

Downsizings leave firms open to digital attacks

Computerworld


By Jaikumar Vijayan

(IDG) -- During the current wave of corporate layoffs, companies should be extra vigilant about digital sabotage by disgruntled ex-employees, according to security analysts. As employers pare down their payrolls to cut costs, many companies may unwittingly be leaving themselves vulnerable to hostile actions by discharged workers, including theft of confidential company information, illegal use of a company's IT resources and hidden "logic-bombs" that can destroy vital data.

"During times of an economic slowdown, it is common to see an increase in security incidents" caused by frustrated and hostile former employees, said Michael Rasmussen, an analyst at Giga Information Group Inc. in Boston.

That's why it's generally a good idea to thoroughly beef up existing security processes just before, during and immediately after large-scale layoffs, analysts said.

Common mistakes that contribute to the problem include a failure to disable the passwords and accounts of former employees, a lack of formal rules for the return of company laptops and handhelds and a failure to plug holes that make it possible for an ex-employee to exploit a former colleague's user account to gain illegal access.




Such problems are exacerbated during times of mass layoffs, particularly when IT staffers are given little advance notice and don't have enough time to finish the technical chores necessary to prevent sabotage, said Chris Wysopal, a director at @Stake Inc., a Cambridge, Mass.-based security firm that last week issued an advisory on the subject.

"If you don't have a very good termination policy and good record keeping of all the different access points that people had as employees, you are going to miss something," Wysopal said.

"Unfortunately, though, a lot of the time we hear from companies wanting to tighten their firewalls and intrusion-detection systems only when they are actually laying off people," he added.

The key is to be prepared to deal with internal threats in the same manner as you would deal with external threats, said Matt Kesner, chief technology officer at Fenwick & West LLP, a law firm in Palo Alto, Calif.

Fenwick & West's policy for securing its networks after an employee leaves depends on the job role and level of access that the person had, Kesner said.

Measures range from simply disabling access and changing passwords to reconfiguring the network and changing IP addresses, remote access procedures and telephone numbers. A help desk staffer's exit would probably result in little more than basic changes, while the exit of a person with administrative access would drive much broader changes, Kesner said.

Fenwick & West plans to begin rotating the IP addresses of its virtual private network on a regular basis.

In addition, the law firm is implementing new token- and digital certificate-based access and authentication procedures aimed at addressing such issues, Kesner said.

It's crucial to keep track of employee movement and the kind of access they have in an organization, said Tom Montouri, a director of information security at Verizon Communications Inc. in Tampa, Fla.

Verizon, the victim of employee sabotage last May (see "Former IT worker pleads guilty to damaging Verizon computers"), has strict procedures when employees leave the company or are terminated. For instance, when an employee is terminated, it's the responsibility of the immediate supervisor to ensure that all access privileges are cut off, accounts are deleted and all assets are accounted for, Montouri said. In addition, the security group checks with the employee's supervisor to make sure that all processes are followed, he said.

Such steps augment internal security measures to ensure that all employees are given no more than "least-privileged access" to whatever services and functions they need to do the job, Montouri said.

Security at stake

@Stake's guidelines for limiting threats from disgruntled former employees:

  • MAINTAIN a log of all the perimeter connections made by employees. When someone leaves, it becomes easier to identify and close the holes this way.
  • CHECK for and close unofficial accounts that may have been set up by employees.
  • TERMINATE user accounts and disable passwords.
  • WORK together with all relevant departments to ensure smooth implementation of security processes.
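
One way to check the second and third guidelines on a Unix host, as an added example that is not part of the original article or of @Stake's advisory: reconcile the local account database against an HR roster. The function names, the roster format, the UID threshold and all sample data are assumptions constructed for illustration.

```python
# Added example: the roster and the passwd/shadow data are constructed.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MIN_HUMAN_UID = 1000  # assumption: human accounts start at UID 1000

def parse_colon_file(text):
    """Parse passwd- or shadow-style text into {username: [fields]}."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.strip().split(":")
            rows[fields[0]] = fields
    return rows

def is_locked(shadow_fields):
    """A hash field starting with '!' or '*' matches no password."""
    return shadow_fields is not None and shadow_fields[1][:1] in ("!", "*")

def audit_accounts(passwd_text, shadow_text, roster):
    """roster maps username -> 'active' or 'terminated' (from HR records)."""
    shadow = parse_colon_file(shadow_text)
    findings = {"terminated_still_usable": [], "unofficial": []}
    for user, f in sorted(parse_colon_file(passwd_text).items()):
        if int(f[2]) < MIN_HUMAN_UID:
            continue  # system and service accounts need a separate review
        if user not in roster:
            findings["unofficial"].append(user)
        elif roster[user] == "terminated":
            # Disabled = locked password AND no-login shell (keys may outlive a lock).
            disabled = is_locked(shadow.get(user)) and f[6] in NOLOGIN_SHELLS
            if not disabled:
                findings["terminated_still_usable"].append(user)
    return findings

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/usr/sbin/nologin
dave:x:1004:1004:Dave:/home/dave:/bin/bash
tmpadmin:x:1005:1005::/home/tmpadmin:/bin/bash
"""
SAMPLE_SHADOW = """\
bob:$6$constructed$hash:11400:0:99999:7:::
carol:!$6$constructed$hash:11400:0:99999:7:::
dave:!$6$constructed$hash:11400:0:99999:7:::
"""
SAMPLE_ROSTER = {"alice": "active", "bob": "terminated",
                 "carol": "terminated", "dave": "terminated"}
if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_ROSTER))
```

On the sample data this flags `bob` (password still set) and `dave` (password locked but login shell left in place) as terminated accounts that remain usable, and `tmpadmin` as an account with no owner on the roster.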






