NetSec Letter #12, 13 September 2001
Before You Pull the Plug

Fred Avolio
Avolio Consulting, Inc.
http://www.avolio.com/

Recently, in his "Web Informant" column, my friend and fellow consultant David Strom wrote on the problems of downsizing and "layoff rage." His friend, Nancie Hickok, joined him to suggest the best ways to handle layoffs to protect the dignity of the "fire-ee," while also maximally protecting the property and business of the "fire-er." (See http://strom.com/awards/258.html.) I'll look at this problem from a computer and network security angle, and suggest some safeguards. Be forewarned: there is no magic; it is not easy.

The Problem

It looks like the problem is with the angry or otherwise unhappy (perhaps ex-) employee. And so we might do everything we can to handle the expected results of forced termination. If we can't "re-gruntle" him, we shut down access to computers, we watch the terminated closely as he packs up his boxes up (both good ideas), or we unceremoniously escort him to the nearest door (probably not the best). We make sure there is little chance of the newly disenfranchised from setting a logic bomb, destroying data, or otherwise showing his "layoff rage."

Some of these are wise precautions, but they often come too late. Employees may have already gotten wind of the planned job action and already taken action. Further, angry ex-employees have attacked corporate networks from the outside, sometimes vandalizing web sites. Also, unless we plan and have some basic tools to help, we're almost sure to leave some gate unlocked.

Years ago, a friend left the employ of Digital Equipment Corporation (hundreds of years ago in "Internet-time," the second largest computer vendor). Months later, he was still able to connect to the company's internal network, log into his still-active account on various UNIX servers, and otherwise wander around the entire corporate net. He was not disgruntled at all, merely curious. What went wrong? Someone in HR forgot to tell the IT group. And the IT group did not control all of the computers on the network anyway.

It all boils down to the more basic problem of access control. Or should I say "the lack of access control," to systems, networks, databases, etc. Yes, yes, of course we have access control to our networks and systems. It's just not very good. Or not documented. Let me make some suggestions.

Observations and First Step Remedies

First, do a survey of systems and users on your network. If you are in a large company, this is going to be a major effort. (I fought back the urge to write "nightmare", as I don't want to scare you off.) But the larger the company, the more critical this is.

Second, start tightening up system and user access on your network. In a recent column I wrote the following about loose access control: "Inside, we often treat everyone ... as trusted. ... This problem is one of granularity in access control. With insufficient granularity, access control is broken down into perhaps 3 areas: outsiders (they don't get access), insiders (they get access to user accessible files), and special users, such as system administrators. With more granular access control, ... individuals are granted access to o nly what they need to access." ( http://www.avolio.com/columns/AccessControlGoneBad.html.)

Third, grab some software to help you out. An interesting product to check out is "Hark!" from Camelot, Ltd. ( http://www.camelot.com/). (Disclosure: I once wrote a column for their newsletter. I have no other affiliation.) Using network-based agents (monitors) it first helps you observe access control, and then to make it into an access control policy -- tightening things up, as I suggest.

Finally, establish some corporate policy statements, along these lines:

1. No computer system may connect to the corporate network without being approved and administered by corporate IT.

2. No user account may be added to a computer system connected to the corporate network by anyone outside of the IT staff.

3. Corporate IT will not create any user account on any system (be it router, PC, e-mail server, access server, or any other computer) without notification from the HR department that the user is an employee on record.

4. Network node and user account creation and deletion will be logged and tracked by the IT.

5. Except for emergency actions, no employee will be terminated before HR has notified the IT department of the intention and the date, and the IT department has acknowledged.

6. The corporate auditors will audit compliance to these policies.

No Shortcuts

There are no shortcuts. And I warned you it wouldn't be easy. You suspected that already. But, as tedious as this starts to sound, and as involved it will be for those in a very large organization, the process is not very complex. Think about this. There is no more complexity in this for a 10,000 employee, 12,000 node network, than in that of a 10 person company. There's more to do and lots more to catalogue. Yet, the tasks are the same for the large company, as for the small. They will have to be repeated more often. You'll wish someone had done it right long ago, when there were fewer people and things to consider. It's always harder to correct the situation than to do it right the first time. But once you do correct it -- if you remain diligent and stay the course -- you'll be in a much better situation in the future. Even if the economy and management's bad planning require that you let a few people go. And remember what Winston Churchill said: "When you have to kill a man, it costs nothing to be polite."
##

Promotions, Self and Otherwise:

Please check out a column I wrote for WatchGuard ( http://www.watchguard.com.) entitled "Foundations: Cryptogrpahy 101." at http://www.avolio.com/columns/Crypto101.html.

I send this out as the world is still realing from the events of September 11, 2001, and The Twin Towers. I'm not old enough to remember Pearl Harbor, but I do remember sitting in Mrs. Moeller's 3rd grade class, when Miss Kenney came in to tell us that our President had been killed. And I will never forget sitting in front of a seminar at Networld+Interop in Atlanta when someone came in and whispered the news to one of the other 2 teachers of the VPN Day class. And neither will you forget where, when, and how you heard. Next month's column will address security in light of this tragedy.

God save us. God bless America.