Rogue Sysadmin Sabotage Attempt


A terminated system admin attempted massive data deletion with a script that would have attempted to wipe out all disks on all servers.

"If this script were executed, the total damage would include cleaning out and restoring all 4,000 ABC servers, restoring and securing the automation of mortgages, and restoring all data that was erased."

It was detected before it could execute.

Think about your conversion from tape-based backups to disk based backups. Would that script have wiped out the disk pools that store your most recent backups?

Unless you have clear separation of duties and rights between system admins who support production and those who administer the backup software and servers, this would be a tough risk to mitigate. I‘ll bet that most shops have the same system admins for both the production servers and the backup infrastructure. If so, the rogue ‘wipe all’ script would take out the disk-based backups also.

That’d be a bad day.