Solved

Changing of the guard

Posted on 2004-04-23
9
371 Views
Last Modified: 2010-04-11
I am doing some consulting for a client who is thinking of changing their IT leader. They are concerned about the incumbent leaving behind something nasty if they do make a change. Does anyone know of a software package that would help minimize this risk by doing at least the following and hopefully more: (small network of 100 PC's and a dozen servers)

1) Check all automated/scheduled tasks on all PC's/servers and provide a list of unrecognized or all items
2) Check all startup locations on all PC's/servers and provide a list of unrecognized programs.
3) ??????
0
Comment
Question by:rfuller02
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 5

Accepted Solution

by:
bitter_chicken earned 43 total points
Comment Utility
If the computers have different hardware and software installed, it would be a prohibitively laborious task to compile a list of services to 'allow'.

Virus scanners will most likely do the job - ( www.symantec.com or www.mcafee.com ) - if you turn on the predictive mode. Online scanners can help if cost is an issue: http://www.experts-exchange.com/Security/Q_20963141.html

Another good security precaution would be to reset the firewall (or install a firewall!) - so that any odd connections should throw up a warning (eg trojans).

If all the computers have the same setup, It might be advisable to use a hard-drive imaging program (win2000/xp have a rollout function which does this; or a program such as norton ghost: www.symantec.com ) to completely clean the computers. By saving images on a hidden partition for each computer, you can then also get them back to optimum running state at will.

Hope this has helped,
bc :-)
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 41 total points
Comment Utility
Just tell the incumbent that a full network, password, login and vulnerability audit have been commissioned to ensure there are no changes between now and when the new IT supplier takes over.
This should be enough to convince them that the risk of ILLEGAL system compromises or service disruption will be detected and reported to the police.
Put yourselves in their shoes - would you risk your professional reputation just because you've a chip on your shoulder ??  ;)
Think about:

1)  Terminating all remote access to the 3rd party (modems, VPNs, firewall rules)
2)  Changing ALL admin passwords on EVERYTHING
3)  Running patch assessment - ie check everything is up to date... Microsoft SUS is a start ?
4)  Run a vulnerability scan across the entire network (something like Retina would do the trick)
5)  Run up-to-date virus scans on everything
6)  Ensure firewall policies do not have liberal access rules in them
7)  Documenting everything, ensure full event logging is in place with a new admin account, just in case things turn out for the worse...



0
 

Author Comment

by:rfuller02
Comment Utility
Timing is critical in this. If I was devising something nasty to leave behind, I'd set it to start when I didn't do something and I'd make sure that there were multiple points of entry.

I agree in that I can't imagine anyone risking their reputation, career and possibly jail time to get back at someone but the owners of the company are bringing this up, I just provide a service.
0
 
LVL 5

Expert Comment

by:bitter_chicken
Comment Utility
you could always just wipe every computer and start again! That would be exciting ;-)
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
I'm not sure you could prevent a "time-bomb" as this could be a batch-file or even tagged on the end of a popular program. Anti-Virus is going to be you best friend in a windows environment, and root-kit detection can be found with various programs. One of the leaders in finding malicious code is the TDS from dimondCS.
http://www.diamondcs.com.au/?hop=supportale I've written some things on purpose to test the software, and while I was able to avoid detection, it was a very paranoid program (TD3 that is) and found many of the other tests.
http://www.dslreports.com/forum/remark,2460976~root=security,1~mode=flat

also a nice program http://www.securiteam.com/tools/5FP0L00BPS.html

Timing is critical, we've had to let some very seasoned, and long time employee's go, and they knew the lan better than anyone there. You need to be swift, and perhaps Legal... our state is a "no reason" state, we don't have to give a reason for your termination, but we did hire a security guard to escort the individuals out of the building and off the premisis. All passwords were changed right after we turned off the Network port of their PC's. They were still logged in, and we were able to use their credintials to get to places we never would of, or it would of taken a week or more to crack their pass's, because it did in fact take a week ;) It's got to be a well thought out plan.
GL!
-rich
0
 

Author Comment

by:rfuller02
Comment Utility
Rich,

Thanks for the sites. Good stuff. I'm thinking of writing a VB app to accomplish some of this. Have you done anything like that? I'm thinking in terms of something that would check for all batch files (bat & cmd) and at least write a report listing all of them. Then, having the program parse the file looking for harmful commands. (Of course, if the person was really smart they'd copy the delete command and then rename it something innocuous. I could always have the program check the size of the program and if it looks suspect, run it against a test file to see what it does to it.) Haven't thought it all the way through but it seems like something that wouldn't be too tough to accomplish.

Any input would be appreciated and I'd give you a copy of it.

Rod
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 41 total points
Comment Utility
Really is more about assessing the risk. We monitored the 2 admins's ports with ethereal, as well as used VNC to monitor their activities for a few days prior to their being let go. i did hack VNC's icon's to be all white instead of switching colors when we connected though. We assertained that they were totally unprepared for what was coming, and they were not emailing or ftp'ing, or cd copying any data off site. They were not doing any work at the same time ;) Again we used a Security officer we hired to enter their office with me, ask them to gather their things in a box and meet with a manager before leaving.

If you really feel that this person will hold a grudge, or is capable of the act's your trying to find, then your problem is bigger than mine. here are some other suggestions:
http://www.cnn.com/2000/TECH/computing/07/04/network.protect.idg/

Oh yes, we changed all the passes on ALL accounts after the persons were escorted from the building, while I was watching their activities, another admin was specifically denying their accounts on all PC's and Servers, and they were removed from the admin group at the same time we turned off their netwrok ports. Swift and all encompassing action was what we did.
GL!
-rich
0
 
LVL 27

Expert Comment

by:Tolomir
Comment Utility
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Split: bitter_chicken{http:#10906477} & tim_holman{http:#10906774} & richrumble{http:#10912856}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now