I'm facing a tough situation with an older IT technician who's been with the company for over 20 years. When I joined, he was on a long sick leave, but upon his return, he started going through old CDs. I didn't think much of it at first, but one of the CDs contained malware called mimikatz, which raised alarms and led our SOC team to investigate. When I asked him about it, he claimed he had no idea malware was on the CD. After another employee verified the contents, we found that mimikatz was indeed the only harmful item among various files.
Now, things have escalated: he has had a honeytoken flagged, and he has basic malware and a keygen cracking tool on his PC. Although we did a full virus scan, it only showed a VBS script, making me wonder if he deleted the other files first or intentionally planted the script as a distraction. I really suspect poor work ethics—this isn't 2002 anymore—but I'm also puzzled about whether there's malicious intent behind his actions. How should I approach reviewing this situation with him, and what specific questions should I ask to dig deeper?
5 Answers
Before you talk to him, back up his PC in case you need it for a later investigation. I suggest wiping the machine to prevent any further issues and having a serious talk about the risks of executing unknown files. If anything malicious is found, it should be escalated to HR to handle appropriately.
Honestly, consider that this guy may not even realize how serious this all is. If monitoring shows signs of malware and ongoing issues, you might need to prepare to take away his access while you investigate further. Get to the bottom of this before making any accusations.
I've run into similar situations, and I think this employee is probably just not up-to-date with current cybersecurity practices. Instead of 'interrogating' him, why not just ask him to explain the situation? That could reveal whether he really has the knowledge—or lack of it—that you're concerned about. Maybe bringing in an observer could help too.
It sounds like you're in a tricky spot! First, check your company's runbook for guidance on handling situations like this. If there's no clear policy, make sure to create one! It's not just about this employee; it's about preventing future issues too.
If you're still unsure whether he's malicious or just negligent, you need to treat the computer as infected until proven otherwise. Keep an eye on his activity and follow company policy when it comes to dealing with this type of risk.