
Last week, a couple of guys were fired from the company I work for; all of them had access to sensitive information.

One of them erased all the e-mails from the mail server, sent a massive e-mail to most of our customers, insulting them, and telling them not to do business with us because "We suck". Literally.

The system administrators failed to remove their credentials for the servers when they were fired, a very common mistake unfortunately. The current system administrators do not seem to know what to do in this scenario. Neither do I, to be honest, and I would like to know what the normal procedure to follow is in case of a security breach, so I can make a recommendation to implement it in the company.

Scott Pack
ILikeTacos
  • Can you clarify: is your question "what should we do now to clean up the mess" or "what should we do to prevent this happening ever again"? – Graham Hill May 08 '12 at 16:58
  • I am actually asking for a common protocol to follow if this happens again, specifically the legal part. What actions can the company take against the intruder? – ILikeTacos May 08 '12 at 17:04
  • Hire a lawyer for the legal part and a consultant who specializes in this sort of situation. The consultant has likely worked with lawyers and prepared documents for litigation purposes. – DKNUCKLES May 08 '12 at 17:33
  • Develop a CSIRT (computer security incident response team) and gather data using forensic methods; include a chain of custody in order for the evidence to be used to press legal charges. – Mark S. May 08 '12 at 23:59
  • It should not happen again. You should cut their ability to access the company network before you tell them. – Ramhound May 09 '12 at 18:16

2 Answers


Serverfault has a great canonical answer on "what should we do now to clean up this mess", so I'll take a stab at "what should we do to prevent this happening ever again".

  • Your organisation needs to establish an "employee leaving" process and stick to it.
  • Your organisation will need to work out if they should treat all terminations the same, or differently between "hostile" and "non-hostile" terminations, or differently between regular employees and those with access to sensitive information.
  • IT needs to document the procedures for closing every account an employee might have, including accounts IT doesn't control.
  • IT needs to keep an employee account register that lets them instantly identify what accounts any given employee has. (This can be a lot of work.)
  • IT needs to have a list of all generic accounts and who knows the passwords to them. They also need to remove as many generic accounts as possible, ideally all of them.
  • When the decision is made to "hostile" terminate, HR need to meet with IT in advance and plan so the accounts are all disabled while the employee is learning that they have been terminated.
  • At the same time as the accounts are closed, their computer hardware and ID badges need to be secured.

IT, HR and senior management all need to commit to the above.

In addition, it also sounds from your question that your backup procedures are not good — fix that. (Don't forget to secure your backups. In particular, try not to have any people with permission to delete both the originals and the backups.)

Graham Hill
  • +1 for an "Employee Leaving Process". Having a checklist ensures that Management is aware of what you do when employees are terminated, as well as helping you keep cool and calm in a situation that can be stressful for a SysAdmin. – DKNUCKLES May 08 '12 at 17:31
  • I would say that the employee's account needs to be disabled prior to informing them that they are fired. – Mark S. May 09 '12 at 00:00
  • @Mark that risks putting IT in the awkward position of getting a helpdesk ticket saying "my account is broken" and having to lie about it. Been there: did not like. – Graham Hill May 09 '12 at 09:54
  • @GrahamHill - If you are aware they have been terminated then answering their ticket isn't really on the priority list of tickets to answer. – Ramhound May 09 '12 at 18:28
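The account register, the list of generic accounts and the "disable everything while HR is in the room" step from the answer above can be made concrete. The following is an added example (not code from the question or the answer); every employee, system and account in it is constructed sample data, and the register layout and function names are assumptions of the example. It produces the checklist IT executes at termination time and, separately, reconciles a live account export against the register to catch exactly the failure described in the question: a departed employee's account still enabled.

```python
from datetime import date

# Constructed sample data for a hypothetical company; none of these names,
# systems or accounts come from the question.
# Account register: employee -> {system: account name on that system}.
# It also covers accounts IT does not control directly (here: an external CRM).
REGISTER = {
    "alice": {"ad": "alice", "mail": "alice@example.com", "vpn": "alice", "crm": "alice.w"},
    "bob": {"ad": "bob", "mail": "bob@example.com", "crm": "bob.k"},
    "carol": {"ad": "carol", "mail": "carol@example.com"},
}

# Generic/shared accounts and the set of people who know each password.
# A departure means the password must be rotated, not the account disabled.
SHARED = {
    "root@mailserver": {"alice", "carol"},
    "admin@crm": {"bob"},
}

# Employees who have left, with the date HR terminated them.
DEPARTED = {"alice": date(2012, 5, 1)}


def termination_plan(employee):
    """Build the checklist IT executes while HR is delivering the news:
    every personal account to disable, every shared password to rotate,
    and the physical items to collect."""
    accounts = REGISTER.get(employee)
    if accounts is None:
        # A missing register entry means IT cannot know what to close.
        raise KeyError(f"{employee!r} is not in the account register")
    disable = sorted(f"{system}:{name}" for system, name in accounts.items())
    rotate = sorted(s for s, holders in SHARED.items() if employee in holders)
    return {
        "disable": disable,
        "rotate_shared": rotate,
        "collect": ["laptop", "phone", "ID badge", "office keys"],
    }


def reconcile(exports):
    """Compare live account exports against the register.

    exports: {system: {account_name: enabled_flag}} as dumped from each system.
    Returns two sorted lists of (system, account):
      - accounts still enabled for departed employees (the failure in the question)
      - accounts the register does not know about (unregistered/orphan accounts)
    """
    owner = {}
    for employee, accounts in REGISTER.items():
        for system, name in accounts.items():
            owner[(system, name)] = employee
    departed_enabled = []
    orphans = []
    for system, accounts in exports.items():
        for name, enabled in accounts.items():
            employee = owner.get((system, name))
            if employee is None:
                orphans.append((system, name))
            elif enabled and employee in DEPARTED:
                departed_enabled.append((system, name))
    return sorted(departed_enabled), sorted(orphans)


if __name__ == "__main__":
    print(termination_plan("alice"))
    # Constructed export: alice is still enabled in AD a week after leaving.
    live = {
        "ad": {"alice": True, "bob": True, "svc_legacy": True},
        "mail": {"alice@example.com": False, "bob@example.com": True},
    }
    print(reconcile(live))
```

Running `reconcile` against each system's account export on a schedule is the check that would have flagged the situation in the question; the orphan list is the starting point for shrinking the generic accounts the answer says should ideally all be removed.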

The following is what I would do, given your situation.

  1. Restore the e-mails from a previous back up. If they deleted them then assume they had something to hide.
  2. Contact a professional who can audit your systems and ensure there are no back doors or network holes that remain unpatched from the termination (webmail / VPN credentials / BlackBerrys, RDC connections, files, etc.)
  3. Compare your file backups from the day of termination to the previous night. Restore any files that may have been deleted.
  4. Enlist your PR / Communications team as you're going to have to do some damage control in regards to the e-mail that was sent out.
  5. As Graham stated, you need to create a set of policies as well as an "employee departure checklist" to prevent this from happening.
  6. You need to sit down with HR and Senior Management to discuss termination procedures as they typically need to be well orchestrated (i.e. ensure the employee is not around a computer when it's happening, and get IT to lock off systems as it's happening, etc.)
  7. Depending on the level of auditing (and judging by your situation, I'm going to assume you don't have much) see which files have been accessed and modified since the departure.
  8. Keep tabs on e-mails leaving your system - if the employees still have friends inside, they might still be divulging trade secrets / private company information to their terminated friends.

Hope that helps!

DKNUCKLES
  • -1. If an employee wants to divulge private company information, he can do it using a non-work email address that you don't work. – Andrei Botalov May 15 '12 at 18:38
  • Or he could put it on a USB key or burn it to a CD. What's your point for your down vote? My answer didn't say "this is how you prevent it from happening", it was "this is one way of checking to see if it's happening". – DKNUCKLES May 15 '12 at 19:24
  • I think that if a skilled employee wants to do harm, then he will think about his actions. He won't take an easy-to-catch illegal action like sending trade secrets to a 3rd party from a work address that is read by sysadmins. – Andrei Botalov May 15 '12 at 19:55
  • Define "easy to catch". What's to say the enterprise in question doesn't employ monitoring software like Spector on workstations, which would make almost any illegal action easy to spot? Does that mean that logs shouldn't be checked because you "think" someone wouldn't be so foolish? – DKNUCKLES May 15 '12 at 20:02
  • -1. An audit is too tedious, and can take several weeks. Absolutely impractical. – Martin Vegter Aug 09 '16 at 13:36
  • @MartinVegter There was no mention of a time constraint, and an audit would be necessary if legal action is required. Don't speak in terms of practicality unless you know the resources and time constraints or lack thereof. – DKNUCKLES Aug 09 '16 at 15:45
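Steps 3 and 7 of the answer above (compare the termination-day backup with the previous night's and restore what was deleted; list what was modified since the departure) both reduce to a diff over backup manifests. The following is an added example, not code from the answer or from any backup product: the manifests are constructed sample snapshots with made-up paths, timestamps and contents, and `build_manifest`, `diff_manifests`, `changed_since` and `restore_plan` are names chosen for this example. In practice the manifest comes from walking each backup set and hashing every file.

```python
import hashlib
from datetime import datetime


def build_manifest(files):
    """files: {path: (mtime ISO string, content bytes)} -> {path: (mtime, sha256)}.
    Hashing, not mtime, decides whether a file changed; mtime is kept for
    the 'what happened after the departure' question."""
    return {
        path: (mtime, hashlib.sha256(content).hexdigest())
        for path, (mtime, content) in files.items()
    }


# Constructed snapshots (hypothetical; nothing here is the asker's data).
# Backup from the night before the termination:
BEFORE = build_manifest({
    "contracts/acme.pdf": ("2012-05-01T09:00:00", b"ACME contract v1"),
    "hr/salaries.xlsx": ("2012-04-20T11:30:00", b"salary table"),
    "mail/inbox.mbox": ("2012-05-07T23:00:00", b"mail archive"),
})
# Backup taken the day of the termination (after the damage):
AFTER = build_manifest({
    "contracts/acme.pdf": ("2012-05-01T09:00:00", b"ACME contract v1"),
    "hr/salaries.xlsx": ("2012-05-08T15:10:00", b"salary table, edited"),
    "notes/farewell.txt": ("2012-05-08T15:20:00", b"farewell"),
})


def diff_manifests(before, after):
    """Classify every path as deleted, modified (content hash differs) or added."""
    deleted = sorted(p for p in before if p not in after)
    added = sorted(p for p in after if p not in before)
    modified = sorted(
        p for p in before if p in after and before[p][1] != after[p][1]
    )
    return {"deleted": deleted, "modified": modified, "added": added}


def changed_since(manifest, since_iso):
    """Paths whose recorded mtime is at or after the cutoff (step 7 of the answer).
    Only as trustworthy as the auditing that produced the timestamps."""
    cutoff = datetime.fromisoformat(since_iso)
    return sorted(
        p for p, (mtime, _) in manifest.items()
        if datetime.fromisoformat(mtime) >= cutoff
    )


def restore_plan(before, after):
    """Candidate list for restoration from the earlier backup: everything deleted
    plus everything whose content changed. Modified files are candidates only;
    a legitimate edit made the same day would be lost if restored blindly, so
    each one needs a human decision before the restore."""
    d = diff_manifests(before, after)
    return sorted(d["deleted"] + d["modified"])


if __name__ == "__main__":
    print(diff_manifests(BEFORE, AFTER))
    print(changed_since(AFTER, "2012-05-08T14:00:00"))
    print(restore_plan(BEFORE, AFTER))
```

Keep the two manifests (and the backups they describe) read-only once the comparison starts; the diff output is part of what a lawyer or the consultant from the comments will want, and it is only useful as evidence if the underlying data was not touched after the fact.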