I can see such stories happening; most systems are automated nowadays – meaning they don’t require maintenance to work. As such, if you ignore security you’ll end up in situation were administrators leave and new ones are employed, and systems that do not cause any issues get forgotten.

If existent systems are forgotten I think we can safely assume there is no way such companies will realize why foreign hardware is introduced, be it key loggers or wireless access points.

A story comes to mind in which a post office suffered a break-in; an investigation found nothing missing, in fact there was an access point added! Investigators then found out this access point was meant to capture transactions and steal financial data.

I cannot stress enough how important it is for an administrator to know exactly what hardware there is on his/her network!

I was really shocked by the fact that you can be totally ignorant about the devices in your network but after I spent some more time with the company and saw much more shocking things, this experience didn’t look that shocking any more.

Companies that are looking for more ways to save more financial resources should look into network auditing.

Regarding monitoring of rogue laptops or other devices that might be connected for a brief time to the network and subsequently disconnected, scheduled base scanning can be a bit tricky as the scheduled scan needs to execute at a time when the rogue device is connected to the network.

However there are options; you could run an scanner that continuously monitors arp traffic and reports new mac addresses or, even though less reliable, you can monitor the dhcp leases.

@ Freddie James, I couldn’t agree more about baselines… but I wonder if running the baseline comparison during the week would be better (than on Friday evening) as any rouge laptops etc will most likely be taken away at the weekend.