What To Do After You Fire a Bad Sysadmin Or Developer
Esther Schindler writes "The job of dealing with an under-performing employee doesn't end when the culprit is shown the door. Everyone focuses on security tasks, after you fire the idiot, such as changing passwords, but that's just one part of the To Do list. More important, in the long run, is the cleanup job that needs to be done after you fire the turkey, looking for the hidden messes and security flaws the ex-employee may have left behind. Otherwise, you'll still be cleaning up the problems six months later."
Here be Dragons (Score:5, Informative)
The answer has been widely discussed here: http://serverfault.com/questions/171893/how-do-you-search-for-backdoors-from-the-previous-it-person
No easy answers (Score:2, Informative)
Re:First thing's first (Score:4, Informative)
Nope. When the bad guys have got root on your PC the only way to restore confidence in it is to rebuild it from a trusted image. Likewise if your network admin has gone untrusted on your infrastructure you burn it down and build it new again. Nuke it from orbit. It's the only way to be sure.
Frankly that's not near enough to stop a real determined jerk with skills, but thankfully we are rare. Don't hire us in the first place if you can avoid it.
Re:Here be Dragons (Score:4, Informative)
"A bad (as in lazy, surly, abusive) sysadmin who left traps will leave them in places not detectable by an audit."
The point of an audit is not to uncover and clean all the traps but to gain legal security.
Re:Here be Dragons (Score:4, Informative)
Just look at this report: Cross-VM Side Channels and Their Use to Extract Private Keys [unc.edu]
Pretty clear that the virtualized servers aren't as safe as physically separated servers.