?

3. Telephone connections:

Is the computer connected to external phone lines? What are the numbers for each of those lines?

Who is able to dial in on the line(s) used by the intruder?

Are those lines reserved for maintenance or other use which is not companywide? If reserved for maintenance, determine whether the intrusion is part of normal maintenance activity.

4. Computer security measures in place before the intrusion:

Does the system require a "log-on" identification?

Does the system require users to enter a password?

Are there restrictions on the type of password which users may select? If the password is reasonably secure (i.e., at least six characters long), it is likely the intruder is a current or former employee, knows an employee, or has obtained the password through "social engineering" of a gullible employee.

How often is that password changed? Knowing the date on which the password was last changed may narrow your field of suspects.

Does the computer allow different levels of access? The level of access gained by the intruder may provide information about the source of your problem, particularly if the intruder is a former employee.

How does the computer record when a user logs on and off the system? Make sure that the victim configures the computer to create logs, and stores those logs off the compromised system. If they are stored on the system, they should be encrypted.

Is the computer configured to record the commands typed by the intruder?

5. Information about the intrusion.

When did the intrusion begin?

How many calls has the intruder made? A series of attempts repeated every few seconds suggests a war dialer.

Does the intruder always use the same phone line? This pattern suggests that the intruder knows only that number. If employees know more than one number, your intruder may be a cracker (or a lazy employee).

Did anyone unsuccessfully attempt to access the computer within 30 days before the first intrusion? Unsuccessful attempts suggest an intruder guessing a password or probing for a security flaw. No prior attempts suggests that the intruder is a current or former employee, or a cracker who obtained the password by social engineering or by intercepting a password sent by an authorized user.

For each access:

What was the date and time of that call?

How long did the call last?

What account(s) was/were accessed?

Who are the authorized users who have access to that account? (Some companies allocate accounts for particular work groups which anyone in that group may access.)

Interviewing the authorized user:

Warning: Interviewing a group of employees who share a password may alert any intruder who is a fellow employee to your investigation.

Determine whether the authorized user is your intruder. Does the user have a motive to misuse the computer (e.g., a departing employee stealing proprietary information)?

Ask whether the authorized user disclosed his or her password to anyone, including seemingly authorized users (i.e., social engineering), or displayed the password on scraps of paper taped to the terminal or left in an unlocked drawer.

What is the victim's theory concerning how the intruder was able to access the computer? Consider some of the common security "holes":