Employees Admit They'd Walk Out With Stolen Data If Fired
Gunkerty Jeb writes "In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it. So, it's no surprise that 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. Despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't. And of those that monitored, more than half said they could get around the current controls."
I remember reading a long time ago in security 101 best practices to remove an employee's network privileges a week before they receive the notice. I also know of a big company which had ITSEC work all weekend to remove and change creds, so when workers came to work Monday they found themselves now jobless.
Sad news is that we can only see this survey because some schmuck got fired.
I recall distinctly during my time with a certain F50 company that they would not only refuse to buy any of the secrets, but that they would be the first to call the FBI on you for trying. The last thing they wanted or needed was to have those secrets unearthed years later, potentially costing them billions of dollars.
Now the gray/black market? Maybe... but that's as much of a jail risk as carrying around an open box full of kiddy porn in front of a police station.
If anything, the things I can see IT employees walking out with are software licenses, images (even hardware!) and crap like that - things they would find useful to themselves later on.
That's why you should use appropriate encryption policies for your business data!
I honestly don't understand. IT people need to be trusted with very important data. Each time one of these surveys comes out, it demonstrates that they can't be trusted with data.
As an IT guy, I wouldn't consider for a second walking out with data that's not mine. What the hell is wrong with the rest of you?
Solution? Lock them out of their computers the instant the word to fire them is given by the boss.
At a former employer, you would come back from lunch to find your keyboard missing.
I thought that's data protection 101.
Similar to all the ban-account and remove-keyboard stories above: from working weekends at a high-street clothes store, when employees were leaving it was company policy that they weren't allowed to use tills for their last day/week. Although given the recent recession and constant staff shortages this is now usually seen as impractical and ignored by the managers supposed to implement it. (They also never seemed to actually remove the till accounts of ex-employees within due time.)
The solution to "insider theft" is simple:
Don't hire from the bottom of the barrel just to save a buck, and you won't have to fire people.
Treat your employees like valuable assets and not just cogs, and your people won't quit.
Great now we can have more terminations on site for anyone looking for another job or having someone call your boss for a reference. The excuse is a bad worker has access to data. Scared employees who can't leave also will work for less too and be willing to put up with more.
I thought only a few companies did this but it is catching on as IT workers are cost centers who bring little value to the bottom line anyway if you ask HR who makes such abusive policies.
What happened to just being decent and having some morals??? So, employer, you are firing someone, you strip him of his bonuses, you give the minimum notice, you give him no recommendation letter, no references, actually nothing at all, and you expect your poor, f$%$%$%$ ex-employee to show some decency??? What the frack, eye for eye, tooth for tooth, as simple as that.
Everyone preaches about the insider threat, even though less than 4% of all incidents come from insiders. If you count by the number of breached records, insiders make up less than 1% of all breached records (though, arguably, they may be breaching records that are more valuable).
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
And FUD.
Really who wants to be liable for anything AFTER a termination.
At my last job it was common practice to take a copy of the source code even if you were just leaving for greener pastures.
I considered it myself - not for the trade secrets or to sell, but because it functioned as a programming reference guide ("How do I do that again? That's right, I did it before in library X"). In the end I took the high road and consoled myself that anything I had figured out before I could figure out again.
When I fire someone, there is a significant amount of planning that goes into it, and the whole process takes about 4 weeks.
When I decide it's time for someone to go, I have HR stage a company-wide reaffirmation of adherence to company policy. Employees are reminded that they are not allowed to bring any company data home on thumb drives (which technically they aren't allowed to bring in from home or leave the office with anyway), personal laptops, phones, and so on. During this initiative, they are asked to bring in any thumb drives they have with company data, and make sure they erase company data from their personal devices. I instruct the IT department to assist any employee who asks for help with locating and purging company data.
We are certain to remind them that this is to protect the company from security issues and corporate theft, reduce legal costs, and so on.
After about a week of that, we install a keystroke logger and screenshot collector on the employee's PC, and collect all of their passwords to local resources, databases, servers, and so on. We monitor their computer activity 24/7 to make sure it will be a clean break. This is also useful for creating justification for violations of IT policy, since most employees violate it by using their company-owned computer for personal endeavors (email, non-work-related web browsing, etc.), which is against IT policy and subject to disciplinary action up to and including termination.
