Firing System Administrators
CPTE 433 John Beckett
Why, Why, Why?
• The two sides of the story are probably so different that you’d wonder if they were working in the same company
– or inhabiting the same planet
– Because unhappy terminations usually start with differences in perceptions
• Don’t pass info to others
– This can hurt people
– It decreases your credibility and promotability
• Focus on the technical tasks
First, the Headlines
• “Firing” an SA is undoing the access (s)he had while employed.
• That can be difficult because:
– The SA may have designed the access scheme (perhaps in undocumented ways we call “back doors.”)
– The SA probably had “root” access to many facilities.
– Fundamentally, it’s an “agency” problem.
The Agency Problem
• The person whose (potential) misdeeds could harm stakeholders is in control of information.
• Corporate CEO/CFOs: Control decision-making input to boards.
• SAs: Control the controls of your system
Termination Steps
• Procedure
– Follow corporate HR policy
– Use a checklist – file it when complete
• Access
– Physical
– Remote
– Service & Applications
• Improve
– Look for ways to shorten the checklist
Termination Checklist
• Part 1: Work with HR
– They may already have a checklist
• Part 2: Technical aspects relating to the SA’s job
– Should include technical details on how to do each step
– Likely to be updated every time you use it
How To Develop a Checklist
• Start with the checklist for processing a person in.
• Continue with a list of what they’ve developed or set up.
• Now you know what you must disconnect them from!
Three Levels of Access
• Physical Access
– Deactivate card / Return key(s)
– Deny Social Engineering
• Remote Access
– Radius / Dial-in
– VPN
• Application/Service Access
• Use a separate team for each level.
Physical Control Devices
• Could that key have been duplicated?
• Was this SA able to make access cards?
– Again – that nasty agency problem!
• Do you actually have records of all cards or keys that have been distributed?
Wiegand cards are pre-serialized at the factory, which improves your ability to achieve good control.
Portable Property
– Whose property is it, really?
– How will you physically get it returned?
– Accessories?
– Cables?
– Wall-Warts?
– Are there subscriptions to cancel or re-direct?
– Can you “nuke” this product?
Don’t We Trust Each Other?
• Good separation protects both:
• The firm, because it is less likely to suffer damage.
– …or encounter confusion when solving a problem which might have had something to do with the fired employee.
• The employee who is leaving.
– She wishes to remain above reproach.
Case: “Zap This Drive”
• User’s job was to do research. All the research went on his hard drive (which wasn’t backed up.)
• He was fired.
• On his way out, he told the SA, “I’ve got some personal stuff on the drive so please nuke it.”
• The SA did what he was asked to do.
Who is responsible for this gaffe?
What Did the SA Do Wrong?
1. Honored the request of a fired employee.
2. Failed to recognize that the computer in its entirety was the property of the company.
3. Failed to have a backup program in place.
• Fortunately, a recovery program worked.
The Media Ministry
• I acted as a volunteer webmaster for a media ministry just starting to use the web
• My only contact at the ministry was fired for unspeakable behavior
• The ministry’s manager was worried that the fired person might strike back
• The manager called me when I was out of town on a trip, with limited connectivity
What We Did
• The manager and I authenticated each other
– SDA workers can always do this
– The procedure involves exchange of tokens that were shared experiences
• I “froze” the site by changing the root password
– Should have done an extra backup as well
• Later, I passed control on to a new webmaster they acquired
– Authenticated through a third party
What Could Have Gone Wrong
• The fired employee could have had a hacker friend
– The hacker friend could have left a back door in the system
– They could have made changes at a later time
• We were lucky
– The fired employee actually cared about the ministry, even though his personal behavior was not what it should be
Improving the Process
• Have a single authentication database
• Document access that does not depend on this database
• Archive system configuration files
– Audit changes, tracking them to specific tickets
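An added example (not part of the original slides) of the audit behind “Document access that does not depend on this database”: it lists the local accounts and root SSH keys on a host, then compares them with a documented inventory to show what the departing SA holds and what nobody documented. The inventory layout, the account names and the key blobs are assumptions constructed for illustration.

```python
import base64
import hashlib

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def local_logins(passwd_text):
    """Names of local passwd entries that still have an interactive shell."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#") and fields[6] not in NOLOGIN:
            names.append(fields[0])
    return names

def key_fingerprints(authorized_keys_text):
    """ssh-keygen -l style SHA256 fingerprints (key comments are free text, so not trusted)."""
    prints = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):  # a leading options field is skipped
            if not parts[0].startswith("#") and tok in KEY_TYPES:
                digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
                prints.append("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
                break
    return prints

def observed_access(passwd_text, root_keys_text):  # paths that bypass the directory
    return ([("account", n) for n in local_logins(passwd_text)]
            + [("root-key", fp) for fp in key_fingerprints(root_keys_text)])

def audit(observed, inventory, departing):
    """Return (paths the departing SA holds, paths nobody documented)."""
    revoke = sorted(a for a in observed if departing in inventory.get(a, ()))
    undocumented = sorted(a for a in observed if a not in inventory)
    return revoke, undocumented

# Constructed sample data: names are hypothetical, key blobs are not real keys.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
          "deploy:x:1001:1001::/home/deploy:/bin/bash\n"
          "svc_backup:x:1002:1002::/home/svc_backup:/bin/sh\n")
ROOT_KEYS = 'ssh-ed25519 a2V5LUE= alice@laptop\nfrom="10.0.0.5" ssh-ed25519 a2V5LUI=\n'
INVENTORY = {("account", "root"): {"alice", "bob"},  # shared: rotate the password
             ("account", "deploy"): {"alice"},
             ("root-key", key_fingerprints(ROOT_KEYS)[0]): {"alice"}}

if __name__ == "__main__":
    print(audit(observed_access(PASSWD, ROOT_KEYS), INVENTORY, "alice"))
```

The first list is what goes on the termination checklist; the second is access with no owner on record, which has to be explained before the checklist is filed.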