By Jon Espenschied
October 01, 2007
After my first day with a client on the regional fringe of Iraq, I was
happy to find a room with decent air conditioning and an Internet
connection. Then I started looking around.
My first clue something was amiss with my hotel should have been the
double concrete barricade at the street, the metal detectors at every
door and the airport-style X-ray machine. But what clinched it was the
swagger of tank-top-and-fatigue-wearing American men smoking in the
lobby, each with a semiautomatic pistol jammed down his waistband or the
overt machismo of a dangling combat knife.
The concierge explained I'd wandered into an R&R hotel for Blackwater
USA, which recently had been in the news for its mercenaries'
involvement in a string of violent deaths and allegations of weapons
smuggling. (Blackwater refers to itself as a "private military company,"
but now that Iraq is nominally self-governing, supplying personnel and
engaging in combat there is mercenary business according to Article 47.c
of the Geneva Conventions.)
Watching how influential or powerful people act in their off-hours can
be telling, especially in high-stress situations. After witnessing
Blackwater personnel engaging in unprofessional behavior such as doing
burnouts in a jacked-up Escalade, brandishing weapons, and spewing loose
talk about company business (not to mention public consumption of
alcohol in an Islamic locale), none of this news is even slightly
Five steps to find them
It's tough to find effective and ethical people to fill positions of
influence or power. Whether the role is that of security guard for a
convoy out of the Green Zone or security administrator for critical
systems, missteps can directly lead to the death of innocent people, and
intentional abuse is the stuff of nightmares.
Worse, it's the people who really want power and influence who are most
likely to mishandle it. I don't have a line on ways to see into other
people's minds and evaluate their current and future ethical capacity
and personal risk factors, but here are a few steps you can take to spot
an internal danger before too much damage is done.
(Note: Laws and social norms regarding termination vary widely, so the
involvement of an attorney is key to making sure any termination process
is handled reasonably and lawfully. These opinions are not legal advice
and may contain information that is improper for your locale.)
1. Set clear goals.
Drop authority into idle hands and corruption from power happens fast.
Termination is an easy decision when someone simply doesn't have the
professional or ethical rectitude to handle a job. The solution is to
make sure employees have clear goals for their initial work, let them
prove they can handle it, and then slowly add responsibility and
authority. With good references and recommendations that speak to a
person's ethical behavior and professionalism -- not just technical
ability and certifications -- it also becomes reasonably safe to hire
directly into positions of significant responsibility.
Clear goals should include to plans for roles and advancement, not just
job tasks. If the opportunity presents itself, a technical staffer in an
otherwise thankless help desk role can be given a career path to systems
and network support or development, thereby reducing the risk of idle
hands with authority over others' organizational identity and data.
(This has the nice side effect of reducing overall turnover even as the
help desk loses people to advancement.)
2. Set clear prohibitions.
Tell your security administrators and other influential tech people
where the boundaries lie in terms of behavior, and explain the
consequential impact -- including the potential damage -- that security
controls have on business processes. The people at the International
Policy Governance Association like to think they invented the negative
directive, but there's a good idea at the core of the advice they give
to corporate boards.
The IPGA's FAQ says that board directors ought to make "decisions and
actions only in a proscriptive way." Proscribing, limiting or
constraining certain actions and behaviors, "makes possible all other
actions and behaviors [and] gives staff maximum freedom in creating
actions to achieve the ends, while avoiding what is not acceptable even
if it works. "
For example, implementing strict network authentication rules that block
access by field doctors to telemedicine video feeds after two mistyped
password entries may not be the best balance of security vs.
functionality. Likewise, aggregation of large amounts of financial data
may be required for regulatory compliance, even if privacy advocates
fret over the risk. Just as military contractors ought not shoot
randomly at crowds when someone cracks their bubblegum, enterprise
network administrators should know it's (usually) not OK to implement
active network defenses that launch attacks on other organizations when
an intrusion attempt is detected.
