Web Informant #262, 11 September 2001:
More tips before you fire someone

http://www.strom.com/awards/262.html

Recently, I wrote on the problems of downsizing and "layoff rage." I asked my friend and security consultant Fred Avolio to look at this problem from a computer and network security angle, and suggest some safeguards. Be forewarned: there is no magic; it is not easy. Take it away, Fred.

It looks like the problem is with the angry or otherwise unhappy (perhaps ex-) employee. And so we might do everything we can to handle the expected results of forced termination. If we can't satisfy or mollify him, we shut down access to computers, we watch the terminated closely as he packs up his boxes (both good ideas), or we unceremoniously escort him to the nearest door (probably not the best). We make sure there is little chance that the newly disenfranchised will set a logic bomb, destroy data, or otherwise show his "layoff rage."

Some of these are wise precautions, but they often come too late. Employees may have already gotten wind of the planned job action and already taken their own action. Further, angry ex-employees have attacked corporate networks from the outside, sometimes vandalizing web sites. Also, unless we plan and have some basic tools to help, we're almost sure to leave some gate unlocked.

Years ago, a friend left the employ of Digital Equipment Corporation (back then they were the second largest computer vendor). Months later, he was still able to connect to the company's internal network, log into his still-active account on various UNIX servers, and otherwise wander around the entire corporate net. He was not disgruntled at all, merely curious. What went wrong? Someone in HR forgot to tell the IT group. And the IT group did not control all of the computers on the network anyway.

It all boils down to the more basic problem of access control. Or should I say "the lack of access control," to systems, networks, databases, etc. Yes, yes, of course we have access control to our networks and systems. It's just not very good. Or not documented. Let me make some suggestions.

First, do a survey of systems and users on your network. If you are in a large company, this is going to be a major effort. (I fought back the urge to write "nightmare", as I don't want to scare you off.) But the larger the company, the more critical this is.

Second, start tightening up system and user access on your network. In a recent column, I wrote the following about loose access control: "Inside, we often treat everyone ... as trusted. ... This problem is one of granularity in access control. With insufficient granularity, access control is broken down into perhaps 3 areas: outsiders (they don't get access), insiders (they get access to user accessible files), and special users, such as system administrators. With more granular access control, ... individuals are granted access to only what they need to access."

Third, grab some software to help you out. An interesting product to check out is "Hark!" from Camelot, Ltd. (Disclosure: I once wrote a column for their newsletter. I have no other affiliation.) Using network-based agents (monitors), it first helps you observe what access actually occurs on your network, and then turn that into an access control policy -- tightening things up, as I suggest.

Finally, establish some corporate policy statements, along these lines:

  1. No computer system may connect to the corporate network without being approved and administered by corporate IT.
  2. No user account may be added to a computer system connected to the corporate network by anyone outside of the IT staff.
  3. Corporate IT will not create any user account on any system (be it router, PC, e-mail server, access server, or any other computer) without notification from the HR department that the user is an employee on record.
  4. Network node and user account creation and deletion will be logged and tracked by IT.
  5. Except for emergency actions, no employee will be terminated before HR has notified the IT department of the intention and the date, and the IT department has acknowledged.
  6. The corporate auditors will audit compliance with these policies.
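The Digital Equipment story above and policies 3 through 6 come down to one recurring check: every account on every system must map to an employee HR has on record, and every system must be one IT administers. The following example is added here and is not from the column or from any product it mentions; it reconciles a constructed account survey against a constructed HR roster and IT inventory, and also answers the question IT needs answered the day HR calls: on which systems does this person have a login?

```python
"""Reconcile surveyed user accounts against the HR roster and the IT inventory."""
from dataclasses import dataclass

# Constructed sample data (not from the column): employees HR has on record.
HR_ROSTER = {"alice", "bob", "carol"}

# Constructed sample: systems corporate IT approves and administers (policy 1).
IT_INVENTORY = {"mail1", "unix3", "router1"}

# Constructed sample: result of the account survey, one row per (system, login, enabled).
SURVEY = [
    ("mail1", "alice", True),
    ("mail1", "dave", True),     # dave left months ago; account still active
    ("unix3", "bob", True),
    ("unix3", "dave", False),    # disabled but never deleted
    ("unix3", "root", True),
    ("router1", "carol", True),
    ("labbox7", "eve", True),    # a box nobody in IT administers
]

# Shared and system logins are reviewed separately, not matched to the roster.
SYSTEM_ACCOUNTS = {"root", "admin"}


@dataclass(frozen=True)
class Finding:
    system: str
    login: str
    reason: str


def reconcile(survey, roster, inventory, exempt=SYSTEM_ACCOUNTS):
    """Return the gates left unlocked: unmanaged systems and accounts without an employee."""
    findings = []
    for system, login, enabled in survey:
        if system not in inventory:
            findings.append(Finding(system, login, "system not administered by IT"))
        if login in exempt:
            continue
        if login not in roster:
            state = "active" if enabled else "disabled"
            findings.append(Finding(system, login, f"{state} account with no employee on record"))
    return findings


def accounts_for(login, survey):
    """List every system on which a given person still has a login (what IT must shut down)."""
    return [system for system, who, _enabled in survey if who == login]


if __name__ == "__main__":
    for f in reconcile(SURVEY, HR_ROSTER, IT_INVENTORY):
        print(f"{f.system:10} {f.login:8} {f.reason}")
    print("dave still has logins on:", accounts_for("dave", SURVEY))
```

Run against a real survey, the roster and inventory would come from HR and from the node registry the policies require IT to keep; the matching logic stays the same.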

There are no shortcuts. And I warned you it wouldn't be easy. You suspected that already. But, as tedious as this starts to sound, and as involved as it will be for those in a very large organization, the process is not very complex. Think about this. There is no more complexity in this for a 10,000-employee, 12,000-node network than in that of a 10-person company. There's more to do and lots more to catalogue. Yet the tasks are the same for the large company as for the small. They will have to be repeated more often. You'll wish someone had done it right long ago, when there were fewer people and things to consider. It's always harder to correct the situation than to do it right the first time. But once you do correct it -- if you remain diligent and stay the course -- you'll be in a much better situation in the future. Even if the economy and management's bad planning require that you let a few people go. And remember what Winston Churchill said: "When you have to kill a man, it costs nothing to be polite."

Self-promotions dep't

Thanks Fred. I hope many of you take his advice. Those of you who have access to TechTV can watch me as one of the guests on Silicon Spin, broadcast live at 8:30 pm Eastern and repeated on tape at other times this evening. I will be talking about home networking issues and mentioning my upcoming Osborne book (which should be out within the next month) on that topic.

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 2001 by David Strom, Inc.
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.