
IT Gone Wild: How to be prepared for key IT employee departures

By Lee Barken  

Amy had that sinking feeling in the pit of her stomach.  Like most CFOs, Amy (names changed to protect privacy) had a keen sense for observing behavioral changes in her staff.  When her Information Technology (IT) director started to display the telltale warning signs of workplace discontent, Amy knew that something was wrong.  “At first it was just harmless complaining, but over time, it was clear that Bart was pretty unhappy,” says Amy.  She adds, “When Bart abruptly resigned with just three days’ notice, I quickly realized how vulnerable our company was to the departure of an IT director.  Bart had all the keys to the kingdom.”

By definition, key IT employees are entrusted with a high level of responsibility and authority.  With administrative rights, a trusted user can read and modify any file on any system, including payroll information, e-mail, trade secrets and other sensitive data.  If a key IT employee suddenly leaves the company, will you be prepared to pick up the pieces?  Even worse, if the departure is hostile, how will you protect your company from a malicious attack by someone who knows the environment better than anyone else?

As IT systems have become pervasive around the world, companies now find themselves more dependent upon technology.  The byproduct of this dependence is a critical reliance upon the IT personnel who manage and maintain the infrastructure.  This means that a disgruntled IT employee has the potential to cause harm far beyond that of a typical worker. 

Revenge of the Nerds

The motivation for IT sabotage can come from a variety of sources.  IT staff may feel under-appreciated or underpaid, or may simply have a score to settle.  In 2002, Roger Duronio, a system administrator for UBS Wealth Management, was dissatisfied with his annual bonus and resigned; before he left, he used his knowledge of the network infrastructure to plant a logic bomb set to go off after his departure.

When the logic bomb detonated, it took down roughly 2,000 servers.  The attack affected 370 branch offices and left 17,000 brokers without system access.  Getting the systems back up and running cost the financial services firm over $3 million.  Duronio was sentenced to eight years in prison and ordered to pay restitution.

In 2007, Joseph Nolan, a system administrator for the aviation firm Pentastar, erased a hard drive containing company payroll and HR information following a disagreement over a severance package.  Unlike simpler times, when employee sabotage meant office pranks or starting rumors, today’s trusted IT employee can inflict lasting damage felt across the entire enterprise.  Nolan received a four-year sentence.

Ethics in the Data Center

According to a survey by security website DarkReading.com, nearly one-third of respondents admitted to using system rights to peruse information they were not supposed to access at least once over their careers.  In addition, ten percent revealed that they “abuse their security privileges on a regular basis.” 

When presented with a hypothetical scenario asking what they would do if they found a list of employee names about to be laid off, 23 percent said they would sneak a peek.  Even more disturbing, 8.5 percent indicated that they would not only peek, but they would also share this information with other people in the company.

Nobody wants to believe that their employees would succumb to unethical behavior.  However, the reality is that CFOs have an obligation to be prepared and manage the risk of good employees gone bad.  Effective corporate governance, like the Boy Scout motto, mandates that companies should “be prepared.”  The first step is to develop a Termination Policy for High-Risk IT Employees.

What Could Go Wrong?

While most companies already have a formalized termination policy that governs employee departures, additional steps must be taken for high-risk IT employees.  Beyond the usual procedure of collecting laptops, key cards and other company property, a few extra steps should be included:

1.  Change all passwords.  Upon departure, every password the employee knew or could have known must be changed, especially administrative and privileged accounts.  Remember that this includes more than user logins: service accounts, local administrator accounts, router and switch passwords, database accounts, backup software credentials and any shared accounts.  In the event of a hostile termination, make sure that administrative passwords are documented and stored in a secure location.  For example, seal administrative passwords in a tamper-evident bag (the kind used in evidence collection) in a locked safe, log every time the bag is opened, and rotate the passwords after any emergency use.  Secure password storage is essential not only for managing terminations, but also for effective disaster recovery.  If key IT personnel are non-responsive in a natural disaster or crisis situation, having emergency-use passwords available is an important part of any business continuity plan.  This is especially important in smaller environments where administrative access may be limited to a single individual.

2.  Update domain name registration records.  Be sure that the terminated employee is removed from your domain name registration contacts and no longer holds a login to the registrar account.  If this access is not removed, a malicious employee could change the domain’s name servers or DNS records and cause your website and e-mail to be disabled or redirected to a server they control.  To check the public contacts for your domain, simply enter your domain name (such as hwcpa.com) in a WHOIS search site, such as http://www.networksolutions.com/whois.  Note that many registrars now redact contact details in public WHOIS output, so also verify the contacts and login users inside the registrar account itself, and enable the registrar’s transfer lock if it is not already on.

3.  Secure wireless networks.  Wireless networks present a unique risk because an attacker in the parking lot could potentially compromise the network and access resources as if they were plugged into an Ethernet jack inside the office.  If your company uses WEP, WPA-PSK or any encryption method that relies upon a static shared key, you must change the key (and WEP should be retired altogether, since it can be broken regardless of who knows the key).  Even if the employee didn’t know the actual key, if it was configured on their laptop it can be recovered from the machine; on Windows, any local administrator can display a saved key in clear text with “netsh wlan show profile name=<SSID> key=clear”.  Moving to WPA2-Enterprise (802.1X) with per-user credentials avoids this problem, because a departing user’s account can be disabled without rekeying every device.  Don’t forget to change the password protecting the access point’s management interface.

4.  Update vendor relationships.  Just as you would call a bank and remove somebody from a “signature card”, you must also contact all vendors and third-party outsourcing partners to ensure that access has been removed for the terminated employee.  This should include the company’s Internet Service Provider (ISP), website hosting provider, payroll provider, software vendors, maintenance providers and off-site storage providers (where your backup tapes are kept).  Does your company order office supplies, buy products or process shipments online?  You should change passwords for any websites where a company credit card might be stored.  In addition, don’t forget to review access lists if your company uses any Software as a Service (SaaS) providers, such as online backups, online meeting/collaboration services or CRM software.

5.  Disable remote access.  Make sure to disable any remote access accounts, VPN logins or other tools that enable remote access, including remote-support software installed on servers.  Because an administrator can leave a second way in, also review for accounts, scheduled tasks or remote-access tools created shortly before the departure.  While rare in modern IT environments, you may also want to scan for unauthorized modems.
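The checklist above is easier to enforce from exported inventories than from memory.  The script below is an added example, not part of the original article or of the author’s sample policy: given the departing employee’s identity, a termination timestamp and three constructed sample exports (a list of privileged accounts with their last password-change time, a WHOIS reply, and a VPN user list), it reports which of steps 1, 2 and 5 are still open.  All account names, the domain example.com, the timestamps and the WHOIS text are made up for the example.

```python
"""Post-termination access audit over exported inventories (constructed sample data)."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample: the departing administrator and when access should have ended (UTC).
DEPARTED = {"username": "bart", "email": "bart@example.com", "name": "Bart Example"}
TERMINATED_AT = datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)

# Constructed sample export of privileged accounts with last password change (ISO 8601).
PRIV_ACCOUNTS_CSV = """account,password_last_set
administrator,2024-03-01T18:30:00+00:00
svc_backup,2023-11-14T09:00:00+00:00
root@db01,2024-03-02T08:15:00+00:00
enable@core-sw1,2022-06-01T00:00:00+00:00
"""

# Constructed WHOIS reply, shaped like the "Key: Value" lines a registrar returns.
WHOIS_TEXT = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registrant Name: Example Corp
Registrant Email: domains@example.com
Admin Name: Bart Example
Admin Email: bart@example.com
Tech Email: bart@example.com
"""

# Constructed VPN/remote-access user export: one username per line.
REMOTE_ACCESS_USERS = "amy\nbart\nsvc_monitor\n"


def stale_privileged_passwords(csv_text, terminated_at):
    """Step 1: accounts whose password was not reset after the termination time."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        changed = datetime.fromisoformat(row["password_last_set"])
        if changed <= terminated_at:
            stale.append(row["account"])
    return stale


def parse_whois(text):
    """Parse 'Key: Value' WHOIS lines into {lowercased key: [values]} (repeated keys kept)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def whois_contacts_naming(fields, departed):
    """Step 2: WHOIS contact fields that still name the departed employee."""
    needles = {departed["email"].lower(), departed["name"].lower()}
    hits = []
    for key, values in fields.items():
        for value in values:
            if value.lower() in needles:
                hits.append(f"{key}: {value}")
    return hits


def remote_access_still_enabled(user_list, username):
    """Step 5: True if the username is still present in the remote-access export."""
    users = {u.strip().lower() for u in user_list.splitlines() if u.strip()}
    return username.lower() in users


def audit(departed, terminated_at, priv_csv, whois_text, vpn_users):
    """Combine the checks into a list of open action items."""
    findings = []
    for account in stale_privileged_passwords(priv_csv, terminated_at):
        findings.append(f"rotate password: {account}")
    for hit in whois_contacts_naming(parse_whois(whois_text), departed):
        findings.append(f"update registrar contact: {hit}")
    if remote_access_still_enabled(vpn_users, departed["username"]):
        findings.append(f"disable remote access: {departed['username']}")
    return findings


if __name__ == "__main__":
    for finding in audit(DEPARTED, TERMINATED_AT, PRIV_ACCOUNTS_CSV, WHOIS_TEXT, REMOTE_ACCESS_USERS):
        print(finding)
```

In practice the three inputs come from real exports (for example an Active Directory query for PasswordLastSet, the output of a whois lookup, and the VPN appliance’s user list); the comparison against the termination timestamp, rather than a simple “was it changed recently”, is what catches a password reset that happened the day before the employee walked out.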

Minimizing the Risk

For Amy, the sudden departure of her IT director meant panic when servers crashed a few days later.  Luckily, the former IT director agreed to come back and perform an emergency recovery.  However, Amy knows that next time she might not be so lucky.  “This time around, I’m having my new IT director write down everything.  You know, just in case he wins the lottery and disappears next week,” she says with a smile. 

Although it’s impossible to prevent every attack, CFOs are not powerless in the battle to reduce the risk posed by terminations of key IT employees.  By developing and implementing policies and procedures for the termination of high-risk IT employees, companies can prevent last minute scrambling and improve the overall security posture of their IT environments.

About the Author
Lee Barken, CPA, CISSP, CISA, CCNA, MCP is the information technology practice leader at Haskell & White LLP (http://www.hwcpa.com/).  Prior to Haskell & White, he worked as an IT consultant and network security specialist for Ernst & Young’s Information Technology Risk Management (ITRM) practice and KPMG’s Risk and Advisory Services (RAS) practice.  Lee writes and speaks on the topics of clean tech, IT audit compliance, enterprise security, wireless LAN technology, and computer forensics.  He is the author of How Secure Is Your Wireless Network? Safeguarding your Wi-Fi LAN (Prentice Hall, 2003), and Wireless Hacking: Projects for Wi-Fi Enthusiasts (Syngress, 2004). You can reach him at 858-350-4215 or lbarken@hwcpa.com.