How can you deal with the meanness of dismissed system administrators?
As the head of the IT department, which very often consists of system administrators, I am concerned about the question from the title. Recently there was a very unpleasant incident when one of the admins who left caused serious technical damage to our organization, but they could not legally prove anything, although everything is clear to everyone. This terrible article prompted us to ask the question; in principle, we got burned on something very similar.
And what measures do you take to protect yourself and your organization from corporate sabotage and insiders? Administrative, technical, educational... I will be grateful for any specifics, examples, advice.
Carefully select staff, pay decently, and do not conflict with the system administrator. If it comes to dismissal, find out all the passwords and other information in advance, and then really don't let them in at the checkpoint, though probably pay for the 14 days; that is better than them doing anything to you.
The first and last argument, already described above, is that not only with the administrator, but with any employee, it is necessary to diverge so that after dismissal he can suggest what, where and how.
In small companies, a new administrator often grabs his head, “what an idiot built this”, and starts redoing it from scratch - in all the small companies where I worked it was exactly like this: he came, was horrified, redid it humanly, documented it, and gave a copy of the documentation to the management, just in case, in electronic and paper form with all logins/passwords other than domain ones, which are linked wherever possible.
I am a lazy administrator and I had a desire to make a bookmark once in all 10 years of my work experience, but the management in the company changed to a more adequate one and the desire to make a bookmark disappeared after almost an hour of communication with the new boss.
I almost always have a person who understands IT risks in my leaders,
And it’s somehow stupid to spoil your reputation, at least - anyway, in 90% of cases, the future management calls the previous one with questions about you, beloved.
And if you want to put a bookmark, I think that the best bookmark is a letter of resignation.
About the idea that the administrator should be deprived of admin rights for the 2 weeks - so what is he needed for then - to change the cartridges?
If he doesn't actually do anything, he can't.
In large companies, they often find out about the dismissal at the checkpoint. The chief politely hands over their things, put in a box, and gives parting words. Some employees think it's terribly tough, but it's actually just security. For the 14 days you can give half of the salary, so that the individual calms down, but then the data is intact, and so are your nerves.
I would like to clarify:
do not let at the checkpoint
Unless to control the actions of the work of their subordinates. Almost no other way.
Why hasn't anyone thought about this situation? The admin already had a bookmark in the system, so everything was not entirely smooth, and apparently the situation was heating up for more than one month.
Have your own information security service, ideally. Things should be arranged in such a way that the actions of the administrator would also be controlled by the IS systems that are not under his control, audit of actions, all sorts of DLP. This is of course difficult and expensive, the lot of big rich corporations. For a simpler level - so that the team is like a family. And not to let anyone in there, except for prof. qualities to be attentive to personal when applying for a job.
Unless to control the actions of the work of their subordinates. Almost no other way.
And the situation is familiar. The admin before leaving (already during the internship of the new one) decided to demolish the accounting database and took the backups with him.
By the way, corporate sabotage and insider is a little different.
In normal companies, the database administrator != System administrator, and Backup administrator != Database administrator and != system administrator.
It didn’t work for the right employee to get an admin login/password, I just installed updates and patches, after which we coordinated the reboot time of the machine.
At the same time, he monitored the creation of backups, and I made sure that the backups did not disappear anywhere in an unknown direction.
By the way, the included audit is very helpful in this in case of a step to the right / left - a letter to the mail of the admin + manager, and then - reports and dismissals, including under the article.
If the "admin" is worthless, then he will not have enough knowledge for a normal bookmark. IMHO, of course. And if the administrator is good and competent, then why fire him? Pay a normal salary and not conflict with him, and he won’t even think about all sorts of harmful things there. Or do you, like many others, have a desire to save money by hiring students?
Well, about the situation as a whole - I would not bang everything and everything, it's just somehow ugly. So, you can “punish” a little - drop the Internet tightly or something like that, but just in case, leave the backups in some hidden place so that the future admin, if not a fool, finds and fixes it. Well, if he doesn’t master it, let the bosses understand what a good specialist they kicked out =) Although, if the bosses “brought” him to the state of complete revenge, it’s not a sin to bang everything in a row, because it’s not good.
In my opinion, the question is not “how to fire such an administrator”, but “why didn’t we weed him out at the interview stage” is much more important. Because it is much better not to accept such people at all (or simply reduce the likelihood of such an event) than to create a security system, the very existence of which will repel normal candidates.
Do you need to work or control all kinds of assholes?
If the admin has already set the bookmark, it's probably too late to do something.
From organizational measures - the same as for any other employee related to information that is critical for the company. The administrator is responsible for maintaining the IT infrastructure through which information is processed. I would even say that more stringent information security policies should be applied to the admin.
In order to be able to reasonably say something on the legal side, a trade secret regime must be introduced in the company. It's not as scary as it seems.
Of the technical solutions for controlling the actions of the admin, I can name Wallix Admin Bastion, BalaBit Shell Control Box and ObserveIT. But in the domestic market, they have not yet received much distribution.
It is possible to hire another specialist to control the work of another and identify “holes”. To do this, it is optimal to hire under a contract for a specific period and without obligations and promises of subsequent orders. Or well-known / trusted people / offices.
cvsbackup helps a lot. Of course, if you can completely fix it, you can also remove the backups or mess up fairly. HOWEVER, diffs can be saved and rolled out later, no problem.
And yes! Advice!
If at some certain period of time you dare to monitor the work of the administrator, for example, record everything that he types in the terminal, no matter how. Learning about it. You will get even more hemorrhoids. It is called Individual config. I don't know what the current admin is doing. But I have not used typical service configs for a long time. And some configs are generally encrypted, not because the employer, but because they are afraid that *** dyat. Often configs are the result of creative activity. And unfortunately not always gpl.
About a month ago, one of our domain administrators was fired. Fired one day.
That is, the man went to the authorities, where he was informed of the dismissal.
While the conversation was going on, the computer was seized by the information security service, the account and the pass were blocked. Whether any audit was carried out, I can’t say, I don’t know.
After leaving the administration, the admin took the SEB (economic security) and checked it on a polygraph.
Then the man was taken out of the building, accompanied by employees of the security service.
For such "inconvenience" they added money, as far as I know.
There were cases when, as already mentioned above, a person found out about the dismissal already outside the territory of the organization.
I think that it will not be possible to protect yourself (the company) 100%, but it is absolutely necessary to strive for this.
And you need to start, as correctly mentioned above, with a careful selection of personnel.
Good working conditions.
Internal documents regulating the rules for working with information resources.
Information security department, which is also involved in the audit of the existing infrastructure.
Sorry, this is my first time posting here. But how to deal with the leadership, which daily "breakfast" feeds on account of delayed wages, and meager ...? Of course, I can come to bring everything down, then fix it for two weeks until all the debts are paid. But I would like to immediately teach a lesson to understand that from tech. engineer, the entire work of the office depends on...