-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Volker Tanger wrote:
| If you have to assume being compromised, re-install and | re-configure all your systems starting from scratch and clean media | (boot from CD, partition harddisc, format HD, install base system, | ...) - and start with your most (business) critical systems. Have | this done by an admin you trust.
Keep in mind that the "retired" admin knows all weaknesses, he knows if there is an ids, insecure protocols, what system compromises hurt most, he knows the social network and, may be he knows how to get phsyical access... paranoia?
I think you need to do some risk management. There are some steps to keep in mind (from a security-point of view), I'd follow this order:
1. change the logins 2. ensure that he has no more physical access 3. inform his colleques (protect against social engineering) 4. check your logs / increase the log level / install additional ids 5. reinstall the affected systems from scratch (run an audit if not possible) 6. fix security holes that he could/should know 7. ensure that your other admins are upright (be fair) 8. watch your competitors if he sold information 9. break his password, if you have no access to your data 10. prepare for the future
You should ask yourself the questions "how much can it cost in the worst case?", "will we survive it?" and "is that realistic?". Costs vs. security.
regards
- -- http://www.redsheep.de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFALPMs4Lmwv7NFcKMRAmbTAJ9xe4CAYog7oVonsoZjMnzDfa8axgCgzB+I MrAZ860jkPt8C15iBleH2/I= =cCzI -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html