Re: Handling Sysads resignation/termination

["Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>]

"Oh but to flatten and nuke we'd need better backups.  We can't do 
that." is the response you'd get then.  But indeed that would be the 
only way.

I'm nuking a workstation.. a mere workstation after a malware 
infestation and you'd think I was commiting a cardinal sin or 
something.  'What?  You want to flatten it?



Thor (Hammer of God) wrote:

> Inline:
>
> ----- Original Message ----- From: "Susan Bradley, CPA aka Ebitz - SBS 
> Rocks [MVP]" <sbradcpa () pacbell net>
> To: "Irvin Temp" <znah_irvin () yahoo com>
> Cc: <pen-test () securityfocus com>
> Sent: Tuesday, August 02, 2005 5:39 PM
> Subject: Re: Handling Sysads resignation/termination
>
>
> > What's he going to do? Say yes? Then what?
> >
> >
> > Anyone else besides me thinking of a employment leaving documentation 
> > poured over by Attorneys where he/she has to sign something to the 
> > effect?
>
>
> That won't do any good... For one, the admin is out-- what is the 
> consequence of saying "no" to signing the document?  And what if he 
> does sign it?  How can the company prove, even in the existence of 
> some Trojan, that the exiting admin is responsible for its presence?  
> Setting up a "fall guy for a failing business" is as likely as 
> "malicious actions of an exiting admin" in the eyes of the law (when 
> represented by competent council).  In fact, "duress" in this case 
> could be very easily substantiated (if you said something like he had 
> to sign to get his last check, etc.)
>
> > I wouldn't want you to certify that ....that's asking a bit much on 
> > your part I think. I think you, your HR department and your firm's 
> > Attorneys need to sit down and discuss an action plan.
> >
> > Normally for anyone who isn't a sysadmin the termination process 
> > involved revoking accounts, keys, devices, changing locks etc etc...
>
>
> It's really a moot point-- for it simply cannot be "certified" to 
> begin with.  It is totally impossible to certify what he did or didn't 
> do.  If concern is there, the only real way of gaining any secure 
> posture is to nuke the entire network and rebuild it.   And that only 
> addresses the technical aspects of it:  if I left Anchor today, and 
> they totally rebuilt everything to protect against me, I could call 
> any one of dozens of people and ask them for their username and 
> password and they would give it to me.
>
> You can't protect yourself against the actions of one in a trusted 
> position if they choose to break the law.  You have but the law to 
> protect you once the breech of trust has taken place.
>
> > Check out Steve Riley on this topic...
>
> <snip>
>
> >    Do you trust your administrators? That seemingly innocent question
> >    creates a serious dilemma in the minds of a lot of people. While we
> >    all know what we’d /like/ the answer to be, the disappointing fact
> >    is that, increasingly, the true answer is the opposite. This became
> >    apparent in discussions I had with many attendees at TechEd US in
> >    May—there is genuine concern about the trustworthiness of
> >    administrators...
>
>
> I've worked with Steve before, and I like him.  Pretty damn smart 
> dude.  But his opinion piece here is a bit hyperbolic.  The story of 
> the logic bomb paints a vivid picture of anxious exposure, but if the 
> guy is going to plant a logic bomb, he could also plant a real bomb.  
> You know, the "boom" kind.
>
> While the advise of background checking and least privilege is 
> valuable, it is also a bit obvious.  It all comes down to the cost of 
> doing business, and the level at which you must trust someone in order 
> for that business to be conducted.  You can spend a million dollars a 
> year in background checks, threat level testing and physiological 
> profiling, but it doesn't matter that much when some vendor's cleaning 
> crew has the same physical access as your admin.   Case at point:  We 
> had to fire an employee who had access to our operational systems (as 
> his job required.)  The termination wasn't pretty, as he turned out to 
> be a bit freaky.   A few months later, we had physical issues with our 
> ADT alarm system that required on-site service.  Guess who showed up 
> to fix them?
>
> This is not a tech issue.  It is a people issue, and as long as people 
> trust other people, it always will be.  Of course there are extreme 
> examples of distributed trust models that work (a sysop in a nuke sub, 
> for example) but in the "real world" where we all live, my experience 
> is that any measure of real value taken to mitigate the risk 
> associated with the threat of a malicious admin's actions ends up 
> costing more than the resource we seek to protect in the first place.  
> Otherwise, the merit of the asset's value would have dictated that 
> measures already be in place when the dude was initially hired.
>
> This is just another example of an "oh shit, what do we do now?" 
> question that was asked too late.
>
> t

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------