Slashdot Mirror


What To Do After You Fire a Bad Sysadmin Or Developer

Esther Schindler writes "The job of dealing with an under-performing employee doesn't end when the culprit is shown the door. Everyone focuses on security tasks, after you fire the idiot, such as changing passwords, but that's just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey, looking for the hidden messes and security flaws the ex-employee may have left behind. Otherwise, you'll still be cleaning up the problems six months later."

5 of 245 comments

  1. Here be Dragons by Anonymous Coward · · Score: 5, Informative

    The answer has been widely discussed here: http://serverfault.com/questions/171893/how-do-you-search-for-backdoors-from-the-previous-it-person

    1. Re:Here be Dragons by turbidostato · · Score: 3, Informative

      "A bad (as in lazy, surly, abusive) sysadmin who left traps will leave them in places not detectable by an audit."

      The point of an audit is not to uncover and clean all the traps but to gain legal security.

    2. Re:Here be Dragons by Z00L00K · · Score: 3, Informative

      Just look at this report: Cross-VM Side Channels and Their Use to Extract Private Keys

      Pretty clear that the virtualized servers aren't as safe as physically separated servers.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. No easy answers by Anonymous Coward · · Score: 2, Informative

    This is one of those things that there are no easy answers for. The Right Answer(tm) is to have good policies, compartmentalization of duties, and mandatory time off (to allow for auditing) so that problem scenarios can be avoided before the fact.

  3. Re:First thing's first by symbolset · · Score: 3, Informative

    Nope. When the bad guys have got root on your PC the only way to restore confidence in it is to rebuild it from a trusted image. Likewise if your network admin has gone untrusted on your infrastructure you burn it down and build it new again. Nuke it from orbit. It's the only way to be sure.

    Frankly that's not near enough to stop a real determined jerk with skills, but thankfully we are rare. Don't hire us in the first place if you can avoid it.

    --
    Help stamp out iliturcy.