mailing list archives
Re: Handling Sysads resignation/termination
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Tue, 2 Aug 2005 23:09:26 -0700
----- Original Message -----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa () pacbell net>
To: "Irvin Temp" <znah_irvin () yahoo com>
Cc: <pen-test () securityfocus com>
Sent: Tuesday, August 02, 2005 5:39 PM
Subject: Re: Handling Sysads resignation/termination
What's he going to do? Say yes? Then what?
Anyone else besides me thinking of a employment leaving documentation
poured over by Attorneys where he/she has to sign something to the effect?
That won't do any good... For one, the admin is out-- what is the
consequence of saying "no" to signing the document? And what if he does
sign it? How can the company prove, even in the existence of some Trojan,
that the exiting admin is responsible for its presence? Setting up a "fall
guy for a failing business" is as likely as "malicious actions of an exiting
admin" in the eyes of the law (when represented by competent council). In
fact, "duress" in this case could be very easily substantiated (if you said
something like he had to sign to get his last check, etc.)
I wouldn't want you to certify that ....that's asking a bit much on your
part I think. I think you, your HR department and your firm's Attorneys
need to sit down and discuss an action plan.
Normally for anyone who isn't a sysadmin the termination process involved
revoking accounts, keys, devices, changing locks etc etc...
It's really a moot point-- for it simply cannot be "certified" to begin
with. It is totally impossible to certify what he did or didn't do. If
concern is there, the only real way of gaining any secure posture is to nuke
the entire network and rebuild it. And that only addresses the technical
aspects of it: if I left Anchor today, and they totally rebuilt everything
to protect against me, I could call any one of dozens of people and ask them
for their username and password and they would give it to me.
You can't protect yourself against the actions of one in a trusted position
if they choose to break the law. You have but the law to protect you once
the breech of trust has taken place.
Check out Steve Riley on this topic...
Do you trust your administrators? That seemingly innocent question
creates a serious dilemma in the minds of a lot of people. While we
all know what we’d /like/ the answer to be, the disappointing fact
is that, increasingly, the true answer is the opposite. This became
apparent in discussions I had with many attendees at TechEd US in
May—there is genuine concern about the trustworthiness of
I've worked with Steve before, and I like him. Pretty damn smart dude. But
his opinion piece here is a bit hyperbolic. The story of the logic bomb
paints a vivid picture of anxious exposure, but if the guy is going to plant
a logic bomb, he could also plant a real bomb. You know, the "boom" kind.
While the advise of background checking and least privilege is valuable, it
is also a bit obvious. It all comes down to the cost of doing business, and
the level at which you must trust someone in order for that business to be
conducted. You can spend a million dollars a year in background checks,
threat level testing and physiological profiling, but it doesn't matter that
much when some vendor's cleaning crew has the same physical access as your
admin. Case at point: We had to fire an employee who had access to our
operational systems (as his job required.) The termination wasn't pretty,
as he turned out to be a bit freaky. A few months later, we had physical
issues with our ADT alarm system that required on-site service. Guess who
showed up to fix them?
This is not a tech issue. It is a people issue, and as long as people trust
other people, it always will be. Of course there are extreme examples of
distributed trust models that work (a sysop in a nuke sub, for example) but
in the "real world" where we all live, my experience is that any measure of
real value taken to mitigate the risk associated with the threat of a
malicious admin's actions ends up costing more than the resource we seek to
protect in the first place. Otherwise, the merit of the asset's value would
have dictated that measures already be in place when the dude was initially
This is just another example of an "oh shit, what do we do now?" question
that was asked too late.
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't
Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:
RE: Handling Sysads resignation/termination Michael Starr (Aug 03)