3. Check the work results.
Measure the outcome of work processes. Don't take a security staffer's
word about whether goals have been met, methods are actually being
followed, or improvements made. "You and your assets are safe" can mean
someone ticked items off a control list rather than considering new and
emerging threats. "Don't worry about it" means you should.
Work metrics from information security staff ought to be relative to
experience, and ongoing activities ought to be guided by predictions of
future risk. Ask for results to be described in comparison to a similar
time period (e.g. "security events this month compared to the same month
last year") or a similar organization or site if no firm metric is
available (e.g., the number of breaches or intrusions for a competitor's
It's also worthwhile to check out what else they are doing if some
activities are not on the agenda. Are side projects a sign of initiative
or ulterior motives? Just as the alleged smuggling of weapons may turn
out to be Blackwater contractors quietly backfilling equipment the that
is in short supply for U.S. soldiers, the routing equipment missing from
one corporate project may be serving to shore up security for another.
Or someone may be lining their pockets when no one is looking.
4. Go and watch how they work.
It's common to see a degree of aloof behavior from technical or tactical
staff -- a combination of pride in skills and a geek's stereotypical
lack of social grace. Outright arrogance or lack of respect for one's
customers, on the other hand, is a serious warning sign.
Traffic police officer Ali Khalaf described a startling pattern of
behavior just moments before Blackwater contractors opened fire and
killed 10 civilians last week: "As they often do, guards from the U.S.
firm -- the largest private security operators in Iraq -- hurled water
bottles at cars to stop traffic as they drove through." Regularly
throwing your drink at someone implies a certain lack of respect.
If they don't have respect for end users themselves, security staffers
likely have no respect for the work those users do or for their assets,
whether information or infrastructure. Security tasks of import are then
indistinguishable from a game in which the player has no risk, and the
outcome is predictable. Do help desk staffers insult inexperienced
users? Are trouble tickets delayed to teach people a lesson? Do
developers delete security requirements from test criteria? As TJX
painfully learned, today's small arrogant behaviors turn into tomorrow's
security disaster and the next day's ongoing or irrecoverable loss.
5. Sit back and listen.
Sometimes the worst offenders just can't keep their mouths shut. By
listening and looking, one can hear the warning signs coming from
co-workers, other managers and even competitors. With employees using
their own names or bragging about exploits at a named company, it only
takes a few Google searches to uncover enlightening information.
Personal blogs, MySpace pages, YouTube and even venerable Usenet groups
tell stories of past or impending misbehavior.
Not every inappropriate public venting of personal frustration indicates
that a Jon Paul Oson-style meltdown is in the offing. Sometimes an
apparent attempt at career suicide is just a singular cry for help, not
a pattern of risk that warrants termination. However, assertions about
"pulling the trigger" or "I could do x" are huge, blinking warning
signs. Tales in the past tense ought to be verified and pursued
Five steps to fire them
So you find warning signs from a security staffer that constitute
unacceptable risk, evidence of negligence or much, much worse. He needs
to be fired, and he needs it bad. Yet most managerial resources only
cover the process of termination from the decision through the
"cardboard box commute" out the front door.
Little is said about handling people with significant administrative
access, or the uncomfortable and unfortunately common problem of contact
after termination. Here are a couple of steps to consider before and
after the usual human resources blather about hostile terminations.
1. Safety and asset protection.
As Shaggy says when things get out of hand, "First thing you gotta @%$#
do is do not move!" Preservation of life and safety has to be primary,
but too much doing and not enough thinking will turn a bad situation
into a disaster. If the person about to lose his job poses an immediate
physical danger to others, involve law enforcement before doing anything
else. If he poses a danger to himself, either law enforcement or
involuntary psychiatric care help may give you a little time to assess
how his condition affects you.
