Penetration Testing mailing list archives
Re: Handling Sysads resignation/termination
From: Irvin Temp <znah_irvin () yahoo com>
Date: Wed, 3 Aug 2005 21:38:33 -0700 (PDT)
> What's he going to do? Say yes? Then what?
Thanks for the reply. I think the questions will not be aimed directly at checking whether he has placed a logic/time bomb etc., thus I'm not expecting a "yes or no" answer. I was looking into letting him explain what his day-to-day activity was during his stay and what systems he was involved in, to try to get a sense of what his involvement was (from his point of view) in past projects (system development, DB or server administration, I'm not sure what you call it??), what sensitive files he might have been given access to on those occasions, whether his access was properly terminated, and other information that can be verified using the firewall, mail, DB logs and syslog to check for consistency.

The matter of looking for time bombs/malicious programs will be mostly, if not purely, a technical activity such as an audit, checking of processes, and reviewing logs to support the information you got from an interview. For example, when he said during the interview that during a project development or some activity he was not involved or required access to DBs, but logs show that his account/PC made attempts to access a DB. Or unusual mail traffic during his last few weeks of stay indicating sending of attachments that may or may not contain confidential data. Or during the security checks he had access to files that he neither needed nor had clearance for.

My over-simplification of the activity is that the interview and the actual logs will be compared to check for inconsistencies or signs of unusual activity that may need to be further investigated. If there are inconsistencies, it might be he's trying to hide something, or it might reveal that someone has been using his account or privilege to elevate their level of access, with or maybe without his knowledge. This process is not solely meant for finding fault with the sysad but also for his own protection. An interview alone won't do much, as some have said. I think it has to be a combination of interview and actual audit.

Going further, this might open a can of worms that might be a result of a lack of policy or standard in the company, so this is also a good opportunity to learn how to improve the security posture of the company. I'm looking into formalizing the process in the termination procedure, be it for a trustworthy or non-trustworthy admin. My opinion is this is just good practice...
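
The interview-versus-logs comparison described in the message above, as an added example that is not part of the original post. The account name, host names, dates, thresholds and the log layout are all constructed assumptions; real firewall, mail, DB and syslog records would first need to be normalised into a common form like this.

```python
import re
from datetime import datetime, timedelta

# Constructed interview summary: account, hosts and dates are assumptions.
INTERVIEW = {
    "account": "jdoe",
    "access_end": datetime(2005, 8, 1, 18, 0),   # when access should have stopped
    "claimed_systems": {"web01", "mail01"},      # systems he said he worked on
}
# Constructed log lines in a made-up "timestamp host service key=value" layout.
LOGS = """\
2005-07-11T09:14:02 web01 sshd login=ok user=jdoe
2005-07-15T08:00:00 db01 dbauth login=ok user=asmith
2005-07-20T23:41:10 db01 dbauth login=failed user=jdoe
2005-07-20T23:41:55 db01 dbauth login=ok user=jdoe
2005-07-28T18:03:27 mail01 smtp user=jdoe rcpt=ext@example.org attach_bytes=48211004
2005-07-29T10:00:00 mail01 smtp user=jdoe rcpt=boss@corp.example attach_bytes=10240
2005-08-03T02:12:44 web01 sshd login=ok user=jdoe
"""
LINE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+) (?P<rest>.*)")

def parse(line):
    """Split one log line into a dict; return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], **fields}

def inconsistencies(interview, log_text, internal="corp.example",
                    weeks=4, max_bytes=5_000_000):
    """Return (kind, line) pairs where the logs disagree with the interview."""
    findings = []
    window_start = interview["access_end"] - timedelta(weeks=weeks)
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev.get("user") != interview["account"]:
            continue
        if ev["host"] not in interview["claimed_systems"]:
            findings.append(("unclaimed_system", line))      # e.g. the DB he never needed
        if ev["ts"] > interview["access_end"]:
            findings.append(("access_not_terminated", line))
        external = "rcpt" in ev and not ev["rcpt"].endswith("@" + internal)
        if (external and ev["ts"] >= window_start
                and int(ev.get("attach_bytes", 0)) > max_bytes):
            findings.append(("large_external_attachment", line))
    return findings

if __name__ == "__main__":
    for kind, line in inconsistencies(INTERVIEW, LOGS):
        print(f"{kind:26} {line}")
```

Each finding is a lead for follow-up rather than a conclusion, since the same record fits either the admin's own activity or someone else using his account.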