The Importance of Exit Procedures

There is an interesting article in the San Francisco Chronicle about a former IT manager turned "vengeful computer hacker" who logged in to his former company's mail server and turned it into an open mail relay for spammers to abuse. He also deleted the Exchange server's mail database and critical system files, preventing the server from being able to boot. After five years, he has finally been sentence to a year and a day in prison for "unauthorized access into a protected computer, recklessly causing damage."Of course it's understandable that the former employee, Steven Barnes, is getting punished for wreaking vengeful mayhem on his former employer, but what about the system administrators who failed to protect their systems from getting access by the former employee? What happened to them for allowing an old password allowing remote administrative access to the company's mail server and who knows what else? I guess what I'm wondering is whether the company even has exit procedures to handle what takes place when an employee leaves.

In a related Network World article, it's reported that Barnes "was upset after Akimbo representatives showed up at his door in April 2003 -- one carrying a baseball bat -- and [took] both his work and personal computers." Again, I have to wonder what exit procedures (ones not involving baseball bats) the company had in place at the time -- procedures that should have addressed the changing of all of Barnes' passwords.

No matter how big or small, every company needs to have exit procedures (although I guess a sole proprietorship can be exempted here). The procedures need to address more than IT issues, so they should be jointly produced by the HR department and others that may include IT, building/property security, and HR. Company contact directories will need to be updated, RFID access and ID cards revoked, and accounts disabled, deleted or updated with new passwords.

Exit procedures should not be taken lightly; the impact of not following them, or not having them at all, can have dire consequences on a company and, as we see with this article, the attacker, too.

John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.