Re: Handling Sysads resignation/termination
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Tue, 02 Aug 2005 23:13:48 -0700
"Oh but to flatten and nuke we'd need better backups. We can't do
that." is the response you'd get then. But indeed that would be the
I'm nuking a workstation.. a mere workstation after a malware
infestation and you'd think I was committing a cardinal sin or
something. 'What? You want to flatten it?
Thor (Hammer of God) wrote:
----- Original Message ----- From: "Susan Bradley, CPA aka Ebitz - SBS
Rocks [MVP]" <sbradcpa () pacbell net>
To: "Irvin Temp" <znah_irvin () yahoo com>
Cc: <pen-test () securityfocus com>
Sent: Tuesday, August 02, 2005 5:39 PM
Subject: Re: Handling Sysads resignation/termination
What's he going to do? Say yes? Then what?
Anyone else besides me thinking of an employment leaving documentation
pored over by Attorneys where he/she has to sign something to the
That won't do any good... For one, the admin is out-- what is the
consequence of saying "no" to signing the document? And what if he
does sign it? How can the company prove, even in the existence of
some Trojan, that the exiting admin is responsible for its presence?
Setting up a "fall guy for a failing business" is as likely as
"malicious actions of an exiting admin" in the eyes of the law (when
represented by competent counsel). In fact, "duress" in this case
could be very easily substantiated (if you said something like he had
to sign to get his last check, etc.)
I wouldn't want you to certify that ....that's asking a bit much on
your part I think. I think you, your HR department and your firm's
Attorneys need to sit down and discuss an action plan.
Normally for anyone who isn't a sysadmin the termination process
involved revoking accounts, keys, devices, changing locks etc etc...
It's really a moot point-- for it simply cannot be "certified" to
begin with. It is totally impossible to certify what he did or didn't
do. If concern is there, the only real way of gaining any secure
posture is to nuke the entire network and rebuild it. And that only
addresses the technical aspects of it: if I left Anchor today, and
they totally rebuilt everything to protect against me, I could call
any one of dozens of people and ask them for their username and
password and they would give it to me.
You can't protect yourself against the actions of one in a trusted
position if they choose to break the law. You have but the law to
protect you once the breach of trust has taken place.
Check out Steve Riley on this topic...
Do you trust your administrators? That seemingly innocent question
creates a serious dilemma in the minds of a lot of people. While we
all know what we’d /like/ the answer to be, the disappointing fact
is that, increasingly, the true answer is the opposite. This became
apparent in discussions I had with many attendees at TechEd US in
May—there is genuine concern about the trustworthiness of
I've worked with Steve before, and I like him. Pretty damn smart
dude. But his opinion piece here is a bit hyperbolic. The story of
the logic bomb paints a vivid picture of anxious exposure, but if the
guy is going to plant a logic bomb, he could also plant a real bomb.
You know, the "boom" kind.
While the advice of background checking and least privilege is
valuable, it is also a bit obvious. It all comes down to the cost of
doing business, and the level at which you must trust someone in order
for that business to be conducted. You can spend a million dollars a
year in background checks, threat level testing and physiological
profiling, but it doesn't matter that much when some vendor's cleaning
crew has the same physical access as your admin. Case in point: We
had to fire an employee who had access to our operational systems (as
his job required.) The termination wasn't pretty, as he turned out to
be a bit freaky. A few months later, we had physical issues with our
ADT alarm system that required on-site service. Guess who showed up
to fix them?
This is not a tech issue. It is a people issue, and as long as people
trust other people, it always will be. Of course there are extreme
examples of distributed trust models that work (a sysop in a nuke sub,
for example) but in the "real world" where we all live, my experience
is that any measure of real value taken to mitigate the risk
associated with the threat of a malicious admin's actions ends up
costing more than the resource we seek to protect in the first place.
Otherwise, the merit of the asset's value would have dictated that
measures already be in place when the dude was initially hired.
This is just another example of an "oh shit, what do we do now?"
question that was asked too late.