Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Handling Sysads resignation/termination
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Tue, 02 Aug 2005 23:13:48 -0700

"Oh but to flatten and nuke we'd need better backups. We can't do that." is the response you'd get then. But indeed that would be the only way.

I'm nuking a workstation.. a mere workstation after a malware infestation and you'd think I was commiting a cardinal sin or something. 'What? You want to flatten it?

Thor (Hammer of God) wrote:


----- Original Message ----- From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
To: "Irvin Temp" <znah_irvin () yahoo com>
Cc: <pen-test () securityfocus com>
Sent: Tuesday, August 02, 2005 5:39 PM
Subject: Re: Handling Sysads resignation/termination

What's he going to do? Say yes? Then what?

Anyone else besides me thinking of a employment leaving documentation poured over by Attorneys where he/she has to sign something to the effect?

That won't do any good... For one, the admin is out-- what is the consequence of saying "no" to signing the document? And what if he does sign it? How can the company prove, even in the existence of some Trojan, that the exiting admin is responsible for its presence? Setting up a "fall guy for a failing business" is as likely as "malicious actions of an exiting admin" in the eyes of the law (when represented by competent council). In fact, "duress" in this case could be very easily substantiated (if you said something like he had to sign to get his last check, etc.)

I wouldn't want you to certify that ....that's asking a bit much on your part I think. I think you, your HR department and your firm's Attorneys need to sit down and discuss an action plan.

Normally for anyone who isn't a sysadmin the termination process involved revoking accounts, keys, devices, changing locks etc etc...

It's really a moot point-- for it simply cannot be "certified" to begin with. It is totally impossible to certify what he did or didn't do. If concern is there, the only real way of gaining any secure posture is to nuke the entire network and rebuild it. And that only addresses the technical aspects of it: if I left Anchor today, and they totally rebuilt everything to protect against me, I could call any one of dozens of people and ask them for their username and password and they would give it to me.

You can't protect yourself against the actions of one in a trusted position if they choose to break the law. You have but the law to protect you once the breech of trust has taken place.

Check out Steve Riley on this topic...


   Do you trust your administrators? That seemingly innocent question
   creates a serious dilemma in the minds of a lot of people. While we
   all know what we’d /like/ the answer to be, the disappointing fact
   is that, increasingly, the true answer is the opposite. This became
   apparent in discussions I had with many attendees at TechEd US in
   May—there is genuine concern about the trustworthiness of

I've worked with Steve before, and I like him. Pretty damn smart dude. But his opinion piece here is a bit hyperbolic. The story of the logic bomb paints a vivid picture of anxious exposure, but if the guy is going to plant a logic bomb, he could also plant a real bomb. You know, the "boom" kind.

While the advise of background checking and least privilege is valuable, it is also a bit obvious. It all comes down to the cost of doing business, and the level at which you must trust someone in order for that business to be conducted. You can spend a million dollars a year in background checks, threat level testing and physiological profiling, but it doesn't matter that much when some vendor's cleaning crew has the same physical access as your admin. Case at point: We had to fire an employee who had access to our operational systems (as his job required.) The termination wasn't pretty, as he turned out to be a bit freaky. A few months later, we had physical issues with our ADT alarm system that required on-site service. Guess who showed up to fix them?

This is not a tech issue. It is a people issue, and as long as people trust other people, it always will be. Of course there are extreme examples of distributed trust models that work (a sysop in a nuke sub, for example) but in the "real world" where we all live, my experience is that any measure of real value taken to mitigate the risk associated with the threat of a malicious admin's actions ends up costing more than the resource we seek to protect in the first place. Otherwise, the merit of the asset's value would have dictated that measures already be in place when the dude was initially hired.

This is just another example of an "oh shit, what do we do now?" question that was asked too late.


FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]