[ISN] Find them and fire them: 5 steps - Spotting and handling rogue employees before they make the news

From: InfoSec News (alerts@private)
Date: Sun Oct 28 2007 - 22:07:07 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9040018

By Jon Espenschied
October 01, 2007 
Computerworld

After my first day with a client on the regional fringe of Iraq, I was 
happy to find a room with decent air conditioning and an Internet 
connection. Then I started looking around.

My first clue something was amiss with my hotel should have been the 
double concrete barricade at the street, the metal detectors at every 
door and the airport-style X-ray machine. But what clinched it was the 
swagger of tank-top-and-fatigue-wearing American men smoking in the 
lobby, each with a semiautomatic pistol jammed down his waistband or the 
overt machismo of a dangling combat knife.

The concierge explained I'd wandered into an R&R hotel for Blackwater 
USA, which recently had been in the news for its mercenaries' 
involvement in a string of violent deaths and allegations of weapons 
smuggling. (Blackwater refers to itself as a "private military company," 
but now that Iraq is nominally self-governing, supplying personnel and 
engaging in combat there is mercenary business according to Article 47.c 
of the Geneva Conventions.)

Watching how influential or powerful people act in their off-hours can 
be telling, especially in high-stress situations. After witnessing 
Blackwater personnel engaging in unprofessional behavior such as doing 
burnouts in a jacked-up Escalade, brandishing weapons, and spewing loose 
talk about company business (not to mention public consumption of 
alcohol in an Islamic locale), none of this news is even slightly 
surprising.


Five steps to find them

It's tough to find effective and ethical people to fill positions of 
influence or power. Whether the role is that of security guard for a 
convoy out of the Green Zone or security administrator for critical 
systems, missteps can directly lead to the death of innocent people, and 
intentional abuse is the stuff of nightmares.

Worse, it's the people who really want power and influence who are most 
likely to mishandle it. I don't have a line on ways to see into other 
people's minds and evaluate their current and future ethical capacity 
and personal risk factors, but here are a few steps you can take to spot 
an internal danger before too much damage is done.

(Note: Laws and social norms regarding termination vary widely, so the 
involvement of an attorney is key to making sure any termination process 
is handled reasonably and lawfully. These opinions are not legal advice 
and may contain information that is improper for your locale.)


1. Set clear goals.

Drop authority into idle hands and corruption from power happens fast. 
Termination is an easy decision when someone simply doesn't have the 
professional or ethical rectitude to handle a job. The solution is to 
make sure employees have clear goals for their initial work, let them 
prove they can handle it, and then slowly add responsibility and 
authority. With good references and recommendations that speak to a 
person's ethical behavior and professionalism -- not just technical 
ability and certifications -- it also becomes reasonably safe to hire 
directly into positions of significant responsibility.

Clear goals should include plans for roles and advancement, not just 
job tasks. If the opportunity presents itself, a technical staffer in an 
otherwise thankless help desk role can be given a career path to systems 
and network support or development, thereby reducing the risk of idle 
hands with authority over others' organizational identity and data. 
(This has the nice side effect of reducing overall turnover even as the 
help desk loses people to advancement.)


2. Set clear prohibitions.

Tell your security administrators and other influential tech people 
where the boundaries lie in terms of behavior, and explain the 
consequential impact -- including the potential damage -- that security 
controls have on business processes. The people at the International 
Policy Governance Association like to think they invented the negative 
directive, but there's a good idea at the core of the advice they give 
to corporate boards.

The IPGA's FAQ says that board directors ought to make "decisions and 
actions only in a proscriptive way." Proscribing, limiting or 
constraining certain actions and behaviors, "makes possible all other 
actions and behaviors [and] gives staff maximum freedom in creating 
actions to achieve the ends, while avoiding what is not acceptable even 
if it works."

For example, implementing strict network authentication rules that block 
access by field doctors to telemedicine video feeds after two mistyped 
password entries may not be the best balance of security vs. 
functionality. Likewise, aggregation of large amounts of financial data 
may be required for regulatory compliance, even if privacy advocates 
fret over the risk. Just as military contractors ought not shoot 
randomly at crowds when someone cracks their bubblegum, enterprise 
network administrators should know it's (usually) not OK to implement 
active network defenses that launch attacks on other organizations when 
an intrusion attempt is detected.


3. Check the work results.

Measure the outcome of work processes. Don't take a security staffer's 
word about whether goals have been met, methods are actually being 
followed, or improvements made. "You and your assets are safe" can mean 
someone ticked items off a control list rather than considering new and 
emerging threats. "Don't worry about it" means you should.

Work metrics from information security staff ought to be relative to 
experience, and ongoing activities ought to be guided by predictions of 
future risk. Ask for results to be described in comparison to a similar 
time period (e.g. "security events this month compared to the same month 
last year") or a similar organization or site if no firm metric is 
available (e.g., the number of breaches or intrusions for a competitor's 
operations).

It's also worthwhile to check out what else they are doing if some 
activities are not on the agenda. Are side projects a sign of initiative 
or ulterior motives? Just as the alleged smuggling of weapons may turn 
out to be Blackwater contractors quietly backfilling equipment that is 
in short supply for U.S. soldiers, the routing equipment missing from 
one corporate project may be serving to shore up security for another. 
Or someone may be lining their pockets when no one is looking.


4. Go and watch how they work.

It's common to see a degree of aloof behavior from technical or tactical 
staff -- a combination of pride in skills and a geek's stereotypical 
lack of social grace. Outright arrogance or lack of respect for one's 
customers, on the other hand, is a serious warning sign.

Traffic police officer Ali Khalaf described a startling pattern of 
behavior just moments before Blackwater contractors opened fire and 
killed 10 civilians last week: "As they often do, guards from the U.S. 
firm -- the largest private security operators in Iraq -- hurled water 
bottles at cars to stop traffic as they drove through." Regularly 
throwing your drink at someone implies a certain lack of respect.

If they don't have respect for end users themselves, security staffers 
likely have no respect for the work those users do or for their assets, 
whether information or infrastructure. Security tasks of import are then 
indistinguishable from a game in which the player has no risk, and the 
outcome is predictable. Do help desk staffers insult inexperienced 
users? Are trouble tickets delayed to teach people a lesson? Do 
developers delete security requirements from test criteria? As TJX 
painfully learned, today's small arrogant behaviors turn into tomorrow's 
security disaster and the next day's ongoing or irrecoverable loss.


5. Sit back and listen.

Sometimes the worst offenders just can't keep their mouths shut. By 
listening and looking, one can hear the warning signs coming from 
co-workers, other managers and even competitors. With employees using 
their own names or bragging about exploits at a named company, it only 
takes a few Google searches to uncover enlightening information. 
Personal blogs, MySpace pages, YouTube and even venerable Usenet groups 
tell stories of past or impending misbehavior.

Not every inappropriate public venting of personal frustration indicates 
that a Jon Paul Oson-style meltdown is in the offing. Sometimes an 
apparent attempt at career suicide is just a singular cry for help, not 
a pattern of risk that warrants termination. However, assertions about 
"pulling the trigger" or "I could do x" are huge, blinking warning 
signs. Tales in the past tense ought to be verified and pursued 
vigorously.


Five steps to fire them

So you find warning signs from a security staffer that constitute 
unacceptable risk, evidence of negligence or much, much worse. He needs 
to be fired, and he needs it bad. Yet most managerial resources only 
cover the process of termination from the decision through the 
"cardboard box commute" out the front door.

Little is said about handling people with significant administrative 
access, or the uncomfortable and unfortunately common problem of contact 
after termination. Here are a couple of steps to consider before and 
after the usual human resources blather about hostile terminations.


1. Safety and asset protection.

As Shaggy says when things get out of hand, "First thing you gotta @%$# 
do is do not move!" Preservation of life and safety has to be primary, 
but too much doing and not enough thinking will turn a bad situation 
into a disaster. If the person about to lose his job poses an immediate 
physical danger to others, involve law enforcement before doing anything 
else. If he poses a danger to himself, either law enforcement or 
involuntary psychiatric care help may give you a little time to assess 
how his condition affects you.

Taking a step back, it's important to consider secondary risk to life 
and limb. System operators for civil infrastructure may cause traffic 
jams, contamination or resource contention in a fit of anger that 
results in injury or worse to a far-removed third party. A vengeful 
database administrator for a pharmaceutical supply house may slip a bit 
that isn't evident until someone's grandfather gets the wrong 
prescription in the mail two weeks later.

Turn off their access or remove their rights to dangerous systems. 
Remove their rights to create or delegate to other identities. Look for 
alternate or shared accounts, and turn those off too. Don't accept 
waffling from other administrators about unchangeable passwords for 
shared accounts or other back doors; there's no better lever than 
imminent civil or criminal liability when it's time to demand change or 
pull the plug.


2. Check yourself.

When the immediate risk level settles down, take another step back to 
make sure all of the administrative ducks are in a row. Did the person 
have clear duties and limitations? Did he know the policies and 
applicable laws? Are all issues involved in the separation -- from 
background checks and training to evaluations and evidence -- formally 
documented and available?

Take a moment to ponder how the termination will go. The core process is 
pretty rote, but what tangents or mistakes may arise? Are there projects 
that will need to be picked up? Were duties properly separated and 
rotated, or does the individual have unique access or knowledge? It's 
not helpful to handle the termination smoothly only to see something 
later fall flat in your ongoing security and operations.


3. The usual.

There are innumerable sources of support for the process of terminating 
people in an ethical, legal and humane way. Beyond advice from human 
resources and legal experts, I often suggest that it's a good idea not 
to delete application, system or directory user IDs. If there is any 
practical way to remove all rights but keep the identity and activity 
record, the person's accounts should be deactivated or archived but not 
deleted.

This runs contrary to common technology-focused security wisdom, but the 
continuity of identity and activity logging is becoming increasingly 
important in industries including financial services, health care and 
defense. Organizations occasionally hire people back after a layoff, or 
a fired person may go to work for a business partner with access to the 
same resources. In these situations it's important to realize that it's 
one person -- at an account and log level -- and deletion of accounts 
may prevent that correlation.
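The access shutdown in step 1 and the "deactivate, don't delete" advice in step 3 above, worked through as an added example (not from the article): a constructed in-memory directory stands in for a real identity store, and the names jdoe, jdoe-adm, svc-backup and asmith are assumptions. It disables the person's own and alternate accounts, strips delegation and identity-creation rights, flags a shared password for rotation, and then shows that log lines from before the termination still resolve to the same person because the accounts survive.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    owner: str                      # person behind it; "shared" for group credentials
    enabled: bool = True
    rights: set = field(default_factory=set)
    members: set = field(default_factory=set)  # people who hold a shared password
    needs_rotation: bool = False

# Constructed sample directory: an admin, his alternate account, a shared service login.
DIRECTORY = {
    "jdoe": Account("jdoe", "jdoe", rights={"login", "delegate", "create_identity"}),
    "jdoe-adm": Account("jdoe-adm", "jdoe", rights={"login", "domain_admin"}),
    "svc-backup": Account("svc-backup", "shared", rights={"login"},
                          members={"jdoe", "asmith"}),
    "asmith": Account("asmith", "asmith", rights={"login"}),
}

def offboard(directory, person):
    """Disable every account the person owns and sweep shared ones; delete nothing."""
    touched = []
    for acct in directory.values():
        if acct.owner == person:
            acct.rights.clear()          # delegation and identity-creation rights go first
            acct.enabled = False         # deactivate; the identity stays for log continuity
            touched.append(acct.name)
        elif person in acct.members:     # shared password the person knows: rotate it
            acct.members.discard(person)
            acct.needs_rotation = True
            touched.append(acct.name)
    return sorted(touched)

def correlate(directory, log_lines):
    """Resolve log events to the human behind each account, even after offboarding."""
    events = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        acct = directory.get(fields["user"])
        person = acct.owner if acct else "unknown"   # a deleted account would land here
        events.append((person, fields["action"]))
    return events

# Constructed log lines recorded before the termination.
LOG = [
    "2007-10-01T09:12:00 user=jdoe-adm action=export_table",
    "2007-10-15T23:40:00 user=svc-backup action=restore_db",
]
```

Running `offboard(DIRECTORY, "jdoe")` followed by `correlate(DIRECTORY, LOG)` still attributes the export to jdoe; had the account been deleted, that event would be attributed to nobody.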


4. Involve peers.

Every human resources book says it's undignified and legally risky to 
talk about an impending termination. However, the practical reality is 
that when the person being terminated is a security administrator or 
technical security officer, one or more of his peers must know about the 
situation. At a minimum, someone has to take over the operational and 
security duties before the termination takes place.

With proper separation of duties and rotation, it may be necessary to 
involve multiple people to handle operations, access control, monitoring 
of activities, and auditing of the overall handover. In some cases, it 
may even be necessary to involve someone whose sole duty is to watch for 
signs of collusion between the person being terminated and his heir 
apparent. I'll turn this advice around: If you're a security 
administrator or CISO and find your peer or a small number of 
subordinates took over your duties and logged your activities, don't 
hold it against them. Security people get fired differently. Don't make 
a fuss or take it personally; this is just how it happens.


5. Follow up.

People need work, and it's a mistake to think they disappear after being 
fired. The worst security blowhards and fat-fingering ne'er-do-wells I 
know are still gainfully employed in the industry, some even work the 
consulting and speaking circuits. On one hand, it's proper just to 
decline references (other than role and dates of employment) rather than 
badmouthing them. On the other hand, abstaining from comment while a 
disaster repeats itself on someone else's turf does no one any good.

I say talk. Be careful with your words, don't exaggerate, don't make 
predictive statements, don't launch into ad hominem attacks, but talk. 
Do it off the record if you must -- verbally, over a drink, in the 
hallway at a conference. What else are birds-of-a-feather sessions 
really for?

Consider that people learn from their own mistakes and that one 
organization's spectacular flop may become someone else's wise, contrite 
and diligent worker. But if an administrator or ISO swaggered and 
stomped through your world with a powder keg in his head and reached the 
point where he had to be fired, give enough information to the community 
so that people know that his reputation reflects reality.

-=-

Jon Espenschied has been at play in the security industry for enough 
years to become enthusiastic, blasé, cynical, jaded, content and 
enthusiastic again. He manages information governance reform for a 
refugee aid organization and continues to have his advice ignored by 
CEOs, auditors and sysadmins alike.





This archive was generated by hypermail 2.1.3 : Sun Oct 28 2007 - 22:18:27 PST