Penetration Testing mailing list archives

RE: Handling Sysads resignation/termination


From: "Michael Starr" <northstarr () northstarr org>
Date: Wed, 3 Aug 2005 02:49:25 -0400

We all need to remember that destroying a former employer's (or anyone
else's) property is a crime -- and that we're all supposed to have good
backup procedures and disaster recovery plans.  We all counsel our clients
to that effect, right? We have the recourse of the courts available to us
when an administrator (or any other employee) behaves badly, if necessary.
While some (I won't say paranoid) folks feel they can't trust the
administrators who've served them well, the fact of the matter is that in
most cases (though not in the case of a retiring admin) the person is going
to be looking for another job.  In the network administration field, neither
a criminal record, nor "I trashed my last employer's network because they
let me go" look very good on a resume.  If a systems administrator doesn't
have their reputation, they have nothing.

I have to say that I have been called in to recover passwords on a network
where an admin quit, changed all of the administrator passwords AND the user
passwords, and refused to turn them over.  That person was sued for LOTS of
damages, including my hours in recovering access to the network.
Additionally, he didn't work in the industry, as far as I know, ever again.
His bad behavior is the exception, and not the rule.  

I will also say that most systems administrators are at least as honest and
ethical as the average CPA, or attorney -- even when they've been
terminated.  Finally, it should go without saying that there is a secondary
employee who knows the network well, and can review and report on the status
and condition of the system at periodic intervals, both pre and post
administrator termination.

As with anything else, proper prevention outweighs correction by a mile.
There is a method for terminating an employee -- admin or otherwise, and
there is a reason for that.  There are also methods of putting checks and
balances in place long before termination becomes an issue, and there are
reasons for that as well.  For example, when an admin employee is ready to
retire, their network access should be curtailed immediately, and their
duties should be cut back accordingly.  Often, it's best to pay them NOT to
come in to work for a few weeks.

I bet the SANS reading room has information on this topic too.

That's my .02
Northstarr

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:sbradcpa () pacbell net] 
Sent: Tuesday, August 02, 2005 8:40 PM
To: Irvin Temp
Cc: pen-test () securityfocus com
Subject: Re: Handling Sysads resignation/termination

What's he going to do? Say yes? Then what?


Anyone else besides me thinking of an employment leaving documentation 
pored over by Attorneys where he/she has to sign something to the effect?

I wouldn't want you to certify that ....that's asking a bit much on your 
part I think. I think you, your HR department and your firm's Attorneys 
need to sit down and discuss an action plan.

Normally for anyone who isn't a sysadmin the termination process 
involved revoking accounts, keys, devices, changing locks etc etc...

Check out Steve Riley on this topic...

http://blogs.technet.com/steriley/archive/2005/07/19/407917.aspx

The article is posted in the security management column section on 
TechNet and is the Viewpoint article in the July security newsletter. 
Check it out, and please tell me what you think. It's been generating 
some opinions :)

http://www.microsoft.com/technet/community/columns/secmgmt/sm0705.mspx

    Do you trust your administrators? That seemingly innocent question
    creates a serious dilemma in the minds of a lot of people. While we
    all know what we'd /like/ the answer to be, the disappointing fact
    is that, increasingly, the true answer is the opposite. This became
    apparent in discussions I had with many attendees at TechEd US in
    May -- there is genuine concern about the trustworthiness of
    administrators...



Irvin Temp wrote:

I've been working as a security consultant for a financial company.

A system administrator handling several of the critical servers will be
retiring. Before he leaves the company, the management wants me to
interview him and "certify" that he did not leave any timebombs,
malicious programs on the PCs.

Since I have no experience in handling pre-termination of a systems
administrator, I would appreciate your insights and suggestions on how
to go about this.

Questions that need to be asked. Steps to take to ensure that the
systems are clean after his resignation.


Thanks and God bless! 


---------------------------------------------------------------------------
---
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
---------------------------------------------------------------------------
----


 


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



