Solved

Changing of the guard

Posted on 2004-04-23
9
388 Views
Last Modified: 2010-04-11
I am doing some consulting for a client who is thinking of changing their IT leader. They are concerned about the incumbent leaving behind something nasty if they do make a change. Does anyone know of a software package that would help minimize this risk by doing at least the following and hopefully more: (small network of 100 PC's and a dozen servers)

1) Check all automated/scheduled tasks on all PC's/servers and provide a list of unrecognized or all items
2) Check all startup locations on all PC's/servers and provide a list of unrecognized programs.
3) ??????
0
Comment
Question by:rfuller02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 5

Accepted Solution

by:
bitter_chicken earned 43 total points
ID: 10906477
If the computers have different hardware and software installed, it would be a prohibitively laborious task to compile a list of services to 'allow'.

Virus scanners will most likely do the job - ( www.symantec.com or www.mcafee.com ) - if you turn on the predictive mode. Online scanners can help if cost is an issue: http://www.experts-exchange.com/Security/Q_20963141.html

Another good security precaution would be to reset the firewall (or install a firewall!) - so that any odd connections should throw up a warning (eg trojans).

If all the computers have the same setup, It might be advisable to use a hard-drive imaging program (win2000/xp have a rollout function which does this; or a program such as norton ghost: www.symantec.com ) to completely clean the computers. By saving images on a hidden partition for each computer, you can then also get them back to optimum running state at will.

Hope this has helped,
bc :-)
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 41 total points
ID: 10906774
Just tell the incumbent that a full network, password, login and vulnerability audit have been commissioned to ensure there are no changes between now and when the new IT supplier takes over.
This should be enough to convince them that the risk of ILLEGAL system compromises or service disruption will be detected and reported to the police.
Put yourselves in their shoes - would you risk your professional reputation just because you've a chip on your shoulder ??  ;)
Think about:

1)  Terminating all remote access to the 3rd party (modems, VPNs, firewall rules)
2)  Changing ALL admin passwords on EVERYTHING
3)  Running patch assessment - ie check everything is up to date... Microsoft SUS is a start ?
4)  Run a vulnerability scan across the entire network (something like Retina would do the trick)
5)  Run up-to-date virus scans on everything
6)  Ensure firewall policies do not have liberal access rules in them
7)  Documenting everything, ensure full event logging is in place with a new admin account, just in case things turn out for the worse...



0
 

Author Comment

by:rfuller02
ID: 10907470
Timing is critical in this. If I was devising something nasty to leave behind, I'd set it to start when I didn't do something and I'd make sure that there were multiple points of entry.

I agree in that I can't imagine anyone risking their reputation, career and possibly jail time to get back at someone but the owners of the company are bringing this up, I just provide a service.
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 5

Expert Comment

by:bitter_chicken
ID: 10907693
you could always just wipe every computer and start again! That would be exciting ;-)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10909761
I'm not sure you could prevent a "time-bomb" as this could be a batch-file or even tagged on the end of a popular program. Anti-Virus is going to be you best friend in a windows environment, and root-kit detection can be found with various programs. One of the leaders in finding malicious code is the TDS from dimondCS.
http://www.diamondcs.com.au/?hop=supportale I've written some things on purpose to test the software, and while I was able to avoid detection, it was a very paranoid program (TD3 that is) and found many of the other tests.
http://www.dslreports.com/forum/remark,2460976~root=security,1~mode=flat

also a nice program http://www.securiteam.com/tools/5FP0L00BPS.html

Timing is critical, we've had to let some very seasoned, and long time employee's go, and they knew the lan better than anyone there. You need to be swift, and perhaps Legal... our state is a "no reason" state, we don't have to give a reason for your termination, but we did hire a security guard to escort the individuals out of the building and off the premisis. All passwords were changed right after we turned off the Network port of their PC's. They were still logged in, and we were able to use their credintials to get to places we never would of, or it would of taken a week or more to crack their pass's, because it did in fact take a week ;) It's got to be a well thought out plan.
GL!
-rich
0
 

Author Comment

by:rfuller02
ID: 10909982
Rich,

Thanks for the sites. Good stuff. I'm thinking of writing a VB app to accomplish some of this. Have you done anything like that? I'm thinking in terms of something that would check for all batch files (bat & cmd) and at least write a report listing all of them. Then, having the program parse the file looking for harmful commands. (Of course, if the person was really smart they'd copy the delete command and then rename it something innocuous. I could always have the program check the size of the program and if it looks suspect, run it against a test file to see what it does to it.) Haven't thought it all the way through but it seems like something that wouldn't be too tough to accomplish.

Any input would be appreciated and I'd give you a copy of it.

Rod
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 41 total points
ID: 10912856
Really is more about assessing the risk. We monitored the 2 admins's ports with ethereal, as well as used VNC to monitor their activities for a few days prior to their being let go. i did hack VNC's icon's to be all white instead of switching colors when we connected though. We assertained that they were totally unprepared for what was coming, and they were not emailing or ftp'ing, or cd copying any data off site. They were not doing any work at the same time ;) Again we used a Security officer we hired to enter their office with me, ask them to gather their things in a box and meet with a manager before leaving.

If you really feel that this person will hold a grudge, or is capable of the act's your trying to find, then your problem is bigger than mine. here are some other suggestions:
http://www.cnn.com/2000/TECH/computing/07/04/network.protect.idg/

Oh yes, we changed all the passes on ALL accounts after the persons were escorted from the building, while I was watching their activities, another admin was specifically denying their accounts on all PC's and Servers, and they were removed from the admin group at the same time we turned off their netwrok ports. Swift and all encompassing action was what we did.
GL!
-rich
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 15738885
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
Split: bitter_chicken{http:#10906477} & tim_holman{http:#10906774} & richrumble{http:#10912856}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question