Mark said:
I'm the new network admin. The owner of the company is the only other person
above me and he didn't authorize the installation of any such software. It
was not due to company policy. It was a bad network admin. Removing it isn't
at my risk... removing it is a due of my job!
Steve Riely got it right with the articles he referenced. How do you secure
the network from the person in charge of overseeing that it's secure? What
steps do you take when network admin leaves to make sure he/she didn't leave
backdoors, keyloggers, software bombs, etc.??
What I need now is to find a company that can come in with special
equipment/software that can detect such software/packets, etc. log it, track
it, remove it and then be willing to present the evidence in court. How does
one go about finding a *good* company like this? Does anyone have any articles
that reference picking such a company... what questions to ask, etc.
Nasty situation. Getting in a contract organisation is going to be the
quickest and best fix. It is not going to be cheap.
It really depends on your infrastructure, number of servers, number of
workstations, etc. Re-installing from known good media will possibly be
your best bet. If you think there will possibly be a prosecution
pending, you will need to make a good forensic copy of any and all
affected media beforehand. Preservation of evidence is key in this and
is best left to trained personnel - it may already be too late to pursue
a successful prosecution - it depends how knowledgeable the previous
admin was.
It is possible to reference all the executables installed on the system
against something like the National Software Reference Library and that
is something that can be done quite simply to ensure system integrity.
(it won't check for misconfigurations, that's up to you!)
I can't make any recommendations for companies to provide the service in
the US. If you were in the UK, it would be a different story.
Bogwitch.
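The known-file check Bogwitch describes, as an added example that is not part of the thread: hash every executable under a tree with SHA-1 (the digest the NSRL Reference Data Set is keyed on) and report the ones absent from a known-good set. The RDS row layout and the hash values in `SAMPLE_RDS` are constructed assumptions, not real NSRL entries, and the directory tree is built on the fly.

```python
import csv
import hashlib
import io
import os
import tempfile

# Constructed sample in the shape of a legacy NSRL RDS "NSRLFile.txt" (assumed
# column layout; the digests below are made up and are not real NSRL entries).
SAMPLE_RDS = '''"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"0123456789abcdef0123456789abcdef01234567","d41d8cd98f00b204e9800998ecf8427e","00000000","notepad.exe","69120","1234","WIN",""
'''

# File types worth comparing; anything else is skipped.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}


def load_nsrl_hashes(rds_text: str) -> set:
    """Parse NSRL-style CSV text into a set of lowercase SHA-1 hex digests."""
    reader = csv.DictReader(io.StringIO(rds_text))
    return {row["SHA-1"].strip().lower() for row in reader if row.get("SHA-1")}


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unknown_executables(root: str, known: set) -> list:
    """Return relative paths of executables under root whose SHA-1 is not in the known-good set."""
    unknown = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            if sha1_of_file(full) not in known:
                unknown.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(unknown)


def demo() -> list:
    """Constructed tree: two 'vendor' binaries we treat as known-good, one stray tool, one text file."""
    with tempfile.TemporaryDirectory() as root:
        files = {"system32/notepad.exe": b"vendor bytes A", "system32/kernel32.dll": b"vendor bytes B",
                 "temp/unknown_tool.exe": b"unknown bytes", "temp/readme.txt": b"not an executable"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Known-good set: the constructed RDS rows plus the two vendor files hashed here.
        known = load_nsrl_hashes(SAMPLE_RDS)
        known |= {sha1_of_file(os.path.join(root, r)) for r in ("system32/notepad.exe", "system32/kernel32.dll")}
        return find_unknown_executables(root, known)
```

Run it from a trusted boot environment against the mounted disk or a forensic image rather than on the live system, since the walk only sees what the running OS chooses to show it; and as the post notes, a hash match says nothing about misconfiguration.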