Tales from the IT security frontline. This is a new monthly Computerworld series featuring real-life war stories told by Australian IT security managers. The authors and companies involved remain anonymous. Sandra Rossi surveys the field.
"...what we are dealing with here is technology that has evolved faster than our ability to police it." - From Tom Clancy's Netforce.
With these words ringing in my ears I bunkered down for another long night. The Australian company where I work was being attacked by a group of disgruntled former employees and as an IT security staffer I was at the front line. Mass retrenchments are every IT security manager's nightmare. To add to the confusion, speculation is rife about whose head is next on the chopping block.
Earlier in the week the human resources manager was handing out notices and reassuring those who were left that their jobs were secure, only to have her own job axed the very next day.
The entire workplace feels like it is under siege and naturally I am concerned about my job as IT staffing levels were also cut.
Advice and reality
Retrenched IT staff are the worst to manage, because they are armed with full knowledge of the company's computer systems and business processes, making them a formidable enemy - often more dangerous than some of the more talented computer hackers.
I have been asked to advise on retrenchments more times than I can remember. In theory, the retrenchments should be a straightforward process where staff are taken into a meeting room, individually or collectively, and told of their redundancy. During the meeting, system administrators can stop access to computer systems, deactivating remote access as well as swipe-card entry to the building. Retrenched staff are then asked to collect their personal belongings and reminded they are not to collect any e-mails or files.
In reality, this doesn't always occur and that's certainly not how it happened here.
It's really a balancing act, because on the one hand the system has to be protected, and that means stopping access immediately. On the other hand, human resources want the exit to be "dignified", which means leaving access in place until former staff are out the door; that approach gives irate staff time to leave behind a nasty surprise. It seems simple, I know, but this is how the retrenchments were handled here.
System administrators were given a list of names a couple of days prior to the announcement, but weren't told when staff were going to be advised, just that the retrenchments were going ahead.
This was mistake number one, because the administrators began stopping access right away, which was a pretty revealing and ugly omen for some, and believe me, staff didn't take too kindly to the surprise.
I suppose you could say staff that arrived at work and found they had no computer access were pretty much "tipped off" about what would happen next.
They still had access to the building and documents on their desktop PC.
When the big day did arrive there was still confusion. In fact by the time the meeting advising staff they were retrenched came to an end, system administrators were still busily shutting down access.
This meant there were still some staff members with access to the system. This is when the fun and games really started. One retrenched staffer returned to collect belongings two weeks after leaving the company and found she still had access. Another one tried e-mailing customer details out of the company but in the mad rush mistyped the e-mail address so it's sitting in a mailbox at a university.
I also heard one of the executives actually created a series of CDs with competitive data prior to termination. This is retrenchment, new millennium-style.
The unfolding drama wasn't new to me; I had seen a bit of mischief at a previous job, where the company I was working for retrenched 800 staff.
There wasn't as much chaos, but one administrator was able to exact a little revenge.
Once again a list of staff names was given to system administrators before the announcement.
One administrator noticed his wife's name on the list and promptly e-mailed it to all 800 staff and signed it off from the managing director. Naturally, havoc soon erupted.
Another company wasn't so lucky: a system administrator noticed her name on the retrenched list and left immediately. Soon after, the company's Internet access stopped. Every time the IT support guys brought it back up, it stopped again. She also deleted customer details and created fake orders.
Days passed before staff realised the malicious attacks were coming from a former system administrator. The company lost plenty of business, customers were unable to place orders and it cost about $140,000 in technical time.
To soothe my tale of woe, colleagues told me of similar experiences at the companies where they were working, making me realise this is a fairly widespread problem. We have dubbed it the 'system administrators from hell' issue.
I shall leave you with this final example, which occurred in a government department. Public servant Joe Citizen was straight out of university and keen to impress, working extra hours and taking work home on a departmental laptop. Concerned the laptop might get stolen, Mr Citizen downloaded a popular encryption system, PGP, from the Internet and installed it. He encrypted the hard disk with a password known only to himself. Soon after he was given four weeks' notice, so the laptop was duly handed in at the exit interview. Several weeks later a minister, who shall remain nameless, needed a critical report from the laptop; calls were made to Mr Citizen, who refused to assist. Legal advice was sought and the department soon found out Mr Citizen was not compelled to help out, which was too bad because it cost the department $80,000 to hire a consultant to redo the same report.
- On his way out the door, a retrenched computer programmer inserted a crypto-virus into the system. It encrypted files one by one, starting with those of the owner, but soon spreading to others. While the company regularly backed up data, by the time it detected the virus, even large portions of the backups were unusable.
- Whilst still employed, a banker copied personal details, transactions and transfers for key, high-value customers that he knew were using the bank to minimise their income tax. Upon receiving his redundancy notice, he e-mailed the information out. He then threatened to submit this information to the Tax Office, unless the bank paid him.
- A contractor inserted a time bomb into the program he was fixing. Every 30 days, the contractor needed to enter a password, or else the program deleted itself and everything else on the computer. When the bank terminated his contract, the contractor revealed the existence of the time bomb and demanded that he be re-instated.
DO
- Prepare by having employees sign a "Responsibility Statement" when they start that clarifies ownership of company information, e-mails, and the like.
- Stop access to computer systems, remote access and building access as soon as employment is terminated.
- Make sure retrenchees can't run up bills on company ISPs, mobile phones, etc.
- Change any "group" accesses that are still needed by those left behind.
- Make sure the staff still there, or the system administrator, can access all files including e-mail.
- Provide a process so that personal files and e-mails can be copied, under supervision, at a later time.
- If it's absolutely critical to keep a retrenchee for a few days, carefully monitor their activity.
- Make sure everyone enlisted to help with the retrenchments is comfortable with what's happening.
DON'T
- Stop access before staff have been told what's going on.
- Allow retrenched staff access to computer systems - any computer system.
- Let staff collect personal files or e-mails on the way out.
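As an added illustration of the checklist above (not part of the original article), the script below reconciles a termination list against an account roster and shared-account membership, flagging both the residual access the story describes (a retrenchee still logged in two weeks later, group logins whose password she knows) and "mistake number one", access cut before staff have been told. All names, dates and data structures are constructed for the example.

```python
from datetime import date

# Constructed sample data, not from the article: HR's termination list,
# the account roster as the administrators see it, and the shared "group"
# logins whose password every member knows.
TERMINATIONS = {
    "jdoe": date(2001, 3, 5),    # told on 5 March
    "asmith": date(2001, 3, 5),  # told on 5 March, handled correctly
    "cpark": date(2001, 3, 27),  # not yet told
}
ACCOUNTS = {
    "jdoe":   {"enabled": True,  "remote": True,  "badge": True,  "last_login": date(2001, 3, 19)},
    "asmith": {"enabled": False, "remote": False, "badge": False, "last_login": date(2001, 3, 4)},
    "cpark":  {"enabled": False, "remote": False, "badge": True,  "last_login": date(2001, 3, 18)},
    "bwong":  {"enabled": True,  "remote": True,  "badge": True,  "last_login": date(2001, 3, 20)},
}
GROUP_ACCOUNTS = {"ops-shared": {"jdoe", "bwong"}, "sales-shared": {"bwong"}}
AS_OF = date(2001, 3, 20)  # the day the check is run


def residual_access(terminations, accounts, groups, today):
    """Return (user, finding) pairs: residual access for people already
    retrenched, and premature lockouts for people not yet told."""
    findings = []
    for user, end in terminations.items():
        acct = accounts.get(user)
        if acct is None:
            continue
        if end > today:
            # Access pulled before the announcement tips staff off.
            if not acct["enabled"] or not acct["remote"]:
                findings.append((user, "access stopped before staff were told"))
            continue
        if acct["enabled"]:
            findings.append((user, "account still enabled"))
        if acct["remote"]:
            findings.append((user, "remote access still enabled"))
        if acct["badge"]:
            findings.append((user, "building swipe-card still active"))
        if acct["last_login"] > end:
            findings.append((user, "login seen after termination date"))
        for name, members in groups.items():
            if user in members:
                findings.append((user, f"knows shared account {name}: change its password"))
    return findings


if __name__ == "__main__":
    for user, finding in residual_access(TERMINATIONS, ACCOUNTS, GROUP_ACCOUNTS, AS_OF):
        print(f"{user}: {finding}")
```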