Most organizations, when they are about to sack an administrator, give little thought to what to do if things go horribly wrong. This is because most sacking decisions tend to be made hastily rather than at leisure. When a regular employee is fired, their password can be changed and they can be escorted out of the building. Administrators aren’t regular employees and although 99.9% of administrators will go quietly if they suddenly lose their job, position, 0.1% of administrators might decide to take a parting swipe if they feel they have been treated shabbily.
Management in most organizations does not recognize how thoroughly dependent their business is on their IT infrastructure. They realize that IT is important, but don’t spend a lot of time wondering about what would happen if critical systems stopped working. This is because they’ve employed systems administrators to worry about these things. What they don’t seem to spend time thinking about is the sort of damage that the person who is paid to look after these systems is capable of doing. If they did think about this, they would probably be a lot more circumspect when planning to change the employment status of anyone with administrative privileges on the network.
Organizations should put a lot of thought into how they deal with terminating the employment of systems administrators. It is all about risk management. In most cases they have nothing to worry about because the person that they employed will act professionally even if the change in employment status is not necessarily handled in a professional manner. But a risk exists, however remote, that the person will not behave professionally. Just as an organization takes regular backups to guard against a one in a thousand chance of hardware failure, they need to take precautions when preparing to let go of a systems administrator.
There are a couple of important things to remember when thinking about firing a sysadmin. The first is that if an organization has employed a truly nefarious systems administrator, and by that I mean someone who is crazy smart and who will lash out if fired, they are probably up the creek. This is because the true evil genius administrator has already prepared everything in advance before you started thinking about this sort of thing. This is the sort of person who has put deadman scripts into the system that wipe data when they don’t receive a regular disarm message. If an organization suspects that it has this sort of administrator, they need to find a way to get that person to go on vacation so that they can have someone else go through everything looking for possible tripwires and backdoor administrative accounts. A nefarious administrator who has gone away on holiday expects to return to work won’t have things up so that the system falls apart because they are away. If the person checking for these tripwires and backdoor accounts is unable to find anything, the most likely reason is because the suspicions that such a thing had been setup were groundless.
The second thing to remember is that a rogue administrator will dip their toe into the pool before trying something. If you’ve got alerts set up to detect the creation of extra administrator accounts and the systems administration team is aware that such alerts exist, this will work as a preventative. IT systems come with a whole lot of ways that you can audit the behavior of systems administrators. Most organizations should do this as a matter of course. Once you have a good set of logs, you can track the activities of a systems administrator before you fire them.
Finally, before you let even the most trusted systems administrator go from a company, make sure that a complete backup has been taken. In fact if you plan ahead, you perform a disaster recovery trial to ensure that all the backups work as advertised so that you know for a fact that if you have missed something and you lose some of your data to a revenge attack, you know that you will be able to recover it properly.
Organizations need a plan to deal with systems administrators who leave under less than ideal circumstances. If they don't have one and something bad happens, they will wish they had thought of it before they let that person go.
