If we start with the first question, this would depend on a few circumstances. First though, if it comes to this stage it’s Game Over, we don’t have a network anymore and have to start from scratch.

When it comes to this specific case in order to answer your question I would have to know what n3m0 did during the hours he spent in the server room. What n3m0 did was really a sledgehammer approach; it left all kind of footprints in different logs. If a server had crashed randomly twice during the night I would have investigated it, since I’ve created the fictional character n3m0 I can say that yes I would have noticed that something was seriously wrong.

If there had been a more skilled attacker it would depend on which of my customers’ networks had been targeted. With central monitoring and log servers this would sound all kinds of alarms. With the logs kept on the computer I would just be guessing, I might not even know if the server had been restarted.

As soon as the server has been compromised we can’t trust it anymore, it will lie to us (and keep a straight face too). My trusty old PowerEdge would lie to its mother if an attacker told it to.

As for the second question, hopefully no one would be so cruel to “my” network(s) It comes down to the trust you put to the employees and then their motivation to do so. Skill only enters into it if the attacker is working alone. n3m0 or someone else could have pulled this off without any kind of knowledge about computers, he would just need a cell phone and a friend.

What are your thoughts?