Full Disclosure mailing list archives
Re: Removing FIred admins
From: Benjamin Schweizer <besh () gmx net>
Date: Fri, 13 Feb 2004 16:54:21 +0100
Volker Tanger wrote:
| If you have to assume being compromised, re-install and
| re-configure all your systems starting from scratch and clean media
| (boot from CD, partition harddisc, format HD, install base system,
| ...) - and start with your most (business) critical systems. Have
| this done by an admin you trust.

Keep in mind that the "retired" admin knows all weaknesses, he knows if there is an IDS, insecure protocols, what system compromises hurt most, he knows the social network and, maybe, he knows how to get physical access... paranoia?

I think you need to do some risk management. There are some steps to keep in mind (from a security point of view), I'd follow this order:

1. change the logins
2. ensure that he has no more physical access
3. inform his colleagues (protect against social engineering)
4. check your logs / increase the log level / install additional IDS
5. reinstall the affected systems from scratch (run an audit if not possible)
6. fix security holes that he could/should know
7. ensure that your other admins are upright (be fair)
8. watch your competitors if he sold information
9. break his password, if you have no access to your data
10. prepare for the future

You should ask yourself the questions "how much can it cost in the worst case?", "will we survive it?" and "is that realistic?". Costs vs. security.

regards
-- 
http://www.redsheep.de/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
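Added example, not part of the original post: one way to verify step 1 ("change the logins") after the fact, by checking that no usable password predates the departure and that no SSH key of the departed admin is still authorized. It assumes Linux shadow(5) and OpenSSH authorized_keys formats; the user "jdoe", the departure date used in the check and all sample data are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed shadow(5) sample; "jdoe" is a hypothetical departed admin.
SHADOW = """\
root:$1$aaaa$hash:12455:0:99999:7:::
backup:$1$bbbb$hash:12462:0:99999:7:::
oracle:$1$cccc$hash:12100:0:99999:7:::
jdoe:$1$dddd$hash:12400:0:99999:7:::
daemon:*:12000:0:99999:7:::
"""

# Constructed authorized_keys sample for a shared account.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed1 alice@ops
from="10.0.0.5" ssh-dss AAAAB3NzaC1kc3MAAAconstructed2 jdoe@laptop
# ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed3 disabled
"""

def stale_logins(shadow_text, departed, departure):
    """Return (user, reason) for every login the departed admin may still hold."""
    cutoff = (departure - EPOCH).days      # field 3 counts days since 1970-01-01
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw, lastchg = fields[:3]
        if pw.startswith(("!", "*")):      # locked: no password login possible
            continue
        if user == departed:
            findings.append((user, "account not locked"))
        elif not lastchg.isdigit() or int(lastchg) < cutoff:
            findings.append((user, "password older than departure"))
    return findings

def leftover_keys(keys_text, departed_blobs):
    """Return 1-based line numbers whose key blob belongs to the departed admin."""
    hits = []
    for n, line in enumerate(keys_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, and the trailing comment is free
        # text, so match on the base64 key blob itself.
        if any(t in departed_blobs for t in tokens):
            hits.append(n)
    return hits
```

Shared and service accounts (root, oracle in the sample) are the ones most easily missed, because their passwords are not tied to the departed person's own login.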
