Post on 18-Dec-2015

Firing System Administrators

CPTE 433 John Beckett

Why, Why, Why?

• The two sides of the story are probably so different that you’d wonder if they were working in the same company
  – or inhabiting the same planet
  – Because unhappy terminations usually start with differences in perceptions

• Don’t pass info to others
  – This can hurt people
  – It decreases your credibility and promotability

• Focus on the technical tasks

First, the Headlines

• “Firing” an SA is undoing the access (s)he had while employed.

• That can be difficult because:
  – The SA may have designed the access scheme (perhaps in undocumented ways we call “back doors.”)
  – The SA probably had “root” access to many facilities.
  – Fundamentally, it’s an “agency” problem.

The Agency Problem

• The person whose (potential) misdeeds could harm stakeholders is in control of information.

• Corporate CEO/CFOs: Control decision-making input to boards.

• SAs: Control the controls of your system

Termination Steps

• Procedure
  – Follow corporate HR policy
  – Use a checklist – file it when complete

• Access
  – Physical
  – Remote
  – Service & Applications

• Improve
  – Look for ways to shorten the checklist

Termination Checklist

• Part 1: Work with HR
  – They may already have a checklist

• Part 2: Technical aspects relating to the SA’s job
  – Should include technical details on how to do each step
  – Likely to be updated every time you use it

How To Develop a Checklist

• Start with the checklist for processing a person in.

• Continue with a list of what they’ve developed or set up.

• Now you know what you must disconnect them from!

Three Levels of Access

• Physical Access
  – Deactivate card / Return key(s)
  – Deny Social Engineering

• Remote Access
  – RADIUS / Dial-in
  – VPN

• Application/Service Access

• Use a separate team for each level.

Physical Control Devices

• Could that key have been duplicated?

• Was this SA able to make access cards?
  – Again – that nasty agency problem!

• Do you actually have records of all cards or keys that have been distributed?

Wiegand cards are pre-serialized at the factory, which improves your ability to achieve good control.

Portable Property

– Whose property is it, really?
– How will you physically get it returned?
– Accessories?
– Cables?
– Wall-Warts?
– Are there subscriptions to cancel or re-direct?
– Can you “nuke” this product?

Don’t We Trust Each Other?

• Good separation protects both:

• The firm, because it is less likely to suffer damage.
  – …or encounter confusion when solving a problem which might have had something to do with the fired employee.

• The employee who is leaving.
  – She wishes to remain above reproach.

Case: “Zap This Drive”

• User’s job was to do research. All the research went on his hard drive (which wasn’t backed up.)

• He was fired.

• On his way out, he told the SA, “I’ve got some personal stuff on the drive so please nuke it.”

• The SA did what he was asked to do.

Who is responsible for this gaffe?

What Did the SA Do Wrong?

1. Honored the request of a fired employee.

2. Failed to recognize that the computer in its entirety was the property of the company.

3. Failed to have a backup program in place.

• Fortunately, a recovery program worked.

The Media Ministry

• I acted as a volunteer webmaster for a media ministry just starting to use the web

• My only contact at the ministry was fired for unspeakable behavior

• The ministry’s manager was worried that the fired person might strike back

• The manager called me when I was out of town on a trip, with limited connectivity

What We Did

• The manager and I authenticated each other
  – SDA workers can always do this
  – The procedure involves exchange of tokens that were shared experiences

• I “froze” the site by changing the root password
  – Should have done an extra backup as well

• Later, I passed control on to a new webmaster they acquired
  – Authenticated through a third party

What Could Have Gone Wrong

• The fired employee could have had a hacker friend
  – The hacker friend could have left a back door in the system
  – They could have made changes at a later time

• We were lucky
  – The fired employee actually cared about the ministry, even though his personal behavior was not what it should be

Improving the Process

• Have a single authentication database

• Document access that does not depend on this database

• Archive system configuration files
  – Audit changes, tracking them to specific tickets
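
One way to start the "document access that does not depend on this database" inventory, as an added example that is not part of the original slides: it lists local login accounts from a passwd-format file and SSH keys labelled with a departing SA's name. The account names, paths, key placeholders and the departing user "carol" are all constructed for illustration.

```python
# Added example. Account names, paths and key blobs below are constructed.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:spare admin:/root:/bin/sh
svcbackup:x:998:998:backup job:/var/backup:/bin/bash
"""

AUTHORIZED_KEYS = {  # path -> file content
    "/root/.ssh/authorized_keys":
        "ssh-ed25519 PLACEHOLDER-KEY-1 alice@admin-ws\n"
        "ssh-ed25519 PLACEHOLDER-KEY-2 carol@laptop\n",
    "/var/backup/.ssh/authorized_keys":
        'command="/usr/local/bin/backup" ssh-ed25519 PLACEHOLDER-KEY-3 carol@laptop\n',
}

def local_login_accounts(passwd_text):
    """Local accounts with a login shell: access that bypasses central auth."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if shell in NOLOGIN:
            continue
        findings.append((name, "uid 0" if uid == "0" else "login shell"))
    return findings

def keys_labelled(owner, authorized_keys):
    """(path, line number) of SSH keys whose comment names `owner`.
    Comments are free text, so unlabelled keys still need manual review."""
    hits = []
    for path, text in authorized_keys.items():
        for n, line in enumerate(text.splitlines(), 1):
            tokens = line.split()
            i = next((k for k, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
            if i is not None and " ".join(tokens[i + 2:]).split("@")[0] == owner:
                hits.append((path, n))
    return hits

if __name__ == "__main__":
    for name, why in local_login_accounts(PASSWD):
        print(f"document and rotate credentials: {name} ({why})")
    for path, n in keys_labelled("carol", AUTHORIZED_KEYS):
        print(f"remove key: {path} line {n}")
```

Each finding becomes a line on the technical half of the termination checklist: shared local credentials get rotated, and labelled keys get removed.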