Blog

IT IQ: Coffee, Tea, Security?

Working in coffee shops or other off-site casual spaces

The java monkey has got your employees in its clutches. Every day, they disappear for hours, laptops in tow, and go off to one of the coffee shops that are popping up on every city block. This is great for companies because a caffeinated employee is a happy employee. Employees cite their reasons: an opportunity to network, an escape from cubicle cramp, and a change of scenery that gets their creativity flowing. The bottom line for coffee companies is this: No free Wi-Fi, no customers. So coffee shops have gone out of their way to make connectivity easy, fast, and free, often with electrical outlets at nearly every table. These spaces have in fact become almost remote offices for many people (employed or not) because of their convenience and their almost club-like atmosphere, and with the encouragement of the coffee companies.

Our question is what, if any, security concerns might there be in using these venues for work. The cost-free perk of a change of scenery and free “coffee network” access is a good thing. Or is it? When you read the extensive fine print in any coffee shop, tea lounge, or the many edgy alternatives, terms to which you agree simply by using the service, you state that you understand that you are jumping on a public, shared, and unsecured network, joining hordes of similarly caffeinated customers, and accept the risk. But what risk?

First, the coffee network is, to repeat: public, shared and unsecured. Anyone can use it, all users share the network to send and receive network data, and network traffic is not encrypted, so it is accessible to all the users and can be intercepted (snooped). The other computers on the coffee network may have been hacked and infected, putting your computer at greater risk. Even the hotspot itself may be spoofed, not set up by the coffee shop at all but by a malicious attacker. Unsuspecting or inattentive customers can easily fall into the trap and have their information intercepted or even their computer compromised, costing your company exposure, embarrassment, time and money.

So here, in simple terms, is what to do to protect yourself and your employees working on the coffee network. First, verify with the coffee shop the specific name of the hotspot and connect only to that. Second, make sure your computer is updated to the latest software releases. Consider using a privacy screen that allows the laptop screen to be viewed only from directly in front. Finally, and most important, use a VPN to encrypt all your computer’s internet traffic over the public network. VPNs should be used for ANY location outside the company or a network you know is secure.

VPN stands for “Virtual Private Network”. Your computer runs a VPN client that connects to a remote VPN server attached to a trusted network. The VPN technology encrypts *everything* sent from and received by your computer, to be forwarded on to the Internet by the VPN server. So anyone snooping the “coffee network” would see only encrypted gibberish.

Key takeaway: Verify the hotspot you use is safe, and use a VPN. VPNs are easy to acquire, set up and use. See the Links of Technical Interest page for more information.

IT IQ: Passwords Made Easy

So we have acknowledged the problem with passwords: some people opt to choose such easy ones that they are practically providing an open invitation to hackers. Like the one stated in the previous post: PASSWORD, while hard to believe, is actually quite commonly used. The user may alternate between caps and lower case, thinking that is really shaking things up, but that doesn’t delay the hack-fest even a little bit. The question for anyone serious about his or her IT Security now becomes how to deal with this precarious predilection.

Let’s cover what we know. Exactly why do people choose easy passwords?

  • Reason #1: Because they must memorize passwords, not write them down;
  • Reason #2: But complex passwords are too hard to remember;
  • Reason #3: We all have too many accounts and passwords to deal with;
  • Reason #4: And we must change our passwords regularly!

Now for the number one problem: The human brain. I am giving everyone an out by saying that forgetting could directly relate to the massive amounts of information we have floating around in our cranial hard-drive. Picking a complex, hard to guess password also (ironically) means a password that is very difficult to memorize, and very easy to forget.

Then there’s storage. We often forget things like anniversaries, birthdays, names, and appointments. Now imagine trying to commit 20-30 or more different passwords to memory. Geez. Now it’s getting really complicated. So we want to write down our passwords, just as we do our important dates.

Conventional password wisdom says do not use the same password for more than one account. Thus begins the next problem. Most people have accounts for email, banking, bills, and social media, to name only a few, and good practice means that each should have its own distinct password. Therein lies the rub. If every individual account must have its own password, that’s a lot of passwords to create.

And if we continue to follow conventional wisdom, passwords should be changed regularly, say monthly or quarterly. There’s the final rub. Let’s say we succeed in figuring out the perfect password. Now we have to do it all over again on all of our accounts. Often. Most people would exclaim, “You’ve got to be kidding me!”

So let’s address each of these concerns.

One must memorize passwords, not write them down.
This one is easy! I’m saying you should write down your passwords! Wow! But this is really the only way to ensure you don’t lose your passwords. Just be sure to write them down the old-school way: off-line and on paper, along with the accounts and login names associated with them. And store that paper in a safe yet accessible place. You can even take a copy traveling with you; just guard it like your passport, storing it away from your computer.

One must create complex passwords.
Unfortunately this is true. Password cracking software is readily available and can, at great speed, check your passwords against commonly used passwords and dictionaries of common words, even in other languages. Cracking software can also check against common special character patterns, such as using ‘@’ for ‘a’. So it is really important to make good, hard to guess passwords.

The best passwords are long, much better than shorter passwords that use lots of numbers and special characters. Longer passwords take longer to crack. So how to make a long password that you can easily memorize? (Because you don’t want to check your paper all the time!). The “secret” is to use “pass-phrases”. Pick a song lyric or favorite quote or really any phrase memorable to you. Make it at least 15 characters long, the longer the better, up to the limits of the password field. You can even (or might have to) mix in numbers and special characters. Then write down the pass-phrase on your paper.
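An added example, not a tool from the post, that turns the advice above into a screening check: it undoes the ‘@’-for-‘a’ style substitutions that cracking rules try, strips tacked-on digits, compares against the 25 common passwords quoted later on this page, and enforces the 15-character pass-phrase minimum. The leet map and keyboard-walk test are my own simplifications of what crackers do.

```python
import re

# The 25 most common passwords quoted on this page (from The Telegraph report).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}

# Pass-phrase minimum recommended in the post.
MIN_PASSPHRASE_LENGTH = 15

# Look-alike substitutions that cracking rules undo ('@' for 'a', '0' for 'o').
# Assumption: a subset only; '1' is mapped to 'l', a real rule set tries 'i' too.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Keyboard rows joined end to end, so "qwertyuiopasdfg" counts as a walk
# just like "qwerty" and "qazwsx"-style row fragments would.
KEYBOARD_ROWS = "qwertyuiopasdfghjklzxcvbnm"
DIGIT_ROW = "1234567890"


def strip_tail(s):
    """Drop tacked-on digits/punctuation ("password123!" -> "password")."""
    return re.sub(r"[0-9!@#$%^&*.,_-]+$", "", s) or s


def candidates(pw):
    """Forms a cracking rule set would try, all compared case-insensitively."""
    low = pw.lower()
    base = strip_tail(low)
    return {low, base, low.translate(LEET_MAP), base.translate(LEET_MAP)}


def is_keyboard_walk(s):
    """True for runs of 4+ adjacent keys read forwards or backwards."""
    if len(s) < 4:
        return False
    return any(s in row or s in row[::-1] for row in (KEYBOARD_ROWS, DIGIT_ROW))


def check_password(pw):
    """Return the list of problems found; an empty list means it passed."""
    findings = []
    if len(pw) < MIN_PASSPHRASE_LENGTH:
        findings.append("too_short")
    low = pw.lower()
    if any(c in COMMON_PASSWORDS for c in candidates(pw)):
        findings.append("common_password")
    if is_keyboard_walk(low) or is_keyboard_walk(strip_tail(low)):
        findings.append("keyboard_walk")
    if low.isdigit():
        findings.append("digits_only")
    if len(set(low)) == 1:
        findings.append("repeated_character")
    return findings


def is_acceptable(pw):
    return not check_password(pw)


if __name__ == "__main__":
    for sample in ("P@ssw0rd2017", "qwertyuiopasdfg",
                   "the rain in spain stays mainly in the plain"):
        print(repr(sample), check_password(sample) or "ok")
```

Note that "P@ssw0rd2017" still collapses to "password" once the substitutions and trailing digits are undone, which is exactly why the post recommends length over special characters.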

But I have too many accounts and passwords to deal with.
No way around this one. You really should have a different password, or better a pass-phrase, for each account. This isolates the damage to you if any one password gets stolen. Of course not all your accounts are equally important. Perhaps you use the same password for your different streaming music accounts without much worry. But bank, social media and other important accounts should each have their own, unique pass-phrase. Consider the damage to you of unauthorized access to each account then make your decision.

If managing all these different pass-phrases becomes too much of a burden then consider using a Password Manager. This is software you purchase that manages all passwords and pass-phrases for you. You enter one master password to unlock all the others. So you now only have to remember the master password. But that master password must be a long, complex pass-phrase because it is now the single point of access to all your passwords and accounts. Password managers can be used on all of your devices, including tablets and smart phones, with passwords synced between these devices. Password managers can load your browser with your web-based accounts and auto-fill the login and passwords for you. Slick! Password managers can create extremely long and complex passwords for you, a different one for each account, and memorize them all.

And we must change our passwords regularly!
This used to be the recommendation from IT security experts, but not so much anymore. Change passwords infrequently, say once a year or two, or don’t change them at all. Or if you use a Password Manager, change only the Manager’s password. Why this new advice? Because changing passwords, from good, complex, protected passwords to new good, complex, protected passwords can be difficult and risky. Difficult to think up a new, complex password, difficult to make the change and not risk mistakes, and difficult to update your password records, either on paper or within a password manager. If you build strong passwords and protect them carefully, regularly changing them brings little additional benefit.

I’ll close on a final note. More and more sites and services are making Multi-factor Authentication available, authentication (verifying that you really are the authorized user) that includes a second “factor”, in addition to a password, to authenticate a user. That added factor is usually a text code sent to your mobile phone, but other factors can be used, such as fingerprints. Chances are low that both the password and phone are stolen. In general Multi-factor Authentication is a very good practice and you should switch to it for your high-value accounts.

As always, you can write to me with any questions, suggestions or comments.

IT IQ: The Case of the Perilous Password

I am starting my series titled “IT IQ” to cover some of the most common questions I am asked, or situations I encounter. Here is the debut post, starting with the most humble and yet most perplexing of topics:
The Password.

There are a million tales in the IT Security consulting world, ones that keep professionals in this field gainfully employed by day and tossing and turning at night. I have dealt with many that can keep me occupied for weeks peeling away layers of complexity. But surprisingly, even after all these years, one of the IT security questions that I am asked most often is about passwords and password security. In fact, I have even had executives at big companies express concerns over this topic, usually after an attack has occurred or information has been compromised.

The issue, succinctly phrased is: Why is it that, despite widespread and highly publicized caveats, so many people continue to use easy-to-guess passwords? Why is it that they don’t heed well-disseminated warnings about creating a password that cannot be easily determined? And the highly anticipated sequel to this topic, of course, is: How to prevent history from repeating itself.

There is a very simple explanation for why this problem occurs in the first place. Even geniuses that can memorize the minutest details about everything under the sun sometimes find themselves struggling to recall their password. Multiply that many times over, since each of us has many passwords. So the most logical strategy that seduces the average human is to choose a word that is easy to remember because it is significant in some way. In my experience, that usually means one of the following: name of children; name of pet; name of birth city, or home address. The problem is all of these are fairly easy to find, especially given our ubiquitous presence on myriad forms of social media.

Then there are the real security defeating selections. Yes, believe it or not people still use PASSWORD for their password. They really do. Why? It’s easy and most people I have talked to who do this say they were planning to go in and change it shortly after they opened an account, but then they never got around to it. Likewise with the old, unreliable 1234567 or its many permutations. Here, for your perusal and entertainment, are the 25 most common passwords as reported in The Telegraph (http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/):

123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball
welcome
1234567890
abc123
111111
1qaz2wsx
dragon
master
monkey
letmein
login
princess
qwertyuiop
solo
passw0rd
starwars

(For anyone mystified by qwertyuiop, check out your keyboard. Likewise qazwsx)

So despite the agitation caused by this seemingly simple-to-change behavior, it continues unabated. Most people will say that regardless of what they read and know about attacks and hacks, they never think it will happen to them.

My advice is therefore that the IT Security team in every company has to accept as a given that some employees will always choose to use one of the easiest, most findable passwords ever and in doing so, may put competitive information at risk. The question of how to deal with this challenge is the subject of the next blog post. Spoiler alert: There is hope…

You Can’t Take It With You: Discussion Framework

Presented at RSA Conference USA 2017

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

This blog post is on the topic of my Peer-to-Peer session and presents the discussion framework I used in the session. It includes topics for consideration, including some that we did not have the opportunity to talk about in the session.

Context for discussion
  • The “Off-Boarding” process involves both People and Technology
  • Departure types – People
    • Human, emotional, belonging/identity aspects
    • Employees
    • Contractors
    • Interns
    • Guest workers
    • Visitors
  • Departure types — Process
    • Individual
      • Resignations (voluntary)
      • Terminations
      • Contractual
      • Internship
      • Visits
    • Group
      • Reorganizations
      • Spin-offs
      • Outsourcing
      • Organizational sales
      • Contractual
  • Team – cross functional
    • Planning
      • HR, Legal, Risk Management, IT, Payroll, Facilities, Physical Security
    • Process execution
      • HR, Legal, IT, Payroll, Facilities, Physical Security
  • Policy & Process design
    • Some call this “Off-boarding”
    • Processes different for different departure types
    • Policy framework, authoring, update
    • Process definition: A process that links HR, IT and other groups, to ensure personnel access to information systems, networks, applications and physical locations is disabled.
    • “Checklist” approach for consistency and completeness
  • Training, Operations & Audit
    • Tabletop exercises
    • Controls monitoring
    • “Residual” access
    • Incident response
Risks for consideration (particular to this issue)
  • Company information on personally owned computing devices and computing services
    • Forcing use of company-owned devices
    • Forcing management of personally owned computing devices
    • Restricting through policy company information uploaded to computing services
  • Departure of people in special roles, such as sys admin, manager, security, audit
  • Shared accounts (yes, they shouldn’t but maybe do exist)
  • Reluctant departures
  • Contacts back to the business
  • Special relationships with vendors and / or customers
  • Social media monitoring
  • Transition periods
    • End-of-day, end-of-contract, wind-down, guesting
  • Controversial: Moral and psychological balancing
  • Model for addressing risk and mitigation
Issues for consideration
  • Events vs. transitions
    • Immediate departure events with no access
    • Transition phases with access limitations
  • Complete knowledge of every department impacted by departure
    • Different for different companies, divisions and job descriptions
    • Address really custom stuff, like special privileges, access and assets
  • What has the departing person got? (asset inventory & retention)
    • Internal network access
    • Remote access
    • Systems access
    • Internal application access
    • External application access
    • Social media access
      • Intentional upload
      • Unintentional upload
    • Computing assets
      • Laptops
      • Smart phones
      • Portable disks (data and backup)
      • Memory sticks
      • Other storage devices
    • ID badges
    • Credit cards
    • Authentication token devices
    • Company applications and data on personal devices
    • License recovery
    • Any and all other company-owned property
  • Exit interview
  • Archiving & information stewardship
    • Assignment & responsibilities of new ownership
    • Do not delete accounts, but make them inactive, with new ownership
    • Attribution risk?
    • Records review and assimilation
    • Scheduled destruction
  • Legal requirements
    • Intellectual property ownership and monitoring
    • Personal property ownership
    • e-discovery mitigations and restrictions
  • Other
    • Impulse to take
    • Prediction: HR -> legal -> IT (behavioral analytics)
    • Most property is taken within 90 days of departure
    • 50% admitted to taking property after departure
    • Most digital assets are taken via email, cloud, memory stick
    • Target critical roles for monitoring

Please contact me with any additions, ideas or questions on this material. I will update these framework notes with the feedback I receive.


You Can’t Take It With You: Discussion Notes

Presented at RSA Conference USA 2017

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

The session was almost completely full, and almost everyone contributed to the conversation. A variety of points of interest were made, coming from different backgrounds and issues, with talk flowing around the room. This is the direct connection opportunity Peer-to-Peer sessions give within the larger conference, attended by more than 40,000 people.

Shortly after the session concluded I wrote out notes capturing what I remembered of the conversation, which I share here.

  • Defense contractor needs to track much more closely activity during employment, and before and after termination; looking to fold in social media activity
  • Onyx software to track activity
  • DLP is used to track activity, but the package used was biased toward Windows, which was a problem in a mixed platform environment
  • Network segmentation for departures
  • Most concerning activity happens just before, and within 30 days after termination
  • HR is often involved, but not prepared for IT-oriented issues
  • Large group changes, in the specific case a merger, overwhelmed HR and IT processes
  • Particular roles cause concern; specific case cited was sales people leaving with customer lists
  • People issues and technology issues
  • Identifying residual data can be particularly difficult for people who have had different roles through the years; existing processes focus on cleanup of the current (last) job, but have difficulty moving back through the previous roles
  • Risk incurred by transition periods, where some access is provided after termination or departure announcement
  • Concern about resignations, where the organization has no control visibility until the departure is announced by the person
  • Contractors are not trained to the level of employees, leading to risk
  • Issues with company data on personal devices; what access, impose agent control, how to reclaim or remove data upon departure
  • Issues balancing privacy with monitoring, particularly in countries with differing privacy requirements
  • Who is the driver of departure processes? It varies. Sometimes HR, sometimes Legal, never IT Sec. Driver gives momentum which supports funding and teaming

Please contact me with any additions, clarifications or questions. I will update the notes with the feedback I receive.

RSAC USA 2017: My Agenda

The RSA USA Conference for 2017, in San Francisco, took place last week. Each year my experience is similar: the time is so compressed, the experience is intense, I meet great new people, and I always learn something new.

Below I have copied my agenda for the week, so you know what sessions I attended. Please contact me if you have any comments or questions about these sessions.

Mon 2/13  ——
10a – 12p  SEM-M05
How-to-Series: Year One Innovators and Entrepreneurs, David Blumberg, Michael DeCesare, Theresa Gouw, Patrick Heir, Steve Hero, Jay Leek, Troels Oerting, Ted Schlein, Cat Zakrzewski

1p – 4:30p  ISB-M01
Innovation Sandbox: Top 10 most innovative startups

Tue 2/14  ——
8a – 10:30a  Keynotes
* Planning for Chaos, Zulfikar Ramzan, CTO, RSA
* Brad Smith, President, Microsoft
* Sweating the Small Stuff on a Global Scale, Andrew Young, SVP/GM, Intel Security
* The Cryptographers’ Panel (Paul Kocher, Whitfield Diffie, Susan Landau, Ronald Rivest, Adi Shamir)

1:15p – 2p  EXP-T09
Regulating the Internet of Things, Bruce Schneier

2:30p – 3:15p  EXP-T10
Ted Schlein and Michèle Flournoy on the Future of Security and Defense

3:45p – 4:30p  HTA-T11R
Meet and Greet with the macOS Malware Class of 2016, Patrick Wardle, Synack

Wed 2/15  ——
8a – 8:45a  PNG-W02
Beyond Stuxnet: State of the Art in Cyberwarfare and Weapons, Kim Zetter, Gary Brown, Oren Falkowitz, Roy Katmar

9:15a – 10a  EXP-W03
Hacking Exposed: Real-World Tradecraft of Bears, Pandas and Kittens, Dmitri Alperovitch, George Kurtz, CrowdStrike

10:30a – 12p  Keynotes
* The Seven Most Dangerous New Attack Techniques, and What’s Coming Next, Alan Paller, Michael Assante, Ed Skoudis, Johannes Ullrich, SANS

1:30p – 2:15p  PRV-W10
Resurrecting Privacy in the Cloud: A Privacy Engineering Implementation, Michelle Dennedy, Alissa Cooper, Michele Guel, Harvey Jang, Cisco

2:45p – 3:30p  GRC-W11
Crown Jewels Risk Assessment: Cost-Effective Risk Identification, Doug Landoll, Lantego

4p – 5:00p  Keynotes
* Radical Innovation: Revolutionizing the Future of Cybersecurity, Hugh Thompson
* The Great A.I. Awakening: A Conversation with Eric Schmidt, Google

Thu 2/16 ——
7a-7:45a BOF2-R01C
Birds of A Feather: Multifactor Authentication Redefined, Wendy Nather, Duo Security

8a – 8:45a  AIR-R02F
One-Hit Wonders: Dealing with Millions of Anomalies, Chris Larsen, Symantec

8:45a – 9:15a SBX2-R1
Ransomware, Drones, Smart TVs, Bots: Protecting Consumers In the Age of IoT, Terrell McSweeny and Aaron Alva, Federal Trade Commission

9:15a – 10a  FON1-R03
Focus-on session: One-Hit Wonders, Chris Larsen, Symantec

10:30a – 11:40a  Keynotes
* Topics of Leadership and Teamwork with Dame Stella Rimington, MI5

1:30p – 2:15p  PDAC-R10F
How to Delete Data for Realz: This Presentation Will Self-Destruct In…, Davi Ottenheimer and Ian Smith

2:45p – 3:30p  FON3-R11
Focus-on session: How to Delete Data for Realz, Davi Ottenheimer and Ian Smith

4p – 4:45p  P2P2-R11
You Can’t Take It With You! How to Manage Security When Personnel Depart, Kenneth Morrison, Morrison Consulting

Fri 2/17 ——
9a – 9:45a  EXP-F01
The Future: Revealed, Ben Jun and Hugh Thompson

10:15a – 11a  MBS-F02
IoT End of Days, Chris Henderson, IBM

11:30a – 12:15p  CXO-F03
Corporate Security: Where the Physical and Digital Worlds Collide, Shawn Henry, CrowdStrike

Departing Personnel: Discussion Framework

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post discussed a set of risks to consider when managing security for departing personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationships with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

This, my last blog post on the topic of my Peer-to-Peer session, presents the discussion framework I will use in the session, and includes some open questions on risk and mitigation that I hope the group will consider. Check back as I may add content to this discussion framework during the week.

Context

  • Types of people
  • Types of people departures
  • Types of group departures
  • Departure timing

Threat model

  • Systems and application access we don’t know about
  • Shared accounts we don’t know about
  • Departures of personnel with privileged access (SA, DBA, NA)
  • Reluctant departures
  • Cultural differences
  • Inappropriate contacts back to the organization
  • Social media disclosures, intentional and inadvertent
  • Partner and customer disclosures
  • Information assets they have and where they’ve stored it
  • Storage on personally-owned devices
  • Legal or privacy violation from intrusive survey
  • Leakage during transition periods
  • Unclear responsibility for information assets reclaimed
  • Reclaimed assets destroyed too soon, or kept too long (legal risk)

Controls

  • Appropriate design decision team, linking HR, IT, ITSec, Risk Mgmt, Payroll, Facilities, PhysicalSec
  • Foundational policy, communicated and tested
  • Set the stage for departure with good processes and controls during employment
  • Defined process threads tailored to the departure context, with tested control points
  • Appropriate operations team
  • Risk avoidance, transference, acceptance
  • Checklist(s)
  • Evergreen: regular process renewal, regular training
  • Internal and external audits, with accountability and deadlined remediation
  • Management of personally-owned devices??
  • Remanent steward (manager?) controls inactive reclaimed assets

Questions

  • Monitoring after departure; risk, resources, harassment?
  • Inspection of personally-owned devices and personally-owned external accounts?
  • Timing of the end of access?
  • Conflicts between the design and operations teams?
  • Who should own the information left behind?

These Peer-to-Peer sessions provide the opportunity for an open, intimate discussion owned by the participants where the details of the discussion stay in the room. I hope this framework, and the questions I pose, spark insights and actionable ideas that can be implemented upon return.

Departing Personnel: Security Risks

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures; reviewing specifics of the organization within which the personnel worked; the importance of inventorying impacted information assets; specific issues from the use of social media; exit interviews; information archiving and stewardship; and legal considerations. Today’s post turns to exploring risks around managing security for departing personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Managing company information on personally-owned computing devices, laptops, smart phones, and computing services is a challenge even for those not departing the organization, but an even greater challenge for departing personnel. The foundation for managing this risk is set by policy. Each organization should decide how much control to exert. Most organizations restrict the use of company information on personally-owned devices and services, while others require the use of company-owned and provisioned devices and software, including company management, through software, of devices. Compliance with regulatory requirements influences this decision. Once determined, the organization sets down their requirements in a clear statement of policy, ensures all personnel covered by the policy understand it, and monitors for compliance. For the policy to be respected there need to be enforcement actions for violations.

Open question: is there any good way to monitor for company information on personally-owned computing devices and computing services after departure?

People in customer contact roles, such as sales, sales-support, marketing, and service are successful because they build relationships with customers. People in purchasing and supply roles also often work to build relationships with suppliers, to secure better terms, to build trust and reliability. A similar risk comes from those individuals with significant contact back to the organization following departure. These relationships can present a risk after departure if they are abused against the organization’s interest. This is true generally, but also can involve inappropriate disclosure of company information. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements.

People in roles with special privileges in the use of information assets, such as system administrators, database administrators, network engineers, IT security, audit, and managers in special roles, also can present risks leading up to and after departure. But these roles present risk at work, before departure, so it is essential that controls already exist, anchored by policy, to minimize risk of abuse of these special privileges. These controls typically include use of authentication tokens for access, logging of all access and activities, manager confirmation for special actions, and immediate suspension of privileges upon notice of departure.

Shared accounts are always a risk, as they provide no attribution of activity to one individual. They shouldn’t exist, but often they do, ironically often system accounts used by systems and database administrators and network engineers, accounts with special, powerful privileges. These accounts can be particularly risky after departure, providing privileged access to systems even after the normal accounts of a departing person are locked or terminated. Shared accounts must be prohibited by policy, configurations must be designed and implemented so that direct use of system accounts is unnecessary, and direct use of system accounts must be monitored and audited on an ongoing basis.

Reluctant departures can involve significant risk. These are individuals who are not departing voluntarily, who may be angry, hostile, aggressive, and looking for retribution or revenge. One outlet for their retribution is inflicting damage on information assets. Here is a challenging balance between watchful awareness and professional respect. The accounts of individuals departing involuntarily should be immediately locked or terminated upon notice of termination.

Another challenging situation is those departures that move through a transition period before leaving. The period can be as short as the end of the business day of notice, or the wrap-up of a contract, or, in the case of senior management, may be as long as a few months. Immediate yet phased restriction of privileges, rather than immediate account locking, is one strategy for enabling a productive, respectful termination period while minimizing risk. But special privilege account access should be terminated immediately upon notice.
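The ongoing monitoring of direct system-account use described above, and the check that a departed person's normal account really was locked on notice, can both be run over authentication logs. The following is an added example, not code from the original post; the log line format, account names, departure dates and addresses are all constructed for illustration.

```python
# Added example (not from the original post): scan constructed auth-log lines for two
# off-boarding findings the post describes: direct logins to shared/system accounts,
# and any login by a departed person's normal account on or after the departure date.
from datetime import date
import re

# Constructed: shared/system accounts that policy says must never be used directly.
SHARED_ACCOUNTS = {"oracle", "netadmin", "svc_backup"}

# Constructed: departed personnel and the date their access should have ended.
DEPARTED = {"jsmith": date(2016, 2, 19), "mlee": date(2016, 2, 26)}

# Constructed log format: "<date> <host> sshd: Accepted <method> for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ sshd: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def audit_logins(lines, shared=SHARED_ACCOUNTS, departed=DEPARTED):
    """Return a list of (kind, user, day, ip) findings for lines that violate policy."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than treated as clean
        user, ip = m.group("user"), m.group("ip")
        day = date.fromisoformat(m.group("day"))
        if user in shared:
            # Any direct use of a shared account is a finding: no attestation to one person.
            findings.append(("shared-account-login", user, day.isoformat(), ip))
        elif user in departed and day >= departed[user]:
            # A login on or after the departure date means the lock/terminate step was missed.
            findings.append(("post-departure-login", user, day.isoformat(), ip))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2016-02-18 db01 sshd: Accepted publickey for jsmith from 10.1.2.3",
    "2016-02-20 db01 sshd: Accepted password for jsmith from 10.1.2.3",
    "2016-02-22 db01 sshd: Accepted password for oracle from 10.1.2.9",
    "2016-02-25 app02 sshd: Accepted publickey for mlee from 10.1.5.7",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(*finding)
```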

As noted in a previous blog post, accounts on social media are a particular challenge. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements. Yet monitoring can be really difficult, time-consuming, and at risk of raising issues of privacy.

Open question: Is there any good way to monitor for company information on personally-owned social media accounts?

My last blog post on the topic of my Peer-to-Peer session will outline the discussion framework I will use in session, and include some open questions on risk and mitigation that I hope the group will consider. But the wonderful nature of these Peer-to-Peer sessions is that the discussion is owned by the participants, not by me in the role of facilitator. I expect a lively conversation!

Departing Personnel: Security Issues Part 2

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts next week. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in more depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures, reviewing specifics of the organization within which the personnel worked, the importance of inventorying impacted information assets, and specific issues from the use of social media. Today’s post continues this theme of exploring issues.

Almost all departures involve an exit interview, usually with a member of the Human Resources (HR) team. While it is rare that IT or IT Security are present at the interview, it is essential that we contribute to the content of the interview. IT-specific content would include a review and confirmation of the information assets, including accounts, internal and external, and recovery of equipment. It would also include mention of specific policy points where legal responsibility extends beyond the date of departure.

Almost all departures involve a “residue” of information, created by or used by the departed person. This information is retained in the internal and external accounts, both application and system accounts, and on the equipment. Good security practice requires an identifiable owner for all information. Following the departure, ownership of this information must be transferred to a “custodian”, perhaps the direct manager but perhaps someone in a custodian role. By policy it is clearly understood and communicated that the custodian is not liable or responsible for the created information itself or its attribution, but only for safeguarding and managing it.

Next is to address the question: what to do with the information left behind?

Depending upon the role of the departed person, there might be some process for review of the created information, before transfer to a replacement person, or archiving, or deletion. Out-boarding process design should account for this review, for critical roles.

In the case of transfer to a replacement person, that new individual likely will be integrating the acquired information with their own, making attribution challenging. The best and easiest solution for this is to retain an intact, digitally signed copy that would be used if later any question arises.
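One way to keep that intact copy usable for later attribution questions is to record a per-file digest manifest naming the original owner, seal the manifest, and verify the archive against it. The following is an added example, not code from the original post; it uses an HMAC with a custodian-held key as a stand-in for the asymmetric digital signature the post recommends, and the file names, contents and key are constructed.

```python
# Added example (not from the original post): snapshot the information "residue" a
# departing person leaves behind as a manifest of per-file SHA-256 digests attributed
# to the original owner, seal the manifest, and verify an archived copy against it.
# HMAC stands in here for the asymmetric digital signature the post recommends.
import hashlib
import hmac
import json

# Constructed archive key; in practice a signing key held only by the custodian.
ARCHIVE_KEY = b"constructed-custodian-archive-key"


def build_manifest(files, owner):
    """Return a manifest recording owner attribution and a SHA-256 digest per file."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    return {"owner": owner, "files": digests}


def seal_manifest(manifest, key=ARCHIVE_KEY):
    """Return a hex tag over the canonical JSON form of the manifest (HMAC stand-in)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_archive(files, manifest, tag, key=ARCHIVE_KEY):
    """True only if the manifest seal is intact and every archived file still matches it."""
    if not hmac.compare_digest(seal_manifest(manifest, key), tag):
        return False  # the manifest itself (owner or digests) was altered
    # Any edited, added or removed file changes the digest map and fails this comparison.
    return build_manifest(files, manifest["owner"])["files"] == manifest["files"]


# Constructed residue of a departed person, as it would be archived on departure.
RESIDUE = {
    "q1-forecast.xlsx": b"revenue 1200 1350 1500",
    "notes.txt": b"call supplier re terms",
}
MANIFEST = build_manifest(RESIDUE, owner="jsmith")
TAG = seal_manifest(MANIFEST)

if __name__ == "__main__":
    print("intact archive:", verify_archive(RESIDUE, MANIFEST, TAG))
    edited = {**RESIDUE, "notes.txt": b"call supplier re terms (edited by replacement)"}
    print("edited archive:", verify_archive(edited, MANIFEST, TAG))
```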

Most organizations have a policy for information retention and destruction, balancing the concerns for storage burden, possible future use, and legal risk of unnecessary retention. Archived information from departed personnel should follow this process. Perhaps review this retention and destruction process to be sure it accommodates this category of archive.

There are legal issues involving IT and IT Security for departed personnel. Already mentioned is the requirement to reduce legal risk of unnecessary retention. The counterpoint to this is policy and process in place to safeguard information that falls under the category of required e-discovery, and this information may be from departed personnel. There is also the need for policy and process to set the boundaries and clear demarcation between organization-owned and personally-owned assets, including computing equipment and intellectual property, and how these assets are to be used in conducting the business of the organization.

My next blog will turn to a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Departing Personnel: Security Issues Part 1

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, is less than a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post outlined a framework for understanding, planning and managing various types of personnel departures. Today’s post, and the next, explore in more depth specific issues to consider when managing security for departing personnel.

Many personnel departures come about after advance notice, providing the benefit of time to plan for these transitions and manage through them. Referring to the framework outlined in the last post, almost all organizational transitions, that impact groups of people, occur with advance notice. Most individual departures also occur with some amount of advance notice. But some departures are immediate, “events” rather than “transitions”. Event departures still require the “off-boarding” team to follow defined processes, but at speed, with the risk of missing an important task. This makes use of a checklist even more important. And unique to event departures, the first task often is to negotiate for more transition time.

The framework for managing security for departing personnel includes establishing a sound process. This process must include steps to develop a full knowledge of the organizational structure and the information resources used that are impacted by the departure. In practice developing this understanding is unique to each organization, division, or department. There are likely to be reporting and teaming relationships, information assets, and system privileges unique to the role of the departing person. To successfully manage security and decrease risk you have to ask good questions, probe and document, then implement your process to control and transition access.

You have to answer the question: what has the departing person got? Answering this leads to the identification of an inventory of information assets and privileges that need to be secured. Among these:

  • Internal network access
  • Remote access to internal networks
  • Access to specific systems
  • Access to internally hosted applications
  • Access to externally hosted applications
  • Accounts on social media on behalf of the organization
  • Computing assets
    • laptops
    • smart phones
    • portable disks (data and backup)
    • memory sticks, and other storage devices
  • ID badges
  • Credit cards
  • Authentication token devices
  • Company applications and data on personally-owned devices
  • Software license recovery
  • Any and all other property owned by the organization

I stress again that a good checklist is essential to manage a good departure.

Accounts on social media are a particular challenge. People often have personal accounts, where exposure of organization information can really only be addressed by policy and monitoring, and monitoring is really difficult, time-consuming, and at risk of raising issues of privacy. For accounts on social media on behalf of the organization, it should be clearly agreed by established policy that upon creation these accounts are owned by and managed on behalf of the organization. If possible there should be an opportunity for the organization to control the account without the aid of the departed person.

My next blog post will continue walking through the various issues faced with managing security for departed personnel, including exit interviews, archiving and information stewardship, and legal requirements.