Solved

Changing of the guard

Posted on 2004-04-23
382 Views
Last Modified: 2010-04-11
I am doing some consulting for a client who is thinking of changing their IT leader. They are concerned about the incumbent leaving behind something nasty if they do make a change. Does anyone know of a software package that would help minimize this risk by doing at least the following and hopefully more? (Small network of 100 PCs and a dozen servers.)

1) Check all automated/scheduled tasks on all PCs/servers and provide a list of unrecognized or all items
2) Check all startup locations on all PCs/servers and provide a list of unrecognized programs.
3) ??????
Question by:rfuller02
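As an added example (not code from the thread, and not a product recommendation), here is how item 1 of the question can be done with a script rather than a package: collect each machine's task list with `schtasks /query /fo CSV /v` (present on Windows XP/2003), then report every task that is not on an allowlist of known-good (task name, command) pairs, and additionally anything that runs from a temp or user-profile directory or launches a script or interpreter. The host names, task entries and the allowlist below are constructed sample data; the same approach covers item 2 if the Run registry keys are exported to text in the same way.

```python
"""Report scheduled tasks that are not on a known-good allowlist.

Added example, not code from the thread. Assumes each host's task list was
captured with `schtasks /query /fo CSV /v` (Windows XP/2003) and saved as one
CSV per host. The sample data and allowlist below are constructed for the demo.
"""
import csv
import io
import re

# Constructed samples of what `schtasks /query /fo CSV /v` returns on two hosts.
# Only the columns the script reads (TaskName, Task To Run) need to be realistic.
SAMPLE_CSV = {
    "WS-001": r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS-001","AV-Update","08:00:00, 24/04/2004","","Interactive/Background","07:59:00, 23/04/2004","0","CORP\admin","C:\Program Files\AV\update.exe /silent","C:\Program Files\AV","AV definitions"
"WS-001","Backup","22:00:00, 23/04/2004","","Background only","22:00:00, 22/04/2004","0","CORP\admin","C:\Scripts\backup.cmd","C:\Scripts","Nightly backup"
"WS-001","Housekeeping","23:30:00, 23/04/2004","","Background only","23:30:00, 22/04/2004","0","CORP\jdoe","C:\Scripts\hk.cmd","C:\Scripts",""
''',
    "SRV-02": r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"SRV-02","AV-Update","08:00:00, 24/04/2004","","Interactive/Background","07:59:00, 23/04/2004","0","CORP\admin","C:\WINDOWS\Temp\update.exe /silent","C:\WINDOWS\Temp","AV definitions"
"SRV-02","Cleanup","03:00:00, 24/04/2004","","Background only","03:00:00, 23/04/2004","0","CORP\jdoe","cmd /c C:\Documents and Settings\jdoe\Local Settings\Temp\c.bat","C:\Temp",""
''',
}

# Allowlist of (task name, command) the consultant has verified; constructed here.
ALLOWLIST = {
    ("av-update", r"c:\program files\av\update.exe /silent"),
    ("backup", r"c:\scripts\backup.cmd"),
}

# Locations a scheduled task normally has no business running from.
SUSPECT_PATH = re.compile(r"\\temp\\|%temp%|\\documents and settings\\|\\recycler\\", re.I)
# Script/interpreter launches deserve a look when the task is not already allowlisted.
SCRIPT_LAUNCH = re.compile(r"\b(cmd(\.exe)?\s+/[ck]|cscript|wscript)\b|\.(bat|cmd|vbs|js)\b", re.I)


def normalize(text):
    """Collapse whitespace and case so trivial edits do not defeat the allowlist."""
    return " ".join(text.split()).lower()


def parse_schtasks_csv(text):
    """Yield (task name, command) pairs from `schtasks /query /fo CSV /v` output."""
    for row in csv.DictReader(io.StringIO(text)):
        # Some schtasks versions repeat the header line; skip it if it shows up as data.
        if row["TaskName"] == "TaskName":
            continue
        yield row["TaskName"], row["Task To Run"]


def audit(csv_by_host, allowlist=ALLOWLIST):
    """Return findings for every task that is unrecognized or looks suspicious."""
    findings = []
    for host, text in sorted(csv_by_host.items()):
        for name, command in parse_schtasks_csv(text):
            key = (normalize(name), normalize(command))
            reasons = []
            if key not in allowlist:
                reasons.append("not on allowlist")
            if SUSPECT_PATH.search(command):
                reasons.append("runs from temp/user-writable path")
            if key not in allowlist and SCRIPT_LAUNCH.search(command):
                reasons.append("launches script or interpreter")
            if reasons:
                findings.append({"host": host, "task": name,
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"{f['host']}: {f['task']!r} -> {f['command']}  [{'; '.join(f['reasons'])}]")
```

Note that the allowlist keys on the command as well as the task name: a task that keeps its familiar name but now points at a different binary (the SRV-02 "AV-Update" entry above) is exactly the kind of change a name-only list would miss.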
9 Comments
 
LVL 5

Accepted Solution

by:
bitter_chicken earned 43 total points
ID: 10906477
If the computers have different hardware and software installed, it would be a prohibitively laborious task to compile a list of services to 'allow'.

Virus scanners will most likely do the job - ( www.symantec.com or www.mcafee.com ) - if you turn on the predictive mode. Online scanners can help if cost is an issue: http://www.experts-exchange.com/Security/Q_20963141.html

Another good security precaution would be to reset the firewall (or install a firewall!) - so that any odd connections should throw up a warning (eg trojans).

If all the computers have the same setup, it might be advisable to use a hard-drive imaging program (Win2000/XP have a rollout function which does this; or a program such as Norton Ghost: www.symantec.com ) to completely clean the computers. By saving images on a hidden partition for each computer, you can then also get them back to optimum running state at will.

Hope this has helped,
bc :-)
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 41 total points
ID: 10906774
Just tell the incumbent that a full network, password, login and vulnerability audit has been commissioned to ensure there are no changes between now and when the new IT supplier takes over.
This should be enough to convince them that the risk of ILLEGAL system compromises or service disruption will be detected and reported to the police.
Put yourselves in their shoes - would you risk your professional reputation just because you've a chip on your shoulder?  ;)
Think about:

1)  Terminating all remote access to the 3rd party (modems, VPNs, firewall rules)
2)  Changing ALL admin passwords on EVERYTHING
3)  Running patch assessment - i.e. check everything is up to date... Microsoft SUS is a start?
4)  Run a vulnerability scan across the entire network (something like Retina would do the trick)
5)  Run up-to-date virus scans on everything
6)  Ensure firewall policies do not have liberal access rules in them
7)  Document everything; ensure full event logging is in place with a new admin account, just in case things turn out for the worse...



 

Author Comment

by:rfuller02
ID: 10907470
Timing is critical in this. If I were devising something nasty to leave behind, I'd set it to start when I didn't do something, and I'd make sure that there were multiple points of entry.

I agree in that I can't imagine anyone risking their reputation, career and possibly jail time to get back at someone, but the owners of the company are bringing this up; I just provide a service.
 
LVL 5

Expert Comment

by:bitter_chicken
ID: 10907693
You could always just wipe every computer and start again! That would be exciting ;-)
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10909761
I'm not sure you could prevent a "time-bomb", as this could be a batch file or even tagged on the end of a popular program. Anti-virus is going to be your best friend in a Windows environment, and root-kit detection can be found with various programs. One of the leaders in finding malicious code is TDS from DiamondCS.
http://www.diamondcs.com.au/?hop=supportale I've written some things on purpose to test the software, and while I was able to avoid detection, it was a very paranoid program (TDS-3, that is) and found many of the other tests.
http://www.dslreports.com/forum/remark,2460976~root=security,1~mode=flat

Also a nice program: http://www.securiteam.com/tools/5FP0L00BPS.html

Timing is critical. We've had to let some very seasoned, long-time employees go, and they knew the LAN better than anyone there. You need to be swift, and perhaps Legal... Our state is a "no reason" state; we don't have to give a reason for your termination, but we did hire a security guard to escort the individuals out of the building and off the premises. All passwords were changed right after we turned off the network ports of their PCs. They were still logged in, and we were able to use their credentials to get to places we never would have, or it would have taken a week or more to crack their passwords, because it did in fact take a week ;) It's got to be a well thought out plan.
GL!
-rich
 

Author Comment

by:rfuller02
ID: 10909982
Rich,

Thanks for the sites. Good stuff. I'm thinking of writing a VB app to accomplish some of this. Have you done anything like that? I'm thinking in terms of something that would check for all batch files (bat & cmd) and at least write a report listing all of them. Then the program would parse each file looking for harmful commands. (Of course, if the person was really smart they'd copy the delete command and then rename it something innocuous. I could always have the program check the size of the program and, if it looks suspect, run it against a test file to see what it does to it.) I haven't thought it all the way through, but it seems like something that wouldn't be too tough to accomplish.

Any input would be appreciated and I'd give you a copy of it.

Rod
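As an added example (not Rod's VB app and not code from the thread), the two checks he sketches can be written in a few dozen lines of Python: walk a tree, list every .bat/.cmd file and flag lines that match a small set of patterns (recursive deletes, format, writes to a Run registry key, at/schtasks job creation, account creation, and the "if not exist" style trigger that fires when the departing admin stops doing something), and catch renamed copies of system utilities by comparing size first and then a SHA-256 hash against known-good copies, which is more reliable than size alone. One caveat on his scenario: `del` is internal to cmd.exe, so the rename trick applies to external tools such as format.com. The directory tree, file names and stub contents are all constructed inside build_demo(); nothing is executed against a test file.

```python
"""Find batch files with destructive commands and renamed copies of system tools.

Added example, not the thread's own code. It scans a constructed temporary
tree built by build_demo(); no real system directory is touched.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Heuristic patterns for commands a leave-behind script would need. Labels are ours.
DANGEROUS = [
    ("recursive delete", re.compile(r"\b(del|erase|rd|rmdir)\b[^&|]*\s/s\b", re.I)),
    ("format", re.compile(r"\bformat\s+[a-z]:", re.I)),
    ("registry run key", re.compile(r"\breg(\.exe)?\s+add\b.*\\run\b", re.I)),
    ("scheduled job", re.compile(r"\bat\s+\d{1,2}:\d{2}|\bschtasks\s+/create\b", re.I)),
    ("account creation", re.compile(r"\bnet\s+(user|localgroup)\b.*\s/add\b", re.I)),
    ("missing-file trigger", re.compile(r"\bif\s+not\s+exist\b", re.I)),
]


def scan_batch_text(text):
    """Return [(line number, label)] for every pattern hit in a batch file body."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip().lower()
        if not stripped or stripped.startswith(("rem ", "::")):
            continue  # comments are not executed
        for label, pattern in DANGEROUS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_utilities(system_dir, names):
    """Map (size, sha256) -> utility name for the known-good copies in system_dir."""
    known = {}
    for name in names:
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            known[(os.path.getsize(path), sha256_of(path))] = name
    return known


def scan_tree(root, known):
    """Return {'batch': [(path, hits)], 'renamed': [(path, original name)]}."""
    sizes = {size for size, _ in known}
    report = {"batch": [], "renamed": []}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith((".bat", ".cmd")):
                with open(path, "r", errors="replace") as fh:
                    hits = scan_batch_text(fh.read())
                if hits:
                    report["batch"].append((path, hits))
            size = os.path.getsize(path)
            if size in sizes:  # cheap size check first, hash only to confirm
                original = known.get((size, sha256_of(path)))
                if original and fn.lower() != original.lower():
                    report["renamed"].append((path, original))
    return report


def build_demo():
    """Create a constructed directory tree standing in for one PC's disk."""
    root = tempfile.mkdtemp(prefix="guard-demo-")
    sysdir = os.path.join(root, "system32")
    scripts = os.path.join(root, "Scripts")
    os.makedirs(sysdir)
    os.makedirs(scripts)
    format_stub = b"MZ constructed stand-in for format.com\n" * 30  # not a real binary
    with open(os.path.join(sysdir, "format.com"), "wb") as fh:
        fh.write(format_stub)
    with open(os.path.join(sysdir, "cacls.exe"), "wb") as fh:
        fh.write(b"MZ constructed stand-in for cacls.exe\n" * 30)
    with open(os.path.join(scripts, "backup.cmd"), "w") as fh:  # benign script
        fh.write("@echo off\nrem nightly backup\nxcopy D:\\data E:\\backup /e /y\n")
    with open(os.path.join(scripts, "cleanup.bat"), "w") as fh:  # constructed time-bomb
        fh.write("@echo off\n"
                 "if not exist C:\\keepalive.txt del /q /s D:\\data\\*\n"
                 "schtasks /create /tn Sys /tr C:\\Scripts\\cleanup.bat /sc daily\n")
    with open(os.path.join(scripts, "report.exe"), "wb") as fh:  # renamed format.com
        fh.write(format_stub)
    return root, sysdir


def run_demo():
    root, sysdir = build_demo()
    try:
        known = fingerprint_utilities(sysdir, ["format.com", "cacls.exe"])
        return scan_tree(root, known)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = run_demo()
    for path, hits in result["batch"]:
        print(path, hits)
    for path, original in result["renamed"]:
        print(f"{path} is a renamed copy of {original}")
```

The pattern list is deliberately short and will miss anything obfuscated (a command assembled from environment variables, for instance), so treat the batch-file report as a triage list for a human to read rather than a verdict; the hash comparison, by contrast, is exact for the utilities you fingerprint.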
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 41 total points
ID: 10912856
Really it is more about assessing the risk. We monitored the 2 admins' ports with Ethereal, as well as used VNC to monitor their activities for a few days prior to their being let go. I did hack VNC's icons to be all white instead of switching colours when we connected, though. We ascertained that they were totally unprepared for what was coming, and they were not emailing, FTPing, or CD-copying any data off site. They were not doing any work at the same time ;) Again we used a security officer we hired to enter their office with me, ask them to gather their things in a box and meet with a manager before leaving.

If you really feel that this person will hold a grudge, or is capable of the acts you're trying to find, then your problem is bigger than mine. Here are some other suggestions:
http://www.cnn.com/2000/TECH/computing/07/04/network.protect.idg/

Oh yes, we changed all the passwords on ALL accounts after the persons were escorted from the building. While I was watching their activities, another admin was specifically denying their accounts on all PCs and servers, and they were removed from the admin group at the same time we turned off their network ports. Swift and all-encompassing action was what we did.
GL!
-rich
 
LVL 27

Expert Comment

by:Tolomir
ID: 15738885
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: bitter_chicken{http:#10906477} & tim_holman{http:#10906774} & richrumble{http:#10912856}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
