Avoid Being Held Hostage: Terminating Key IT Personnel

Terminating an Information Technology Key Employee

by John J. Sancenito

Introduction

The termination of a key employee can require sensitive and complicated preparations. Today, however, this process has become even more complex, with greater business risk, when the key employee works in Information Technology (IT). This paper focuses on many, though not all, of the preparations that may be required to terminate an IT key employee. Most importantly, this paper is not a substitute for legal advice. Before engaging in these or other preparations, consult your legal counsel. Engage them as an integral part of your strategy to maintain business continuity, reduce business risk, safeguard intellectual property and comply with all applicable laws as you plan and complete the termination process.

The importance of data in any business cannot be overstated. Many companies spend vast resources protecting their internal networks from outside threats such as hackers and malicious e-mail attachments; however, most companies never apply the same scrutiny to internal risks and the controls appropriate to them. At best, a terminated IT employee might be uncooperative and refuse to provide administrative passwords; at worst, they could deliberately sabotage your entire computer network and cause a major business disruption.

How significant are the impacts of an unplanned or poorly planned termination? Consider the following actual event [1]:

A system administrator developed and managed a thriving defense manufacturing firm's computer network. Angered by his diminished role, he centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of the damage in excess of $10 million, which led to the layoff of some 80 employees.

Regardless of business size, a malicious technology act can be executed instantaneously, causing immediate and potentially irreparable harm to a business, its employees, assets, brands, reputation, litigation strategies, intellectual property or affiliates. These terminations should only be done after careful planning and coordination. Planning is the key to terminating any person in a sensitive position, but particularly when that person has the potential to cause significant business disruption.

Copyright 2008, INA, All Rights Reserved Page 1


Process Overview

One suggested framework to prepare for and conduct the termination consists of the following nine steps:

1. Access Analysis. In this analysis, determine how the employee gains physical and electronic access to his work environment, systems, accounts, vendors, online data and backup data. Some of the things to consider in the access analysis include:
• How does the employee gain physical access to his work environment (access card, keys, ID card, safe combinations)?
• For which systems, accounts and vendors (including e-mail and Web site hosting) is the employee a point of contact or administrator?
• How does the employee access these systems, accounts and vendors at work?
• How does the employee access them outside of work?
• What security controls (e.g. audits, logging) are in place to identify and document network access? Who has access to change or remove these controls?
• What measures should be implemented to eliminate or deny access before the employee is terminated? After the employee is terminated?
• Is there a reasonable, plausible or fabricated reason to temporarily deny access to the computer network just prior to the termination (e.g. a staff meeting) that would allow more time for the network to be disabled?

2. Motive Analysis. In this analysis, determine what motives the employee may have to engage in actions that are detrimental to the business. It is estimated that 90% of conflicts are based upon past experiences. At a minimum, it is recommended that the employee's personnel file be reviewed for the following:
• What have been the sources of present or prior conflicts for the employee (e.g. co-workers, lack of promotions, compensation, company policies, vendors)?
• Does the employee have a history of domestic violence?
• Has the employee threatened to engage in destructive behavior or made any threats?
• Has the employee signed a confidentiality agreement?
• Has the employee signed a non-compete agreement?
• Has the employee indicated that he or she is seeking other employment, employment with a competitor or self-employment?
• What sensitive documentation or files might the employee already have in his possession?
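The access analysis above is a questionnaire, but the part of it that most often goes wrong in practice, "for which systems is the employee an administrator?", can be answered from data rather than from memory. The following is an added example written for this page (it is not code from the paper or from INA): given group files, flattened sudoers files and root's authorized_keys collected from each host, it lists every place where a named login holds or can reach administrative access, including rights inherited through a %group in sudoers. The host names, group file contents, sudoers rules, SSH keys and the list of privileged group names are all assumed.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set

# Constructed sample exports (not from any real system). For each host the
# offboarding team has collected /etc/group, a flattened /etc/sudoers and the
# authorized_keys of the root account. Host names, users and keys are invented.
HOST_EXPORTS: Dict[str, Dict] = {
    "fileserver01": {
        "group": "root:x:0:\nwheel:x:10:jdoe,alice\nbackup:x:34:jdoe\n",
        "sudoers": "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
        "root_authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAAfake1 jdoe@laptop\n",
    },
    "erp-db": {
        "group": "root:x:0:\nsudo:x:27:dba\noperators:x:50:jdoe\n",
        "sudoers": "jdoe ALL=(ALL) NOPASSWD: ALL\n%sudo ALL=(ALL) ALL\n",
        "root_authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5fake2 dba@ops\n",
    },
    "webhost": {
        "group": "root:x:0:\nwww:x:80:alice\n",
        "sudoers": "%admins ALL=(ALL) ALL\n",
        "root_authorized_keys": "",
    },
}

# Groups that confer administrative rights on most Unix-like systems (assumed list;
# extend it with whatever your own builds use).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin", "admins"}


@dataclass
class Finding:
    host: str
    kind: str      # "privileged-group", "group", "sudo" or "ssh-key"
    detail: str


def parse_groups(group_text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member logins from /etc/group content."""
    groups: Dict[str, Set[str]] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def sudoers_grants(sudoers_text: str, user: str, user_groups: Set[str]) -> Iterator[str]:
    """Yield sudoers rules that apply to the user directly or through a %group."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        principal = line.split()[0]
        if principal == user or (principal.startswith("%") and principal[1:] in user_groups):
            yield line


def privileged_footprint(user: str, exports: Dict[str, Dict]) -> List[Finding]:
    """Every place in the exports where `user` holds or can reach elevated access."""
    findings: List[Finding] = []
    for host, data in exports.items():
        groups = parse_groups(data["group"])
        memberships = {g for g, members in groups.items() if user in members}
        for g in sorted(memberships):
            kind = "privileged-group" if g in PRIVILEGED_GROUPS else "group"
            findings.append(Finding(host, kind, f"{user} is a member of {g}"))
        for rule in sudoers_grants(data["sudoers"], user, memberships):
            findings.append(Finding(host, "sudo", rule))
        # The key comment is free text, so this match is only a hint: a real review
        # compares key fingerprints against the employee's known keys.
        for key_line in data["root_authorized_keys"].splitlines():
            fields = key_line.split()
            if len(fields) >= 3 and fields[-1].startswith(user + "@"):
                findings.append(Finding(host, "ssh-key", f"{fields[-1]} in root's authorized_keys"))
    return findings


if __name__ == "__main__":
    for f in privileged_footprint("jdoe", HOST_EXPORTS):
        print(f"{f.host:14} {f.kind:17} {f.detail}")
```

Non-privileged memberships (the "backup" group on fileserver01) are reported too, because step 3 asks specifically who controls backups, and a group that owns the tapes matters as much as wheel does. Every finding is one item that must be revoked or re-keyed on the day of the termination.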


3. Opportunity Analysis. Evaluate the access and motive analyses to determine what opportunities are present for the employee to harm the business, including disclosure of private information about employees, financial records, marketing strategies, R&D programs, litigation strategies, intellectual property or pricing strategy. Consider the following issues:
• Based upon the access and motive analyses, identify the anticipated opportunities for business impacts.
• Is this person responsible for backing up the network data? If so, where are the backup tapes? Do you have control of a complete set of backup data files?
• What other systems does the person control (e.g. phone system, website development, VoIP, cell phones)?

4. Develop a Mitigation Plan. Develop a strategy that will mitigate the risks identified through the access, motive and opportunity analyses. Develop a plan which will mitigate business impacts before, during and after the termination. Consider the following when developing a mitigation plan:
• How will access to resources be controlled?
• Will it be necessary to take down the network? If so, how disruptive will that be to office workflow?
• How will this person's remote access to the network be terminated?
• How will company resources such as laptop computers and PDAs, as well as other company property that may be at this person's residence, be returned?
• Will additional security be needed on-site?
• What outside vendors or consultants will be needed to regain control of the network?
• How can you ensure confidentiality and prevent a breach of information?
• If necessary, how will you bring about changing all employee passwords?
• Who will change administrative passwords?
• Who will communicate with any vendors or customers who have administrative access to your network?
• Can you trust that internal communications and e-mail are secure and not compromised by the IT employee?
• Are there others with sympathies for the individual who may voluntarily or unwittingly compromise information or security?
• Who has the relationship with third party vendors? In some cases it may be difficult to terminate someone's access without their cooperation; sometimes a board of directors' resolution may be required.

5. Develop a Termination Plan. Develop a coordinated plan that identifies each step and the person(s) involved in the preparation, execution and post-termination activities. The location and timing of the termination, how the employee is terminated and by whom, and the employee's departure from the facility are critical execution activities. Consideration should be given to hiring outside security, if necessary. Security after the termination, including at key executives' or employees' homes, may become necessary if the individual shows violent tendencies.


Other considerations should include who will clean out the subject's office and who will be the subject's future point of contact. Specific IT related issues to be addressed include:
• How will keys, access cards, company ID and passwords be collected?
• How will administrative access to the IT network be shut off?
• How will remote access into the network be handled?
• How will the system be audited?
• Should you hire an outside consultant?
• How will you recover company property at the person's residence?

Careful consideration should be given to the location where the termination is to be conducted. It should be conducted with privacy and safety in mind. Never terminate the person in his office. Consider a room that is not isolated but does not make the employee take the "Walk of Shame" after being terminated. Consider whether or not an off-site termination is practical. Security should be nearby but not in the room when the termination is conducted, unless the person has shown extreme signs of aggression. Always have two employees in the room when effecting the termination. One of the terminating employees should do most of the talking while the other remains quiet and takes detailed notes. These notes should include any hostile or threatening comments made. Though outside the scope of this paper, additional resources and expertise, such as the principles applied in the Management of Aggressive Behavior (MOAB®) [2], should be considered.

6. Conduct the Termination. Do not let the termination process drag on. End it as efficiently and quickly as possible. Make sure everyone involved in the termination process knows exactly what is expected of them. As soon as the employee is called in to be terminated, the termination plan should be implemented: the IT network administrative passwords should be changed and e-mail privileges disabled immediately. Keep in mind that revoking certain privileges, such as e-mail, too soon could alert the employee to their pending termination. Once the employee is terminated, he or she must not be allowed to return to their work station. This prevents any potential last-minute sabotage from taking place, or any outbursts which could be disruptive to the remaining workforce. One of the following methods should be used for retrieving the individual's personal items:
a. Have someone gather the terminated employee's critical personal items (such as keys, a coat, or purse). Instruct the employee that the remainder of their items will be boxed up and made available the following day; or
b. Have the terminated employee wait in the room where the termination took place while someone packs up and delivers their items to them. The employee should not be left alone.


Do not forget to ask the terminated employee for all passwords to the network. In the termination letter, instruct the subject that they are no longer authorized to access any part of the computer network or to contact any third party vendors on behalf of the company.

7. Conduct Post-Termination Activities. These are identified in the termination plan, but additional activities may be identified during the termination process. The fired employee may have been disgruntled enough to set up some type of device on the network, such as a "packet sniffer", that could endanger company data. These devices should be searched for and immediately removed from the network if found. Even though physical access may be denied to the former employee, they may attempt to break in through other means, including attacking the network security in place. Review firewall logs regularly to identify attempted intrusion by the fired employee, and review authentication and remote-access logs as well: a former employee who still holds a valid credential (a forgotten service account, a shared administrative password that was never changed) will not appear as a blocked connection, only as a successful login. In order to mitigate business impacts after termination, it is wise to seize and store away any computer or device used by the former employee. An exact copy of the individual's data may become necessary if litigation is initiated at a future time. If any of the seized items are business critical, it is recommended that you make a complete copy of all the data stored on these devices before the device is returned to normal use. You may wish to have a computer forensic examination conducted so that proper protocols are followed to preserve electronic media for future litigation purposes.

8. Manage Unfolding Crises. Plans rarely execute as designed. Ensure that the company's crisis management, disaster recovery and business continuity plans are up-to-date in the event that a crisis unfolds. It is impossible to account and prepare for every conceivable malicious act that may occur. However, if the business has current and well-constructed crisis management, disaster recovery and business continuity plans, then unanticipated crises may be successfully managed. While it may not be possible to have these plans properly updated before the termination, they may be updated afterwards to better manage future crises.

9. Re-Establish Proper IT Controls. It is important to conduct a post-termination assessment, which should include the identification of any improper or inadequate IT security controls. Ensure that a follow-up plan is developed and executed to implement the appropriate controls. Be sure to capture the IT controls that were found absent, weak or improperly instituted as the termination plan was developed and executed. Once the termination is completed, the deficiencies should be corrected so that they are properly mitigated in the future. A full audit of internal IT controls and processes may also be prudent. There are many good resources available to assist in developing this type of audit, including Val Thiagarajan's Information Security Management Audit Checklist available at the SANS Institute [4].
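The log review called for in step 7 is easy to describe and easy to do badly, because firewall logs only show what was blocked. Here is an added example written for this page (not code from the paper or from INA) of that review: it normalises constructed SSH, VPN and firewall log lines into one event shape, ignores everything before the termination time, and flags any event that involves one of the former employee's accounts or one of the remote addresses recorded in the access analysis, rating a successful login higher than a failed or blocked attempt. The log format, account names, addresses and timestamps are all assumed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log lines (not from any real system). Each line is
# "<UTC timestamp> <source> <message>"; the messages imitate OpenSSH, a VPN
# concentrator and a firewall, but every event, address and account is invented.
SAMPLE_LOGS = """\
2008-06-02T13:55:10Z sshd Accepted password for jdoe from 10.0.0.15 port 51022
2008-06-02T14:20:31Z sshd Failed password for jdoe from 203.0.113.45 port 40112
2008-06-02T14:21:02Z sshd Failed password for jdoe-admin from 203.0.113.45 port 40113
2008-06-02T15:02:44Z vpn Login succeeded user=svc-backup src=198.51.100.7
2008-06-02T16:10:00Z firewall DENY TCP 203.0.113.45:55000 -> 192.0.2.10:3389
2008-06-03T09:00:00Z sshd Accepted publickey for alice from 10.0.0.22 port 50001
"""

# Inputs the access analysis would have produced (assumed values): every account
# the former employee used or administered, the remote addresses he connected
# from, and the moment the termination meeting began.
TERMINATED_ACCOUNTS = {"jdoe", "jdoe-admin", "svc-backup"}
KNOWN_ADDRESSES = {"203.0.113.45", "198.51.100.7"}
TERMINATED_AT = datetime(2008, 6, 2, 14, 0, tzinfo=timezone.utc)

LINE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<msg>.*)$")
SSHD = re.compile(r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)")
VPN = re.compile(r"Login (?P<result>succeeded|failed) user=(?P<user>\S+) src=(?P<ip>\S+)")
FIREWALL = re.compile(r"(?P<action>DENY|ALLOW) \S+ (?P<ip>[\d.]+):\d+ ->")


@dataclass
class Event:
    when: datetime
    account: Optional[str]   # None for firewall events, which carry no login
    src: str
    outcome: str             # "success", "failure" or "blocked"
    raw: str


@dataclass
class Alert:
    severity: str            # "high" when access actually succeeded
    reason: str
    event: Event


def parse_event(line: str) -> Optional[Event]:
    """Normalise one log line into an Event; lines in an unknown format return None."""
    m = LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    msg = m["msg"]
    s = SSHD.search(msg)
    if s:
        return Event(when, s["user"], s["ip"], "success" if s["result"] == "Accepted" else "failure", line)
    v = VPN.search(msg)
    if v:
        return Event(when, v["user"], v["ip"], "success" if v["result"] == "succeeded" else "failure", line)
    f = FIREWALL.search(msg)
    if f:
        return Event(when, None, f["ip"], "blocked" if f["action"] == "DENY" else "success", line)
    return None


def review_logs(log_text: str, accounts, known_addresses, terminated_at: datetime) -> List[Alert]:
    """Flag post-termination events tied to the former employee's accounts or addresses."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.when < terminated_at:
            continue   # activity before the termination is expected; it is reviewed separately
        reasons = []
        if ev.account in accounts:
            reasons.append(f"account {ev.account} should have been disabled")
        if ev.src in known_addresses:
            reasons.append(f"source {ev.src} is a known address of the former employee")
        if reasons:
            severity = "high" if ev.outcome == "success" else "medium"
            alerts.append(Alert(severity, "; ".join(reasons), ev))
    return alerts


if __name__ == "__main__":
    for a in review_logs(SAMPLE_LOGS, TERMINATED_ACCOUNTS, KNOWN_ADDRESSES, TERMINATED_AT):
        print(f"[{a.severity}] {a.event.when.isoformat()} {a.reason}\n    {a.event.raw}")
```

On the sample data the one high-severity alert is the VPN login by the svc-backup service account from a known address an hour after the termination: nothing in the firewall log records it, because the credential was still valid. That is the case the firewall-only review in step 7 misses, and it is exactly the kind of account the access analysis in step 1 is meant to surface beforehand.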


Conclusion

Most companies take great efforts to safeguard their data from outside attacks while being more casual about internal IT controls. To most corporate executives, their IT infrastructure is often surrounded in mystery and is something that "only the IT guy knows". This unwillingness to be involved in IT safeguards can leave a company vulnerable to being held hostage by its IT personnel.

There are two fundamental principles that apply when granting access to employees: separation of duties and least privilege [3]. All employees, including IT personnel, should be provided the minimum access privileges required to complete their job responsibilities. Rather than relying solely upon strong oversight, extensive background investigations, and perceived trustworthiness, company executives should ensure that system administration is segregated and redundant: no single administrator should be the only person who can reach a critical system. An ounce of prevention is worth a pound of cure. It is strongly recommended that management consider the following basic IT controls:
• Maintain tight control of remote access.
• Management approves administrative access to key systems.
• Create a documented, practiced, auditable process to grant and revoke all administrative systems access. Note that shared administrative passwords cannot be changed on short notice everywhere they are in use, so prefer individual administrative accounts that can be disabled one at a time.
• Provide management outside of the IT department with access to all IT documentation, including diagrams of the IT network, and an escrowed copy of all administrative passwords.
• Establish a relationship between management outside of the IT department and key IT vendors, or at least an up-to-date list of contacts.
• Maintain tight control of anti-virus software.
• Uphold tight control of software licensing.
• Create a policy that controls vendor access to systems.
• IT auditing can help put the necessary controls in place, but outside of very large companies it is virtually non-existent. Consider having an outside IT security consultant come in to conduct an audit.

The termination of a key IT employee or vendor should not be taken lightly or without prior strategic planning. Consider using an outside company to objectively assist in the process.


About the Author

John Sancenito is the Vice President of INA, an investigative, security and protective consulting company that provides a broad range of services to reduce risks, solve problems and gain results. INA specializes in corporate investigations, hostile terminations and computer forensics. He has more than 12 years of law enforcement experience and is a former County Detective with the Cumberland County, Pennsylvania District Attorney's Office. He can be reached at [email protected] or 800-443-0824.

References

[1] Keeney, Michelle, J.D., Ph.D. et al., "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors", Carnegie Mellon Software Engineering Institute, May 2005, p. 3. (http://www.secretservice.gov/ntac/its_report_050516.pdf)
[2] MOAB® Training International, Inc., PO Box 460, Kulpsville, PA 19443 USA (http://www.moabtraining.com/)
[3] NIST Technology Administration, U.S. Department of Commerce, Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook", pp. 109-110. (http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf)
[4] Thiagarajan, Val, Information Security Management, BS ISO/IEC 17799:2005 SANS Audit Check List, last updated May 3, 2006. (http://www.sans.org/score/checklists/ISO_17799_2005.pdf)

Additional Resources

Carnegie Mellon CyLab, Management and Education of the Risk of Insider Threat (MERIT): http://www.cylab.cmu.edu/default.aspx?id=2013
Computer Emergency Response Team (CERT) Insider Threat Research: http://www.cert.org/insider_threat/
National Institute of Standards and Technology (NIST) Computer Security Division, Computer Security Resource Center: http://csrc.nist.gov/
NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems": http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
