Strange foolery by general end user - SysAdmin opinions welcome

jp2943F

New Member
At the company where I work in an IT role, we have notifications set up to send if anyone pings our gateway or anything from 192.168.1.1-5, for that matter. Anyway, I get a notification that user at x machine is pinging several of our LAN internal numbers. I immediately pick up the phone and dial the user. I'll leave the conversation below. I think it's very odd. How do you handle the situation from a security standpoint and/or managerial standpoint?


Do you need help with something?

I was trying to pull up the home…the ugh… our website. I typed in 192.168.1.1 and it started spinning on me so I typed in point 1 then point 2 and then 3 then 4 then 5

What did you need to do?

I was just pulling up the main service...our website… was going to our sales/support link to see what we had listed.

You went to our website by IP address?

I always type it in to go to our home website.

It looks like you are looking at basic router settings at the same time, in a browser (at this point I’m screenconnected into their PC for security reasons, we both can see what they have pulled up)

I'm trying to find out how to find "home settings". I'm just trying to figure out… I gotta do something different at home. I gotta change up my settings and stuff. I'll give you a buzz when I get to that point.

Let me know if you need any help...click.
 

beers

Moderator
Staff member
Curious what they were trying to circumvent or discover from poking around, in that described scenario. Can't say that I've ever seen someone care about alerting on a service that doesn't exist, outside of pulling stats off of a honeypot (and even then it's a collect and aggregate situation as opposed to trigger and escalate). ICMP alerting would probably drive you mad after a while for apps that use those for health checking.

Most of the time you can get someone to indicate their intent by being perceived to be on 'their side' for whatever 'stupid IT' rule they happen to disagree with. Having a user space that overlaps with just about every home network is usually kind of a poor idea with a substantial remote workforce. Do you happen to work at REMC?
 

jp2943F

New Member
This is more of a collect/agg situation, and the service was filtered to only pick up other devices on our LAN...in other words customized in order to not get bombarded. What is REMC?
 
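The detection the thread describes (alert when a LAN host sends echo requests to 192.168.1.1-5, filtered so that monitoring noise does not trigger it) can be sketched as a small log filter. This is an added example, not the poster's actual setup or tooling; the log format, the sample lines, the 192.168.1.0/24 LAN range and the allowlisted monitoring host are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumption: a syslog-like
# "src=... dst=... type=..." format; not from the original thread).
SAMPLE_LOGS = """\
2024-01-01T09:00:01 fw icmp src=192.168.1.57 dst=192.168.1.1 type=8
2024-01-01T09:00:03 fw icmp src=192.168.1.57 dst=192.168.1.2 type=8
2024-01-01T09:00:05 fw icmp src=192.168.1.57 dst=192.168.1.3 type=8
2024-01-01T09:00:07 fw icmp src=192.168.1.57 dst=192.168.1.4 type=8
2024-01-01T09:00:09 fw icmp src=192.168.1.57 dst=192.168.1.5 type=8
2024-01-01T09:00:10 fw icmp src=192.168.1.200 dst=192.168.1.1 type=8
2024-01-01T09:00:11 fw icmp src=10.20.30.40 dst=192.168.1.1 type=8
2024-01-01T09:00:12 fw icmp src=192.168.1.80 dst=8.8.8.8 type=8
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\d+)")

# Assumed LAN range and the watched gateway addresses from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
WATCHED = {ipaddress.ip_address(f"192.168.1.{i}") for i in range(1, 6)}
# Hosts whose pings are expected (health checks, monitoring): suppressed so
# the alert does not fire on every app that uses ICMP for liveness.
ALLOWLIST = {ipaddress.ip_address("192.168.1.200")}  # assumed monitoring box


def parse_events(text):
    """Return a list of (src, dst) address pairs for ICMP echo requests (type 8)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("type") != "8":
            continue
        events.append((ipaddress.ip_address(m.group("src")),
                       ipaddress.ip_address(m.group("dst"))))
    return events


def find_alerts(events):
    """Map each non-allowlisted LAN source to the sorted watched addresses it probed."""
    hits = defaultdict(set)
    for src, dst in events:
        if src not in LAN or src in ALLOWLIST:   # only our own devices, minus monitoring
            continue
        if dst in WATCHED:
            hits[src].add(dst)
    return {str(src): [str(d) for d in sorted(dsts)] for src, dsts in hits.items()}


def is_sweep(targets, threshold=3):
    """A single ping is curiosity; several watched addresses in a row looks like a sweep."""
    return len(targets) >= threshold


if __name__ == "__main__":
    for src, targets in find_alerts(parse_events(SAMPLE_LOGS)).items():
        kind = "sweep" if is_sweep(targets) else "single probe"
        print(f"{src}: {kind} of {', '.join(targets)}")
```

The allowlist is the part worth keeping honest: without it, as the reply above notes, any application that uses ICMP for health checking will page you all day, and the alert ends up ignored. Aggregating per source (rather than firing on each packet) is what turns the "point 1, then point 2, then 3..." behaviour from the call into one readable event.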

beers

Moderator
Staff member
Your WAN AS seemed oddly specific so was curious.

Other than maybe cross-referencing some behavior for them I wouldn't worry about it too much, unless you see sites/behavior that would obviously be vulnerability vectors. I'm pretty lax personally though and usually do things like force a bad actor's link down to 10/half or force their minimum ring volume to be their maximum ring volume. If you do it with just enough subtlety they get mega paranoid.
 