Strategies & Market Trends : The New Economy and its Winners

To: Glenn D. Rudolph who wrote (8900), 9/29/2001 7:48:39 PM
From: Libbyt (of 57684)
 
More tips before you fire someone

Another article from the same author that was ironically written on September 11th. This article deals with more ways to make a network secure.

Web Informant #262, 11 September 2001: More tips before you fire someone

strom.com

Recently, I wrote on the problems of downsizing and "layoff
rage." I asked my friend and security consultant Fred Avolio
to look at this problem from a computer and network security
angle, and suggest some safeguards. Be forewarned: there is
no magic; it is not easy. Take it away, Fred.

It looks like the problem is with the angry or otherwise
unhappy (perhaps ex-) employee. And so we might do
everything we can to handle the expected results of forced
termination. If we can't satisfy or mollify him, we shut
down access to computers, we watch the terminated closely as
he packs up his boxes (both good ideas), or we
unceremoniously escort him to the nearest door (probably not
the best). We make sure there is little chance of the newly
disenfranchised setting a logic bomb, destroying data,
or otherwise showing his "layoff rage."

Some of these are wise precautions, but they often come too
late. Employees may have already gotten wind of the planned
job action and already taken their own action. Further,
angry ex-employees have attacked corporate networks from the
outside, sometimes vandalizing web sites. Also, unless we
plan and have some basic tools to help, we're almost sure to
leave some gate unlocked.

Years ago, a friend left the employ of Digital Equipment
Corporation (back then they were the second largest computer
vendor). Months later, he was still able to connect to the
company's internal network, log into his still-active
account on various UNIX servers, and otherwise wander around
the entire corporate net. He was not disgruntled at all,
merely curious. What went wrong? Someone in HR forgot to
tell the IT group. And the IT group did not control all of
the computers on the network anyway.

It all boils down to the more basic problem of access
control. Or should I say "the lack of access control," to
systems, networks, databases, etc. Yes, yes, of course we
have access control to our networks and systems. It's just
not very good. Or not documented. Let me make some
suggestions.

First, do a survey of systems and users on your network. If
you are in a large company, this is going to be a major
effort. (I fought back the urge to write "nightmare", as I
don't want to scare you off.) But the larger the company,
the more critical this is.

Second, start tightening up system and user access on your
network. In a recent column, I wrote the following about
loose access control: "Inside, we often treat everyone ...
as trusted. ... This problem is one of granularity in access
control. With insufficient granularity, access control is
broken down into perhaps 3 areas: outsiders (they don't get
access), insiders (they get access to user accessible
files), and special users, such as system administrators.
With more granular access control, ... individuals are
granted access to only what they need to access."
avolio.com

Third, grab some software to help you out. An interesting
product to check out is "Hark!" from Camelot, Ltd.
(Disclosure: I once wrote a column for their newsletter. I
have no other affiliation.) Using network-based agents
(monitors) it first helps you observe access control, and
then to make it into an access control policy -- tightening
things up, as I suggest.
camelot.com

Finally, establish some corporate policy statements, along
these lines:

1. No computer system may connect to the corporate network
without being approved and administered by corporate IT.
2. No user account may be added to a computer system
connected to the corporate network by anyone outside of
the IT staff.
3. Corporate IT will not create any user account on any
system (be it router, PC, e-mail server, access server,
or any other computer) without notification from the HR
department that the user is an employee on record.
4. Network node and user account creation and deletion will
be logged and tracked by IT.
5. Except for emergency actions, no employee will be
terminated before HR has notified the IT department of
the intention and the date, and the IT department has
acknowledged.
6. The corporate auditors will audit compliance to these
policies.
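The survey step and policy statements 1 and 3 above describe a reconciliation loop between what HR knows and what is actually configured on the network; the following is an added example in Python (not from Strom's column, and not Camelot's Hark!) that runs that check over a constructed account survey and a constructed HR roster, flagging exactly the kind of still-active account the Digital Equipment story describes. The roster, host list and service-account registry are assumptions built for the example.

```python
# Added example (not from the column or from Camelot's Hark!): reconcile a survey
# of accounts on networked systems with the HR roster. All data is constructed.
from datetime import date

SURVEY_DATE = date(2001, 9, 11)  # constructed: day the survey was collected
# constructed HR roster: username -> (status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2001, 8, 15)),
    "carol": ("active", None),
}
# constructed: nodes corporate IT has approved and administers (policy 1)
APPROVED_HOSTS = {"mail1", "unix-dev", "router-core"}
# constructed: non-person accounts with a documented owner; anything not
# listed here must map to an employee on record (policy 3)
SERVICE_ACCOUNTS = {"backup_svc": "IT operations"}
# constructed: (host, account) pairs read from each system's account list
SURVEY = [
    ("mail1", "alice"), ("mail1", "bob"),
    ("unix-dev", "bob"), ("unix-dev", "carol"),
    ("unix-dev", "oracle_svc"), ("unix-dev", "backup_svc"),
    ("lab-pc-7", "dave"),
]

def reconcile(survey, roster, approved_hosts, service_accounts, today):
    """Return (host, account, reason) for each entry that fails a policy check."""
    findings = []
    for host, account in survey:
        if host not in approved_hosts:
            # IT does not administer this node, so nothing on it is controlled
            findings.append((host, account, "host not approved by IT (policy 1)"))
            continue
        if account in service_accounts:
            continue  # documented service account with a named owner
        record = roster.get(account)
        if record is None:
            findings.append((host, account, "no employee on record (policy 3)"))
        elif record[0] == "terminated":
            # the DEC case: HR let someone go and IT never heard about it
            days = (today - record[1]).days
            findings.append((host, account, f"terminated {days} days ago, still active"))
    return findings

def accounts_to_disable(findings):
    """Collapse per-host findings into one sorted (account, hosts) work list."""
    by_account = {}
    for host, account, _reason in findings:
        by_account.setdefault(account, set()).add(host)
    return sorted((acct, sorted(hosts)) for acct, hosts in by_account.items())
```

Run against real data, the survey list would come from each system's own account store and the roster from HR; the point is that the comparison is the same for a 10-person shop and a 12,000-node network, only the inputs grow.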

There are no shortcuts. And I warned you it wouldn't be
easy. You suspected that already. But, as tedious as this
starts to sound, and as involved as it will be for those in a
very large organization, the process is not very complex.
Think about this. There is no more complexity in this for a
10,000 employee, 12,000-node network, than in that of a 10-
person company. There's more to do and lots more to
catalogue. Yet, the tasks are the same for the large
company, as for the small. They will have to be repeated
more often. You'll wish someone had done it right long ago,
when there were fewer people and things to consider. It's
always harder to correct the situation than to do it right
the first time. But once you do correct it -- if you remain
diligent and stay the course -- you'll be in a much better
situation in the future. Even if the economy and
management's bad planning require that you let a few people
go. And remember what Winston Churchill said: "When you have
to kill a man, it costs nothing to be polite."

Entire contents copyright 2001 by David Strom, Inc.
David Strom, david@strom.com, +1 (516) 944-3407
938 Port Washington Blvd., Port Washington NY 11050
Web Informant is a registered trademark (R) with the
U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.