IT security enjoys added prominence when a member of staff moves on to pastures new, particularly if it's a network or systems administrator. Such key members of staff may leave under a cloud, and with little or no warning. Preparation is everything and, as Stephen Bishop explains, there are practical steps companies can take to protect their networks from revenge attacks.
In many organisations, there is one individual who stands tall over the network and key systems. He or she is not only responsible for the smooth running of the company's IT services, but also does most of the work. We all know the type of person. They're the one we turn to when things go wrong or tricky technical issues need resolving.
That's half of the problem, though. No-one else knows the extent of their knowledge. We trust them implicitly, but don't really know what it is we are trusting them with!
People like this often seem to be part of the fixtures and fittings, but most employees move on eventually. The break can be very sudden, perhaps for personal reasons rather than the desire to earn more money, and it may well be wrapped up in bad feelings on both sides.
The gamekeeper can become a potential poacher - and there may be no assistant gamekeepers able to step into the role.
An obvious worry is that the person on their way out knows a large number of administrative username-password combinations and other credentials covering applications, servers, networking equipment and physical access within the building.
Does anyone else know the complete set of critical passwords, or at the very least have access to a sealed envelope containing these items for use in an emergency? There are many instances where this process has not been put in place. Worse still, are there undocumented ways into the network from the outside (remote access to firewall management, for example, or any SSH servers running in unexpected places)?
We have seen the effects that sudden departures can have on system security. In one case, we received a request for immediate help from a small company that was about to dismiss its network manager. Fortunately, we were able to send along a consultant the very next day to join the emergency audit team, roll up his sleeves and tackle all the remedial work that needed doing.
IT policies and procedures
Organisations cope best when they have carried out some preparation. What, then, should you do?
To begin with, avoid single control. Don't have key systems in the hands of a lone administrator. Role rotation is a good idea, forcing all involved to work in a more orderly manner. Maintain documentation - keep track of network structure, systems, users, events and responsibilities (and carry out regular reviews of this information).
It's imperative to build procedure. Try to wrap all significant changes to equipment and personnel in documented procedures, and remember to keep them updated as technology moves on and the organisation changes.
Wherever possible, avoid manual maintenance. In addition, always keep logs - retain access records, making sure that these can be viewed quickly and easily if there is a security alert.
Note that we have not spoken of the creation and promotion of an Information Security Policy. This should be a given. In fact, all the suggestions itemised thus far ought to have their equivalents in a properly managed security policy. Similarly, we recognise that quality management along the lines of ISO 9001 provides a good framework into which our recommendations may be placed.
Practical steps to be taken
The worst possible case is that of a formerly-trusted systems administrator being caught and found guilty of some misdemeanour and marched off the premises, meaning that the gnawing doubts start immediately.
The primary fear is that some form of access is still available to the individual concerned, either by normal channels that have not been closed down or by undocumented connection points and alternative credentials. After all, these days many employees need remote access in order to do their job. In the case of either a network manager or a system administrator this might well be a complex, many-headed arrangement.
Similarly, there is a worry that key systems have been compromised in a way that may leave them open to a simple attack in the future. This may not even be deliberate, for the person leaving might simply know about unfixed vulnerabilities that have not been documented, and of which erstwhile colleagues are blissfully unaware.
However, this is no time to sit and worry! There will be a number of actions that have to be carried out in a fairly short space of time, possibly by new or inexperienced staff.
First up, have a meeting: a short gathering of all the relevant staff with the aim of assigning responsibilities and making sure that resources are used in the best possible way. Of course, if external help is needed, it's best to ask for it as soon as possible. One obvious division of labour is to have some of your staff focus on detection (looking to see if anything anomalous is happening) while others work on prevention and take concrete steps to close any holes as soon as possible.
Immediate action: on the day
Remove access. Disable relevant accounts, change all administrative passwords and collect any keys or other physical tokens. Then scan the perimeter. Check the network's visibility from the Internet, making sure that all services offered are there for a good reason.
Also, carry out a network inventory. Make sure that there are no unexpected systems on key networks (this may involve physical inspection to find things like unexpected modems). Quarantine relevant PCs. The system administrators' own desktop PCs should not simply be passed on to others, but kept in isolation until any security issues are resolved.
Maintain user awareness, too. Let all staff know that there is a heightened state of security concern (with an increased need to report any unusual events), but without going into unnecessary detail or spreading alarm.
Make sure that you debrief leavers. Assuming that the departure is reasonably amicable, a final review may be of value to the individual's successors.
Beyond these points are the personnel issues such as the signing of non-disclosure and similar documents (subject, of course, to the individual's contract of employment).
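The "remove access" step above is easy to state but hard to verify across many servers. The following script is an added example (not from the article or from IDsec) of how an audit team could check one host for residual access: it takes constructed snapshots of passwd, shadow, authorized_keys, sudoers and crontab data and flags anything still tied to the departed administrator, along with undocumented uid-0 accounts. The usernames, SSH key blob and hostname are hypothetical.

```python
"""Offboarding audit for one host: flag access a departed administrator
might still have. The snapshots below are constructed; in a real audit they
would be collected from each server (passwd, shadow, authorized_keys,
sudoers, per-user crontabs)."""

# Hypothetical identifiers for the departed administrator.
DEPARTED_USERS = {"jsmith"}
DEPARTED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobJsmith01"}


def audit_host(host, passwd, shadow, authorized_keys, sudoers, crontabs):
    """Return a list of (host, finding) tuples; an empty list means clean."""
    findings = []
    for line in passwd.splitlines():
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        if name in DEPARTED_USERS:
            findings.append((host, f"account {name} still exists (shell {shell})"))
        elif uid == "0" and name != "root":
            findings.append((host, f"undocumented uid-0 account {name}"))
    for line in shadow.splitlines():
        name, pw_hash = line.split(":")[:2]
        if name in DEPARTED_USERS and not pw_hash.startswith(("!", "*")):
            findings.append((host, f"password for {name} is not locked"))
    # Match on the key material, not the trailing comment: comments can be edited.
    for owner, content in authorized_keys.items():
        for entry in content.splitlines():
            blob = next((f for f in entry.split() if f.startswith("AAAA")), None)
            if blob in DEPARTED_KEY_BLOBS:
                findings.append((host, f"departed admin's SSH key in {owner}'s authorized_keys"))
    for line in sudoers.splitlines():
        fields = line.split()
        if fields and fields[0] in DEPARTED_USERS:
            findings.append((host, f"sudoers grant still present: {line.strip()}"))
    for user, content in crontabs.items():
        jobs = [l for l in content.splitlines() if l.strip() and not l.startswith("#")]
        if user in DEPARTED_USERS and jobs:
            findings.append((host, f"{len(jobs)} cron job(s) still scheduled for {user}"))
    return findings


def run_sample():
    """Audit a constructed snapshot of a single server (six findings expected)."""
    passwd = ("root:x:0:0:root:/root:/bin/bash\n"
              "jsmith:x:1001:1001::/home/jsmith:/bin/bash\n"
              "backup:x:0:0::/var/backups:/bin/sh\n")
    shadow = "root:$6$abc:19000:0:99999:7:::\njsmith:$6$def:19000:0:99999:7:::\n"
    # Key comment says "ops@backup", but the blob is the departed admin's key.
    keys = {"root": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobJsmith01 ops@backup\n"}
    sudoers = "root ALL=(ALL) ALL\njsmith ALL=(ALL) NOPASSWD: ALL\n"
    crontabs = {"jsmith": "# nightly log rotation\n0 3 * * * /opt/rotate.sh\n"}
    return audit_host("srv01", passwd, shadow, keys, sudoers, crontabs)


if __name__ == "__main__":
    for host, finding in run_sample():
        print(f"[{host}] {finding}")
```

Run it against the real snapshot from each server in turn; any non-empty result is a hole to close before the audit is signed off.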
Having been involved at the sharp end, we know that this is not an insurmountable problem. Most of the threats to security and network management can be countered.
Source
SMT
Postscript
Stephen Bishop is production director at IDsec (www.idsec.co.uk)