Penetration Testing mailing list archives

Re: Handling Sysads resignation/termination


From: Irvin Temp <znah_irvin () yahoo com>
Date: Wed, 3 Aug 2005 21:38:33 -0700 (PDT)

> What's he going to do? Say yes? Then what?

Thanks for the reply. I think the questions will not be directly to check whether he has placed a logic/time bomb etc., thus I'm not expecting a "yes or no" answer.

I was looking into letting him explain what his day-to-day activity was during his stay and what systems he was involved in, trying to get a sense of what his involvement was (from his point of view) in past projects (system development, DB or server administration, I'm not sure what you call it), what sensitive files he might have been given access to on those occasions, whether his access was properly terminated, and other information that can be verified using the firewall, mail and DB logs and syslog to check for consistency.

The matter of looking for time bombs/malicious programs will mostly, if not purely, be a technical activity such as an audit, checking of processes and reviewing logs to support the information you got from the interview. For example, when he says during the interview that during a project development or some activity he was not involved or did not require access to DBs, but the logs show that his account/PC made attempts to access the DB. Or unusual mail traffic during his last few weeks of stay showing attachments being sent that may or may not contain confidential data. Or during the security checks he had access to files that he neither needed nor had clearance for.

My over-simplification of the activity is that the interview and the actual logs will be compared to check for inconsistencies or signs of unusual activity that may need to be investigated further.

If there are inconsistencies, it might be that he's trying to hide something, or it might reveal that someone has been using his account or privileges to elevate their level of access, with or maybe without his knowledge. This process is not solely meant to find fault with the sysad but is also for his own protection.

Interview alone won't do much, as some have said. I think it has to be a combination of interview and actual audit.

Going further, this might open a can of worms that may be the result of a lack of policy or standards in the company, so this is also a good opportunity to learn how to improve the security posture of the company. I'm looking into formalizing the process in the termination procedure, be it for a trustworthy or a non-trustworthy admin. My opinion is that this is just good practice.

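The comparison the post above describes (interview statements versus firewall, mail, DB and syslog evidence), written out as an added example that is not part of the original message or of this thread. It assumes a hypothetical admin account jsmith, hypothetical hosts and mail domain, constructed syslog and mail-log lines, and an interview record of which systems and share paths the admin said his work involved. It flags three kinds of inconsistency the post mentions: account activity on hosts he did not list, files opened outside the paths he said he needed, and mail with attachments sent to external addresses during his last weeks.

```python
"""Cross-check a departing sysadmin's interview answers against log evidence.
Added example, not code from the original post. The account 'jsmith', the
hosts, the mail domain and every log line below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed syslog extract: sshd, postgres and smbd lines that mention the account.
SYSLOG = """\
Aug  1 09:12:01 dbsrv01 sshd[2211]: Accepted publickey for jsmith from 10.1.2.7 port 51022
Aug  1 09:40:17 dbsrv01 postgres[3002]: FATAL: password authentication failed for user "jsmith"
Aug  2 22:13:40 dbsrv01 postgres[3120]: connection authorized: user=jsmith database=payroll
Aug  2 22:14:02 fileserv01 smbd[880]: jsmith opened file /finance/board_minutes.doc
Aug  3 08:00:11 web01 sshd[112]: Accepted publickey for jsmith from 10.1.2.7 port 51100
"""
# Constructed mail-log extract, one line per outbound message.
MAILLOG = """\
2005-07-20 10:02:11 from=jsmith@corp.example to=ops@corp.example attachments=0 size=2100
2005-07-28 23:41:09 from=jsmith@corp.example to=j.smith@mail.example attachments=3 size=4800000
2005-07-29 00:05:33 from=jsmith@corp.example to=j.smith@mail.example attachments=2 size=3100000
2005-08-01 11:15:00 from=jsmith@corp.example to=hr@corp.example attachments=1 size=90000
"""
# Hypothetical record of what the admin said in the interview.
INTERVIEW = {
    "account": "jsmith",
    "systems_involved": {"web01", "fileserv01"},  # he never mentions dbsrv01
    "cleared_paths": ("/it/", "/ops/"),           # share paths he says his work needed
    "last_day": "2005-08-03",
}
CORP_DOMAIN = "corp.example"  # assumption: any other recipient domain is external

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[\s]+)\[\d+\]: (?P<msg>.*)$")
# Ways the account appears in a message; the smbd pattern also yields the file path.
USER_RES = [
    re.compile(r'for user "(?P<user>\w+)"'),
    re.compile(r"\bfor (?P<user>\w+) from "),
    re.compile(r"\buser=(?P<user>\w+)"),
    re.compile(r"^(?P<user>\w+) opened file (?P<path>\S+)"),
]
MAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) from=(?P<frm>\S+) to=(?P<to>\S+) attachments=(?P<att>\d+) size=(?P<size>\d+)$")

def parse_syslog(text):
    """One dict per parsable line: host, program, message, user and (for smbd) file path."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ev = dict(m.groupdict(), user=None, path=None)
        for pat in USER_RES:
            um = pat.search(ev["msg"])
            if um:
                ev.update(user=um.group("user"), path=um.groupdict().get("path"))
                break
        events.append(ev)
    return events

def parse_maillog(text):
    records = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
            r["att"], r["size"] = int(r["att"]), int(r["size"])
            records.append(r)
    return records

def unclaimed_host_access(events, interview):
    """Hosts the account touched that the admin did not list: {host: event count}."""
    counts = {}
    for ev in events:
        if ev["user"] == interview["account"] and ev["host"] not in interview["systems_involved"]:
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return counts

def files_outside_clearance(events, interview):
    """File paths the account opened outside the share paths he said he needed."""
    return sorted({ev["path"] for ev in events
                   if ev["user"] == interview["account"] and ev["path"]
                   and not ev["path"].startswith(interview["cleared_paths"])})

def external_mail_with_attachments(records, interview, weeks=2):
    """Mail with attachments sent from the account to external addresses in his last N weeks."""
    last_day = datetime.strptime(interview["last_day"], "%Y-%m-%d")
    start = last_day - timedelta(weeks=weeks)
    sender = f"{interview['account']}@{CORP_DOMAIN}"
    return [r for r in records
            if r["frm"] == sender and not r["to"].endswith("@" + CORP_DOMAIN)
            and r["att"] > 0 and start <= r["ts"] < last_day + timedelta(days=1)]

def cross_check(syslog_text, maillog_text, interview):
    """Compare the interview record against the logs; each entry is a lead to follow up, not proof."""
    events, mail = parse_syslog(syslog_text), parse_maillog(maillog_text)
    return {
        "unclaimed_host_access": unclaimed_host_access(events, interview),
        "files_outside_clearance": files_outside_clearance(events, interview),
        "external_mail_with_attachments": external_mail_with_attachments(mail, interview),
    }

if __name__ == "__main__":
    for finding, detail in cross_check(SYSLOG, MAILLOG, INTERVIEW).items():
        print(finding, detail)
```

On the constructed data this reports three events on dbsrv01 (a host he did not mention, including a failed and then a successful login to the payroll database), one file opened under /finance/ outside his stated paths, and two late-night messages with attachments to an outside address in his last two weeks. As the post says, none of this convicts anyone by itself: the same entries could mean someone else used his account, so each finding is a question for the follow-up interview and a pointer to the logs that need closer review.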
