Who dropped their pants?

I am developing a new reality game show for intrusion analysts and investigators. I'm calling it
"WHO DROPPED THEIR PANTS?"

There are several ways systems get compromised, but more often than not it's due to a misconfiguration or sloppy management of controls. I constantly refer back to something Charl van der walt of sensepost said a few years ago about sysadmins being able to screw up only once. That has stayed true. I've analyzed countless incidents where the root cause was determined to be gross misconfiguration leading to compromise. The vendor could come in and instruct the sysadmin to disable the host firewall to make a specific piece of software able to function. A sysadmin could tire of testing and rush a system in to production before it was ready. A list of passwords could be stored on root of the drive in cleartext. You get the idea. Someone is dropping the pants on a system right now in your organization in order to get something to work. Why, for many people what's the first troubleshooting step when there's a firewall involved? Disable the firewall of course. Well, did they turn it back on? My most favorite line in the past has been "That system is a Mac running OSX, are you sure it's compromised?"..this being a question I receive from clients when I alert them that something is amiss.

The first thing I want to know is why in this day and age are people still being given absolute control over a system when their job is to manage only one functional role held by the system? Take a database server for instance. Does the DBA need full admin rights over the operating system, or do they need limited or no rights to the operating system, and full rights over the database they are responsible for? When the untrained has more access than required and they are knowledgeable enough to inadvertently do damage the organization is begging for trouble. Unfortunately this is an all too common occurrence in the IT field. Hence the name of my new game "WHO DROPPED THEIR PANTS?" So for us as responders what do we do?

Well, you want to find out who has access to a system and what rights do they have. Then you want to find out when they were logged in to the system and were they logged in at or around the time of compromise. In addition, is the proper logging in place to determine their actions at the time of compromise? These are just a few things to keep in mind when determining "WHO DROPPED THEIR PANTS?"