Taking a step back, it's important to consider secondary risk to life
and limb. System operators for civil infrastructure may cause traffic
jams, contamination or resource contention in a fit of anger that
results in injury or worse to a far-removed third party. A vengeful
database administrator for a pharmaceutical supply house may slip a bit
that isn't evident until someone's grandfather gets the wrong
prescription in the mail two weeks later.
Turn off their access or remove their rights to dangerous systems.
Remove their rights to create or delegate to other identities. Look for
alternate or shared accounts, and turn those off too. Don't accept
waffling from other administrators about unchangeable passwords for
shared accounts or other back doors; there's no better lever than
imminent civil or criminal liability when it's time to demand change or
pull the plug.
2. Check yourself.
When the immediate risk level settles down, take another step back to
make sure all of the administrative ducks are in a row. Did the person
have clear duties and limitations? Did he know the policies and
applicable laws? Are all issues involved in the separation -- from
background checks and training to evaluations and evidence -- formally
documented and available?
Take a moment to ponder how the termination will go. The core process is
pretty rote, but what tangents or mistakes may arise? Are there projects
that will need to be picked up? Were duties properly separated and
rotated, or does the individual have unique access or knowledge? It's
not helpful to handle the termination smoothly only to see something
later fall flat in your ongoing security and operations.
3. The usual.
There are innumerable sources of support for the process of terminating
people in an ethical, legal and humane way. Beyond advice from human
resources and legal experts, I often suggest that it's a good idea not
to delete application, system or directory user IDs. If there is any
practical way to remove all rights but keep the identity and activity
record, the person's accounts should be deactivated or archived but not
This runs contrary to common technology-focused security wisdom, but the
continuity of identity and activity logging is becoming increasingly
important in industries including financial services, health care and
defense. Organizations occasionally hire people back after a layoff, or
a fired person may go to work for a business partner with access to the
same resources. In these situations it's important to realize that it's
one person -- at an account and log level -- and deletion of accounts
may prevent that correlation.
4. Involve peers.
Every human resources book says it's undignified and legally risky to
talk about an impending termination. However, the practical reality is
that when the person being terminated is a security administrator or
technical security officer, one or more of his peers must know about the
situation. At a minimum, someone has to take over the operational and
security duties before the termination takes place.
With proper separation of duties and rotation, it may be necessary to
involve multiple people to handle operations, access control, monitoring
of activities, and auditing of the overall handover. In some cases, it
may even be necessary to involve someone whose sole duty is to watch for
signs of collusion between the person being terminated and his heir
apparent. I'll turn this advice around: If you're a security
administrator or CISO and find your peer or a small number of
subordinates took over your duties and logged your activities, don't
hold it against them. Security people get fired differently. Don't make
a fuss or take it personally; this is just how it happens.
5. Follow up.
People need work, and it's a mistake to think they disappear after being
fired. The worst security blowhards and fat-fingering ne'er-do-wells I
know are still gainfully employed in the industry, some even work the
consulting and speaking circuits. On one hand, it's proper just to
decline references (other than role and dates of employment) rather than
badmouthing them. On the other hand, abstaining from comment while a
disaster repeats itself on someone else's turf does no one any good.
I say talk. Be careful with your words, don't exaggerate, don't make
predictive statements, don't launch into ad hominem attacks, but talk.
Do it off the record if you must -- verbally, over a drink, in the
hallway at a conference. What else are birds-of-a-feather sessions
Consider that people learn from their own mistakes and that one
organization's spectacular flop may become someone else's wise, contrite
and diligent worker. But if an administrator or ISO swaggered and
stomped through your world with a powder keg in his head and reached the
point where he had to be fired, give enough information to the community
so that people know that his reputation reflects reality.
Jon Espenschied has been at play in the security industry for enough
years to become enthusiastic, blas, cynical, jaded, content and
enthusiastic again. He manages information governance reform for a
refugee aid organization and continues to have his advice ignored by
CEOs, auditors and sysadmins alike.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com