[ale] Network security question

Mark Wright mpwright at speedfactory.net
Mon Apr 2 20:58:28 EDT 2007


Thanks for the input James.

I am with you right up to the "all systems need to be scanned" and  
the "serious Penetration testing".   Do you mean "scanned" as in a  
virus scan?  Is there a tool to scan for rootkits and such?   
Penetration testing also is a vague concept to me.  Are we just  
confirming with something like NMAP that there are no open ports?   
Maybe physically make sure there are no known or unknown wireless APs  
lurking on the net, no modems plugged into servers, etc?

I realize that there are books written on the subject and I am in no way  
asking to be schooled on how computers network.  I just want to be  
sure that I know exactly what you mean.

Thanks again,

Mark

On Apr 2, 2007, at 8:14 PM, James P. Kinney III wrote:

> On Mon, 2007-04-02 at 19:38 -0400, Mark Wright wrote:
>> Hi folks,
>>
>>
>> I have a problem my boss dumped in my lap.  He is going to let go our
>> network admin because he is dishonest.  He is also pretty good and has
>> bragged about how he hacked his former employer (hp) for mischief when
>> he was terminated.  My boss wants me to tell him what he should do
>> before he fires this guy to make sure this guy can't disrupt our
>> business after he's gone.  We don't know that he will but my boss
>> thinks so.
>>
>>
>> The office is in Chicago (me in Woodstock).  There are about 5 windows
>> 03 servers and 5 AIX, a Cisco router and a Cisco firewall.  My boss is
>> not worried about the AIX as that is our expertise.  One of the
>> windows boxes hosts RDP and one is a webserver using Cold Fusion.
>> Those are the ones he worries about.  He had trouble before when he
>> tried to change the Cold Fusion password.  The web site stopped
>> working so he is afraid to do that even though he knows he needs to.
>
> The password will need to be changed simultaneously for both the server
> and all the applications running from it. Create new users first on the
> server then create the new users in the web applications. This should be
> done initially offline and tested using the site mockup. Once the
> dismissal occurs, drop in the new app configs with the new users and
> restart.
>>
>>
>> I suggested to him that all the account passwords should be changed on
>> every box for every user and possibly disable email ports on any
>> system that doesn't need email.  I was wondering about root kits that
>> may have been left behind or code that could email out the new
>> passwords in a week or so.
>>
> I agree on the total password change. And disable ALL ports not KNOWN to
> be used. Don't leave something open because you _think_ it is used.
>>
>> I know there are some excellent security experts out there.  Any tips
>> would be greatly appreciated.
>
>
> All systems will have to be scanned just before and again just after the
> dismissal. There needs to be a "shadow admin" brought on immediately to
> start the security sweeps. Once the dismissal occurs, the shadow becomes
> the real admin.
>
> There will need to be some serious penetration testing done just prior
> to the dismissal (think same day). Basically, the systems will need to
> be locked down and secure first. Once that is done, the exiting admin
> has their passwords locked off on all machines.
>
> This is a seriously no fun process. The only potential upside to this is
> the ones that brag about past exploits are not very dangerous. They
> typically did "something" with some script-kiddie tools (bad enough but
> manageable.).
>
>>
> -- 
> James P. Kinney III
> CEO & Director of Engineering
> Local Net Solutions,LLC
> 770-493-8244
> http://www.localnetsolutions.com
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
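James's "scan just before and again just after" and "disable ALL ports not KNOWN to be used" together describe a baseline comparison, and Mark's nmap question is really asking how to turn scan output into that comparison. The script below is an added illustration written for this archive page; it is not code from either poster. It assumes nmap's grepable output format (`-oG`, one `Host:` line per host with `port/state/proto/owner/service/rpc/version/` entries), and the two scans, the host addresses and the allowlist are constructed sample data rather than anything from the thread. It reports listeners that appeared between the two scans and any listener that is not on the documented per-host allowlist, so a port stays open only because it is known to be used, not because someone thinks it is.

```python
"""Diff two nmap grepable (-oG) scans and check them against an allowlist.

Constructed sample data throughout: the hosts, ports and scan text below are
placeholders, not output from any real network.
"""
import re

# Constructed "before dismissal" scan, in the shape `nmap -oG -` prints.
SCAN_BEFORE = """\
# Nmap 4.20 scan initiated (constructed sample)
Host: 10.0.0.10 (rdp01)\tPorts: 3389/open/tcp//ms-term-serv///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)
Host: 10.0.0.11 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65533)
"""

# Constructed "after dismissal" scan with two listeners that were not there before.
SCAN_AFTER = """\
Host: 10.0.0.10 (rdp01)\tPorts: 3389/open/tcp//ms-term-serv///, 445/open/tcp//microsoft-ds///, 5555/open/tcp//unknown///\tIgnored State: closed (65532)
Host: 10.0.0.11 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 25/open/tcp//smtp///\tIgnored State: closed (65532)
"""

# Ports each host is documented to need. Anything else is flagged, even if it
# was already open in the "before" scan (the rule is "known", not "familiar").
ALLOWLIST = {"10.0.0.10": {3389}, "10.0.0.11": {80, 443}}

# Host line: "Host: <ip> (<name>)<tab>Ports: <entries>[<tab>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {(port, proto, service), ...}} for every port reported open."""
    listeners = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and hosts without a Ports field
            continue
        ip, _name, ports = m.groups()
        found = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, proto, owner, service, rpc info, version
            if len(fields) < 5 or fields[1] != "open":
                continue
            found.add((int(fields[0]), fields[2], fields[4]))
        listeners[ip] = found
    return listeners


def new_listeners(before, after):
    """Per host, the open ports present after but absent before (new hosts count in full)."""
    diff = {}
    for ip, ports in after.items():
        added = ports - before.get(ip, set())
        if added:
            diff[ip] = added
    return diff


def unapproved(scan, allowlist):
    """Per host, open ports not on its allowlist (an unlisted host has everything flagged)."""
    flagged = {}
    for ip, ports in scan.items():
        bad = {p for p in ports if p[0] not in allowlist.get(ip, set())}
        if bad:
            flagged[ip] = bad
    return flagged


def report(before_text=SCAN_BEFORE, after_text=SCAN_AFTER, allowlist=ALLOWLIST):
    """Run both checks on the after scan; returns (new listeners, unapproved listeners)."""
    before = parse_grepable(before_text)
    after = parse_grepable(after_text)
    return new_listeners(before, after), unapproved(after, allowlist)


if __name__ == "__main__":
    added, flagged = report()
    for ip, ports in sorted(added.items()):
        for port, proto, svc in sorted(ports):
            print(f"NEW      {ip} {port}/{proto} ({svc})")
    for ip, ports in sorted(flagged.items()):
        for port, proto, svc in sorted(ports):
            print(f"UNKNOWN  {ip} {port}/{proto} ({svc}) not on allowlist")
```

Run against real scans by saving each `nmap -oG` result to a file and passing its contents as `before_text`/`after_text`; the allowlist should come from the shadow admin's written inventory of what each box serves. Note that 445 on the RDP host is flagged even though it was open in both scans: the point of the allowlist pass is to surface exactly the "I think it's used" ports James warns about, so they get documented or closed before the dismissal rather than after.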
