Saying Good-Bye to Employees 





The point has been made earlier in these pages about the need for ironclad procedures when a departing employee has had access to sensitive information, passwords, dial-in numbers, and the like. Your security procedures need to provide a way to keep track of who has authorization to various systems. It may be tough to keep a determined social engineer from slipping past your security barriers, but don't make it easy for an ex-employee.

 


Another step easily overlooked: When an employee who was authorized to retrieve backup tapes from storage leaves, a written policy must call for the storage company to be immediately notified to remove her name from its authorization list.

 

Chapter 16 of this book provides detailed information on this vital subject, but it will be helpful to list here some of the key security provisions that should be in place, as highlighted by this story:

 

A complete and thorough checklist of steps to be taken upon the departure of an employee, with special provisions for workers who had access to sensitive data.
   

A policy of terminating the employee's computer access immediately--preferably before the person has even left the building.
   

A procedure to recover the person's ID badge, as well as any keys or electronic access devices.

 

Provisions that require security guards to see photo ID before admitting any employee who does not have his or her security pass, and for checking the name against a list to verify that the person is still employed by the organization.
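The first item on that checklist, keeping track of who is still authorized on each system, can be turned into a routine reconciliation run. The following is an added example, not from the book: it compares a constructed HR roster against constructed authorization lists for the kinds of systems the text names (dial-in, badge readers, the backup-tape storage vendor) and reports every departed or unexplained identity that still has access.

```python
"""Offboarding reconciliation: find access that outlived an employee's departure."""

# Constructed HR roster: employee id -> (name, status). Sample data only.
ROSTER = {
    "e101": ("Alice Chen", "active"),
    "e102": ("Bob Ruiz", "terminated"),    # left yesterday
    "e103": ("Carol Singh", "active"),
    "e104": ("Dan Okafor", "terminated"),
}

# Constructed per-system authorization lists as each system's admin would export them.
SYSTEM_ACCESS = {
    "dial-in": {"e101", "e102", "e103"},
    "badge-readers": {"e101", "e102", "e103", "e104"},
    "tape-storage-vendor": {"e103", "e104", "e999"},  # e999 has no HR record at all
}


def reconcile(roster, system_access):
    """Return {system: [(employee_id, reason), ...]} for every entry that should not be there.

    reason is 'terminated' for a departed employee still authorized, or
    'unknown' for an identity that no HR record explains (an orphan account).
    """
    findings = {}
    for system, authorized in system_access.items():
        issues = []
        for emp in sorted(authorized):
            if emp not in roster:
                issues.append((emp, "unknown"))
            elif roster[emp][1] != "active":
                issues.append((emp, "terminated"))
        if issues:
            findings[system] = issues
    return findings


def revocation_list(findings):
    """Flatten findings into (system, employee_id) pairs for the revocation checklist."""
    return sorted((s, e) for s, items in findings.items() for e, _ in items)


if __name__ == "__main__":
    for system, issues in reconcile(ROSTER, SYSTEM_ACCESS).items():
        for emp, reason in issues:
            name = ROSTER.get(emp, ("<no HR record>",))[0]
            print(f"{system}: {emp} ({name}) still authorized - {reason}")
```

Run against the real exports, the same check also catches the storage-vendor case from the text: a name the company forgot to ask the vendor to remove shows up as a terminated employee still on that list.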

 

Some further steps will seem excessive or too expensive for some companies, but they are appropriate to others. Among these more stringent security measures are:  

 

Electronic ID badges combined with scanners at entrances; each employee swipes his badge through the scanner for an instantaneous electronic determination that the person is still a current employee and entitled to enter the building. (Note, however, that security guards must still be trained to be on the alert for piggybacking--an unauthorized person slipping by in the wake of a legitimate employee.)

 

A requirement that all employees in the same workgroup as the person leaving (especially if the person is being fired) change their passwords. (Does this seem extreme? Many years after my short time working at General Telephone, I learned that the Pacific Bell security people, when they heard General Telephone had hired me, "rolled on the ground with laughter." But to General Telephone's credit, when they realized they had a reputed hacker working for them after they laid me off, they then required that passwords be changed for everyone in the company!)

 

You don't want your facilities to feel like jails, but at the same time you need to defend against the guy who was fired yesterday but is back today intent on doing damage.

 

Don't Forget Anybody

Security policies tend to overlook the entry-level worker, people like receptionists who don't handle sensitive corporate information. We've seen elsewhere that receptionists are a handy target for attackers, and the story of the break-in at the auto parts company provides another example: A friendly person, dressed like a professional, who claims to be a company employee from another facility may not be what he appears. Receptionists need to be well-trained about politely asking for company ID when appropriate, and the training needs to be not just for the main receptionist but also for everyone who sits in as relief at the reception desk during lunchtime or coffee breaks.


For visitors from outside the company, the policy should require that a photo ID be shown and the information recorded. It isn't hard to get fake ID, but at least demanding ID makes pre-texting one degree harder for the would-be attacker.

 

In some companies, it makes sense to follow a policy requiring that visitors be escorted from the lobby and from meeting to meeting. Procedures should require that the escort make clear when delivering the visitor to his first appointment that this person has entered the building as an employee, or non-employee. Why is this important? Because, as we've seen in earlier stories, an attacker will often pass himself off in one guise to the first person encountered, and as someone else to the next. It's too easy for an attacker to show up in the lobby, convince the receptionist that he has an appointment with, say, an engineer..., then be escorted to the engineer's office where he claims to be a rep from a company that wants to sell some product to the company..., and then, after the meeting with the engineer, he has free access to roam the building.

 

Before admitting an off-site employee to the premises, suitable procedures must be followed to verify that the person is truly an employee; receptionists and guards must be aware of methods used by attackers to pretext the identity of an employee in order to gain access to company buildings.

 


How about protecting against the attacker who cons his way inside the building and manages to plug his laptop into a network port behind the corporate firewall? Given today's technology, this is a challenge: conference rooms, training rooms, and similar areas should not leave network ports unsecured but should protect them with firewalls or routers. But better protection would come from the use of a secure method to authenticate any users who connect to the network.

 

Secure IT!

A word to the wise: In your own company, every worker in IT probably knows or can find out in moments how much you are earning, how much the CEO takes home, and who's using the corporate jet to go on skiing vacations.

 

It's even possible in some companies for IT people or accounting people to increase their own salaries, make payments to a phony vendor, remove negative ratings from HR records, and so on. Sometimes it's only the fear of getting caught that keeps them honest... and then one day along comes somebody whose greed or native dishonesty makes him (or her) ignore the risk and take whatever he thinks he can get away with.

 

There are solutions, of course. Sensitive files can be protected by installing proper access controls so that only authorized people can open them. Some operating systems have audit controls that can be configured to maintain a log of certain events, such as each person who attempts to access a protected file, regardless of whether or not the attempt succeeds.
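Logging every attempt on a protected file, successful or not, is only useful if someone reviews the log. The following is an added example, not from the book: over a constructed audit log (the line format is invented for illustration and is not any real operating system's output) and a constructed access policy, it flags users who are repeatedly denied on the same file, and successful accesses by users the policy never listed, which means the access control itself is wider than intended.

```python
import re
from collections import defaultdict

# Constructed sample audit log: one line per access attempt, recorded whether or not it succeeded.
AUDIT_LOG = """\
2020-11-11T09:14:02 user=alice file=/finance/payroll.xlsx action=open result=ALLOWED
2020-11-11T09:15:41 user=bob file=/finance/payroll.xlsx action=open result=DENIED
2020-11-11T09:15:49 user=bob file=/finance/payroll.xlsx action=open result=DENIED
2020-11-11T09:16:03 user=bob file=/hr/ratings.db action=write result=DENIED
2020-11-11T10:02:17 user=carol file=/hr/ratings.db action=write result=ALLOWED
2020-11-11T10:40:00 user=dan file=/finance/vendors.csv action=write result=ALLOWED
"""

# Constructed access policy: who is supposed to touch each protected file.
AUTHORIZED = {
    "/finance/payroll.xlsx": {"alice"},
    "/hr/ratings.db": {"hr-admin"},
    "/finance/vendors.csv": {"dan"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) file=(?P<file>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def review(events, authorized, denied_threshold=2):
    """Return (repeated_denials, policy_gaps).

    repeated_denials: (user, file, count) where one user was DENIED on one file
        at least denied_threshold times, i.e. probing for something off-limits.
    policy_gaps: (ts, user, file, action) where access was ALLOWED to a user the
        policy does not list, i.e. the configured control is too permissive.
    """
    denials = defaultdict(int)
    policy_gaps = []
    for ev in events:
        if ev["result"] == "DENIED":
            denials[(ev["user"], ev["file"])] += 1
        elif ev["user"] not in authorized.get(ev["file"], set()):
            policy_gaps.append((ev["ts"], ev["user"], ev["file"], ev["action"]))
    repeated = sorted((u, f, n) for (u, f), n in denials.items() if n >= denied_threshold)
    return repeated, policy_gaps


if __name__ == "__main__":
    repeated, gaps = review(parse(AUDIT_LOG), AUTHORIZED)
    print("repeated denials:", repeated)
    print("policy gaps:", gaps)
```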

 

If your company has understood this issue and has implemented proper access controls and auditing that protects sensitive files--you're taking powerful steps in the right direction.

 


Chapter 11

 


