Computerworld - My company has a formal process to deal with staffers who are leaving our company. It helps us close accounts quickly and deal with complicated situations like firings. We don't want someone to find out from our team that he's lost his job, rather than from human resources or his manager. So we must follow a complicated series of steps. Recently, we had a misstep.
In our process, the PC support group disables network and e-mail accounts, other teams disallow access to the appropriate accounts on their systems, and finance ceases mobile phone and remote-access service and recovers hardware from the employees.
I'd always felt we were doing well at balancing the need to act quickly with the need to protect the feelings and confidentiality of departing employees. Then I was called and told that someone who had left a month ago, let's call him "Nick," had logged into a critical server and that important files were missing.
A junior staff member, whom I'll call "Bob," had taken over Nick's work and couldn't find the test root key when he tried to issue test private keys for our customers. While searching on the server that held these files, he discovered that someone had logged in using Nick's account and deleted it.
In a public-key infrastructure (PKI), everything boils down to the root key. If you have the root key, you can issue your own keys for any part of the system and pretend to be whomever you like. Without our root key, we could issue no new keys and would have to rebuild our PKI from scratch -- a daunting prospect.
Alarming Activity
At first, I wasn't too worried, since this was just the test system. I had Bob disconnect the machine from the network and give me the IP address the connections were coming from. I then asked the network team to trace it. The address fell within a range we allocate for remote access, and it could have come only from Nick's house. It turns out that Nick's Windows account had been properly closed, but the telephone company hadn't shut down his line, and his Unix account was still active.
Even more alarming were the initial reports from the analysis of the disconnected machine. Unix stores a history of previous commands users have run, and it showed that Nick's account had conducted a vast cleanup operation. The contents of directory after directory had been listed and then deleted.
This could be a sign of normal tidying up --
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
