Companies are paying a price for living by the adage, ‘Keep your friends close and your enemies closer,’ according to security specialists.
While the proverbial anonymous hacker gets most of the media attention, the vast majority of computer incidents involve former or current employees. The danger current and ex-employees pose is obvious: they know the system and some know where the valuables are. While experts agree no system is impenetrable, there are ways to minimize the risk and — should you fall victim to an attack — collect and preserve evidence.
Preparing for the worst
The first step towards a more secure infrastructure starts with hiring. KPMG’s vice-president of forensic technology services Rene Hamel says enterprises need to hire a security company to perform basic background checks. Make it a point, he says, to phone the previous employer and ask, “Would you hire this person again?” If the answer is no, digging deeper into the candidate’s background would be in order.
IT staff pose a special problem for companies, according to Hamel and Robert Reimer, partner, information security at PricewaterhouseCoopers Canada. Reimer says if you suspect someone is leaving the company angry, you need to know what kind of privileges and responsibilities he or she has.
“For instance, if they’re an IT person they are probably quite aware of the control weaknesses within the information systems and possibly special codes, and that obviously means you have to take a different tack as to how you manage that person’s termination,” Reimer says.
“If it’s somebody in sales, for instance, you need to be wary of them taking away a customer list. In order to effectively deal with that you need to have a termination check list in place.”
Swinging the axe
Reimer says a lot of planning goes into firing IT staff and it’s very important not to let them know the axe is falling. Before the individual is let go, he recommends compiling a profile of the physical and virtual access he or she has to the company. This will include security passes, keypad codes, network IDs and passwords. He says users can be deleted from card access systems safely enough, but a blanket deletion is unwise.
“Things to be wary of are if that individual has been around for a long time they may have hard-coded approvals in the actual systems themselves,” Reimer warns. “Oftentimes they are so integrated in how the system and the processes work that if you simply delete an ID or revoke it, you could cause other parts of the system to fail.”
After the pink slip
Once internal issues have been addressed, it’s time to look at the implications for the outside world. Reimer says if they haven’t already done so, employers should get the departing employee to sign a confidentiality/non-disclosure agreement. This provides legal recourse should an employee take information. A communications process needs to be in place to warn banks, suppliers, customers, etc. that this person no longer has the authority to approve or commit the company to any transactions.
And don’t forget to show them the door.
“They’re either walked out of the company directly or they’re supervised while they clean up so they’re not walking out with special files or diskettes, customer lists, that sort of thing,” Reimer says. “I also suggest that once an individual has left you more closely monitor your access logs, especially the remote access logs for any unusual activity, because that may be a tip off that that individual still has knowledge of another way of getting in the system.”
Hamel agrees. He says logs play an important role in placing someone behind the keyboard — the IT equivalent of a smoking gun. He cites the example of a guy who hacked into the company three weeks after being fired. The logs showed he was accessing the system every few days via a dial-up number. When the company figured this out they added the call display feature to their lines and soon discovered the calls were being made from the former employee’s home. The hacker was arrested, he says, and the police subsequently “found all kinds of equipment from the company as well that he had ‘borrowed.’”
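The post-departure log review Reimer and Hamel describe is easy to automate once the termination checklist records an account name and the date its access should have ended. The script below is an added illustration, not code from the article or from either firm; the log format, the account names, the termination dates and the log lines are all constructed for the example. It flags any remote-access event by a terminated account on or after its cut-off date and summarises the sources those events came from, which is the pattern (repeated logins from one number over several days) that led the company in Hamel’s story to the former employee’s home line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: accounts from the termination checklist and the date
# their access should have ended (hypothetical names and dates).
TERMINATED = {
    "jdoe": datetime(2024, 3, 1),
    "asmith": datetime(2024, 2, 15),
}

# Constructed sample remote-access log lines in a hypothetical format:
# "<ISO timestamp> <service> user=<id> src=<address or line> result=<ok|fail>"
SAMPLE_LOG = """\
2024-02-28T09:12:05 vpn user=jdoe src=203.0.113.7 result=ok
2024-03-02T23:41:17 vpn user=jdoe src=203.0.113.7 result=ok
2024-03-05T02:03:44 dialin user=asmith src=line-4 result=fail
2024-03-06T02:05:10 dialin user=asmith src=line-4 result=ok
2024-03-06T10:00:00 vpn user=bwong src=198.51.100.4 result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, service, user, src, result = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "service": service,
        "user": user,
        "src": src,
        "result": result,
    }


def find_post_termination_access(log_text, terminated):
    """Return every event in which a terminated account was used on or after its cut-off.

    Failed attempts are kept as well: a failure from a former employee's account
    is itself a sign that someone still knows a way in and is trying it.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        cutoff = terminated.get(event["user"])
        if cutoff is not None and event["ts"] >= cutoff:
            alerts.append(event)
    return alerts


def summarise_sources(alerts):
    """Group alerts by account and source so repeated use of one line stands out."""
    summary = defaultdict(lambda: defaultdict(int))
    for event in alerts:
        summary[event["user"]][event["src"]] += 1
    # Convert to plain dicts so the result is easy to print or assert on.
    return {user: dict(sources) for user, sources in summary.items()}


if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATED)
    for event in hits:
        print(f"ALERT {event['ts'].isoformat()} {event['service']} "
              f"user={event['user']} src={event['src']} result={event['result']}")
    print(summarise_sources(hits))
```

Run as a script it prints three alerts: one VPN login by jdoe the day after the cut-off and two dial-in events (one failed, one successful) by asmith from the same line. The active account bwong and jdoe’s login before the cut-off are ignored. In practice the terminated-account list would be fed from the HR or identity system rather than a literal, and the output would go to whoever owns the termination checklist.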
Evidence and investigation
Whenever a company expects litigation to be involved, computer forensic specialists should be called in, Hamel says. Their job is to recreate the system as it was on the day in question — files, programs and time stamps — and to ensure the integrity of those time stamps.
A flawless recreation of a system is easier said than done, he adds, citing the example of a day-care customer. The lone IT staffer discovered an employee was downloading child pornography. In an attempt to preserve the evidence she copied it to a CD-ROM and re-installed the system to clear it of all the porn. Her good intentions only made matters worse.
“When you copy files directly to a CD or a floppy, all the access times to that file are changed to the time that you copied the files. We needed the access times to actually show who was working at the time, who actually did the download,” he says.
“Recovering, analyzing and presenting electronic as evidence is a legal issue, not an IT issue.”
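Hamel’s point about the CD-ROM copy is worth seeing on disk. The script below is an added demonstration, not code from the article: it creates a constructed sample file with a deliberately old timestamp, records its metadata and hash before anything else touches it, then makes one naive copy and one metadata-preserving copy and compares what survived. The file names and the timestamp are assumptions made for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time


def record_metadata(path):
    """Capture size, timestamps and a hash of a file before any copying.

    os.stat is called before the file is read, because on many filesystems
    merely reading a file for hashing can itself update its access time.
    That is also why forensic practice works from a write-blocked image
    rather than the live system.
    """
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "size": st.st_size,
        "mtime": st.st_mtime,
        "atime": st.st_atime,
        "sha256": digest,
    }


def run_demo():
    """Compare a naive copy with a metadata-preserving copy of a sample file."""
    with tempfile.TemporaryDirectory() as tmpdir:
        src = os.path.join(tmpdir, "download.bin")  # constructed sample file
        with open(src, "wb") as f:
            f.write(b"constructed sample content")

        # Give the sample a clearly old modification/access time (hypothetical date)
        # so that a copy stamped with "now" is obviously different.
        old = time.mktime((2024, 1, 15, 8, 30, 0, 0, 0, -1))
        os.utime(src, (old, old))

        before = record_metadata(src)

        # shutil.copy writes the content only; the copy gets the current time.
        naive = os.path.join(tmpdir, "naive_copy.bin")
        shutil.copy(src, naive)

        # shutil.copy2 also copies the stat metadata (mtime/atime) onto the copy.
        careful = os.path.join(tmpdir, "careful_copy.bin")
        shutil.copy2(src, careful)

        naive_meta = record_metadata(naive)
        careful_meta = record_metadata(careful)

        return {
            "content_intact": before["sha256"] == naive_meta["sha256"] == careful_meta["sha256"],
            "naive_mtime_preserved": before["mtime"] == naive_meta["mtime"],
            "careful_mtime_preserved": before["mtime"] == careful_meta["mtime"],
            "original_mtime": before["mtime"],
            "naive_mtime": naive_meta["mtime"],
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The content hash matches in all three cases, which is the part a naive copy gets right; what the naive copy loses is the modification time, and with it the ability to say when the file was written and therefore who was on shift. Even the careful copy only preserves what the source still reported at copy time, so the recorded metadata and hash from the first step, taken before any copy, is the record an investigator can actually rely on.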