Re: Handling Sysads resignation/termination

From: Irvin Temp (znah_irvin@yahoo.com)
Date: Thu Aug 04 2005 - 00:38:33 EDT


> What's he going to do? Say yes? Then what?

Thanks for the reply. I think the questions will not
be directly to check whether he has placed a logic/time
bomb etc. etc., thus I'm not expecting a "yes or no"
answer.

I was looking into letting him explain what his
day-to-day activity was during his stay, what systems
he was involved in.. try to get a sense of what his
involvement was (from his point of view) during past
projects (system development, db or server
administration, I'm not sure what you call it??).. what
sensitive files he might have been given access to
during those occasions, was his access properly
terminated? and other information that can be verified
using the firewall, mail, db logs, syslog to check for
consistencies?

The matter of looking for timebombs/malicious programs
will mostly be, if not purely, a technical activity
such as audit, checking of process, reviewing logs to
support the information you got from an interview. Like
for example when he discussed during the interview that
during a project development or some activity he
was not involved or required access to DBs, but logs
show that his account/pc showed attempts to access DB.
Or an unusual mail traffic during his last certain
weeks of stay indicating sending attachments that may
or may not contain confidential data. Or during the
security checks he had access to files that he neither
needed nor had clearance to..

My over-simplification of the activity is that the
interview and the actual logs will be compared to
check for inconsistencies or signs of unusual activity
that may need to be further investigated..

If there are inconsistencies it might be he's trying to
hide something or it might reveal that someone has been
using his account or privilege to elevate their level
of access with or maybe without his knowledge. This
process is not solely meant for finding fault with the
sysad but also for his own protection..

Interview alone won't do much as some have said.. I think
it has to be a combination of interview and actual
audit..

Going further this might open a can of worms
that might be a result of a lack of policy or standard
in the company.. so this is also a good opportunity
to learn how to improve the security posture of the
company.. I'm looking into formalizing the process in
the termination procedure be it for a trustworthy or
non-trustworthy admin.. my opinion is this is just
good practice...
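
The comparison described in the message above, as an added example that is not part of the original post: the interview answers are recorded as a declared scope and checked against normalized log events. The record format, field names, account, hosts, domains and log lines are all constructed assumptions, and each result is only a lead for further investigation.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized events: timestamp, source log, account, target, detail.
SAMPLE_EVENTS = """\
2005-06-02T09:15:00 syslog jdoe web01 ssh-login
2005-07-20T23:41:00 db jdoe payroll_db login-failed
2005-07-21T23:44:00 db jdoe payroll_db login-ok
2005-07-25T18:02:00 mail jdoe example.net attachment=3
2005-07-26T10:30:00 mail jdoe corp.example attachment=1
2005-08-03T02:10:00 syslog jdoe web01 ssh-login
"""

# Assumed interview record (hypothetical field names and values).
INTERVIEW = {
    "account": "jdoe",
    "declared_systems": {"web01"},            # systems he said he worked on
    "last_day": datetime(2005, 7, 29, 18, 0),  # access should end here
    "internal_mail_domain": "corp.example",
}

def parse(text):
    """Yield (timestamp, source, account, target, detail) per event line."""
    for line in text.splitlines():
        ts, source, account, target, detail = line.split()
        yield datetime.fromisoformat(ts), source, account, target, detail

def reconcile(events, interview, final_weeks=2):
    """Return (timestamp, reason) leads where the logs disagree with the interview."""
    leads = []
    window_start = interview["last_day"] - timedelta(weeks=final_weeks)
    for ts, source, account, target, detail in events:
        if account != interview["account"]:
            continue
        if ts > interview["last_day"]:
            # Access was not properly terminated, or the account is in use by someone.
            leads.append((ts, f"activity after last day: {source} {target} {detail}"))
        elif source in ("db", "syslog") and target not in interview["declared_systems"]:
            leads.append((ts, f"undeclared system: {target} {detail}"))
        elif (source == "mail" and ts >= window_start
              and target != interview["internal_mail_domain"]
              and detail.startswith("attachment=")):
            leads.append((ts, f"external mail with attachments: {target} {detail}"))
    return leads

if __name__ == "__main__":
    for ts, reason in reconcile(parse(SAMPLE_EVENTS), INTERVIEW):
        print(ts.isoformat(), reason)
```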

                



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:41 EDT