
I’ve read that the information security team should be involved in the decommission process for servers (for example this answer or this sample process guide). They are supposed to review and approve the decom request.

What is infosec supposed to review exactly? Are there specific things the security team should be doing when they see the request? For example, should they be archiving off event logs or capturing other information for audit purposes?

Just trying to figure out what I’m not doing but should be when I blindly declare “Approved” on every request.

  • I see your confusion. I would be more worried about confirming the erase wipe worked against the VM. One thing that would be appropriate at that stage is Continuity of Operations (COOP) impact. If the server is shown as critical to availability or recovery, docs and plans would need updating. – zedman9991 Apr 18 '18 at 21:51

2 Answers


Let's say a few months from now your company has reason to believe that there is a malicious actor in the network whose intrusion occurred through leveraging servers in cluster A. However, the actor has been in the network for a while and has established persistence in many areas. Unfortunately, you decommissioned cluster A last month and all the data is gone. Now there are no logs to see what the actor gained access to, how they got in, and where all they went from there. If only you had done a quick look over the system and saved the logs, you could have figured out what other systems are compromised!

In other scenarios, based on the content of the VM servers, you may elect that the disk space needs to be zeroed to ensure that data is unrecoverable. Maybe there is an ongoing testing engagement or forensics investigation involving that server that is unknown to other teams that are ready to delete it.

There are various reasons a particular security team may want to review this process and companies may have more specific use cases but that is the general idea.

SuperAdmin

What the infosec bods should be doing depends on the way the organization runs its IT, what compliance requirements are applicable and how the assets are configured.

A single host will have a footprint much greater than its own filesystem - it will be referenced in monitoring systems, provisioning systems, backup systems, remote access, DNS... Failing to ensure the host is removed from these provides cover for a cuckoo to assume the machine's identity (not to mention the operational impact of errors flagging up on these - although that's not the realm of infosec).

There may be accounts configured specifically for accessing the resource, certificates/other encryption keys, firewall rules which should be removed. There may be an allocation of software/hardware licences associated with the device, or even specific licensing files deployed on the device which should be recovered.

It's usually a good idea to retain some capability of restoring the service for a short period after switching off the service, and there may be a requirement for preserving the data for forensic/audit purposes for longer.

In short:

  • the security config for the device needs to be backed out of the infrastructure
  • assets may need to be recovered
  • data may need to be preserved
symcbean
  • The issues you bring up address a NetOps and SysOps standpoint more than an infosec standpoint. While those are all valid concerns, I’m not sure that it fully answers the original question. – SuperAdmin Apr 19 '18 at 20:39
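As an added illustration of the review symcbean sketches (security config backed out, assets recovered, data preserved) together with the log-archiving point from the question, here is a pre-approval check written for this thread rather than taken from either answer; the Inventory fields, host name, addresses, account and rule ids are constructed assumptions, not real systems or a real CMDB schema.

```python
from dataclasses import dataclass

@dataclass
class Inventory:
    """Constructed view of the systems a host leaves traces in (sample data, not a real CMDB)."""
    dns_records: dict       # hostname -> ip
    firewall_rules: list    # [{"id", "src", "dst"}]
    service_accounts: dict  # account -> {"host", "enabled"}
    certificates: dict      # common name -> {"revoked": bool}
    log_archives: dict      # hostname -> {"sha256", "retain_until"}

def review_decommission(host, ip, inv, investigations):
    """Return blocking findings for a decom request; an empty list means approve."""
    findings = []
    if host in investigations:  # evidence hold: nothing may be wiped yet
        findings.append(f"{host}: subject of an active investigation, hold decommission")
    if host not in inv.log_archives:  # preserve logs before the data disappears
        findings.append(f"{host}: event logs not archived for audit/forensics")
    if inv.dns_records.get(host) == ip:  # stale name lets another machine assume the identity
        findings.append(f"{host}: DNS record still resolves to {ip}")
    for rule in inv.firewall_rules:
        if ip in (rule["src"], rule["dst"]):
            findings.append(f"{host}: firewall rule {rule['id']} still references {ip}")
    for acct, meta in inv.service_accounts.items():
        if meta["host"] == host and meta["enabled"]:
            findings.append(f"{host}: service account {acct} still enabled")
    cert = inv.certificates.get(host)
    if cert and not cert["revoked"]:
        findings.append(f"{host}: certificate not revoked")
    return findings

# Constructed request: the app01 host as it looks when the ticket arrives.
HOST, IP = "app01.example.internal", "10.0.5.21"
BEFORE = Inventory(
    dns_records={HOST: IP},
    firewall_rules=[{"id": "fw-104", "src": IP, "dst": "10.0.9.3"}],
    service_accounts={"svc_app01": {"host": HOST, "enabled": True},
                      "svc_db": {"host": "db01.example.internal", "enabled": True}},
    certificates={HOST: {"revoked": False}},
    log_archives={},
)
# Same host after the owning teams backed out its config and archived its logs.
AFTER = Inventory(
    dns_records={}, firewall_rules=[],
    service_accounts={"svc_app01": {"host": HOST, "enabled": False},
                      "svc_db": {"host": "db01.example.internal", "enabled": True}},
    certificates={HOST: {"revoked": True}},
    log_archives={HOST: {"sha256": "<archive hash placeholder>", "retain_until": "2019-04-18"}},
)

def review_before():
    return review_decommission(HOST, IP, BEFORE, investigations=set())

def review_after():
    return review_decommission(HOST, IP, AFTER, investigations=set())
```

Running review_before() returns five blocking findings for the constructed host, while review_after() returns an empty list, which is the state in which an approval on the ticket actually means something.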