After a week or two of monitoring, I get the ball rolling with HR and IT. I submit the necessary termination documentation to HR, and IT generates a script that instantly locks them out and changes all of their passwords so that they cannot access any company resources.
We usually try to execute a firing when the terminated employee is in a meeting or other place where s/he will not have immediate physical access to items at their desk or lab. I usually just pop my head in the door and say "Hey XYZ, I need your help for a second." We walk back to my office, where HR is waiting with the termination paperwork, while IT removes their laptop from their desk and locks all of their drawers and cabinets.
To communicate the firing, I actually read from a script, because the lawyers are very particular about the language and what is said. Security escorts the employee to their work area and supervises and thoroughly documents any personal effects they take with them. They are not allowed to take any memory devices with them, including those in picture frames, without first having them checked by IT for company information. Picture frames are also disassembled and other items searched as thoroughly as possible.
Terminated employees are also searched/wanded on their way out to ensure they are not hiding things like USB keys or hard drives on their person.
It's an arduous process, but it's my job to protect the company from thieves.
This survey seems (admittedly without having read TFA) to be skewed by the "if fired" clause. Now, I would have thought most admins would have their privileges revoked if they were being sacked, but here's a question:
How many of us, if on the receiving end of unjust treatment, would honestly not at least entertain the fantasy of "getting back" at that company? Be honest, now.
Thought so.
Since the company invests a lot of trust in its sysadmins, it should at least treat them respectfully, since trust has to work both ways.
jobs in accounting making decisions. You know, oh Jeff makes X money but we can hire jackie for X-Y dollars and then fire Jeff. We don't care that Jeff knows the business inside out and Jackie doesn't. We don't care it'll be a year before Jackie comes up to speed and all the evidence says he won't be as good. We'll save a couple bucks now which is good enough. (Even if it screws us in the end.)
Employees learned that kind of behavior from their managers who learned it from the executives.
What if you were doing work from home and had a couple of DVDs filled with confidential docs along with a couple of other company-purchased pieces of software. One day you walk in and find out your job was eliminated; turn in your laptop and company credit card and there is the door.
Would you bother giving the DVDs back, trash them, hold onto them for unknown reasons, or publish them for the world? I still have them after a couple of years, not even sure why, but it feels good to know they'd be very pissed if they knew they were still in my possession.
As someone who has been laid off from a job (and forced to wipe the hard drive of my personal laptop before I could leave the building), and who has had to hire and fire dozens of employees over the last 10 years, I can offer a bit of insight:
10% of your employees would never steal from you. Ever. It wouldn't occur to them to do it.
10% of your employees are determined to steal from you. It's why they applied for the job!
The other 80% are swayed by circumstance and opportunity. If you treat them like crap (when they're employed or when you fire them) or make it clear that you're lax on security (often as simple as not paying attention), they're going to steal from you. Treat them well (as employees and as ex-employees... don't just toss them overboard... give them a severance package... give them a nice letter of recommendation... make some genuine effort to ease this life-altering transition and show them that you care about what happens to them after they leave) and maintain good security practices and you will drastically cut down on the number of people who steal from you.
I RTFA, and the examples it gave were the same as in the summary above. The thing is, were those the ONLY things measured on the actual survey, or were things like source code and shell scripts written by the layoff-ee ALSO included?
I'm sure some will violently disagree, but I can understand somebody wanting to take copies of their own work product to use as future reference material. This does NOT justify the replication of entire programs / trade-secret algorithms at a competing company, obviously -- more along the lines of reusing/adapting individual functions, automation scripts, etc) in code written for unrelated industries.
This is because these companies seem to be getting the opposite results from these tests than are intended. They are weeding out the good, honest, and hard-working employees. The only people that can pass these things are liars, cheaters, and BSers. Is that the type of employee they really want?
Best practice is to kill access before telling them they're canned. But I've seen a lot of businesses that just fire someone without bothering to tell IT to revoke permissions. Sometimes they'll have access for months after being fired.
That said, I don't see why people would go through the system for data. First off, most of the data is boring and useless. It's reports and records. The only thing besides possibly source code would be credit card numbers. I have access to that database and could extract literally hundreds of thousands of credit card numbers along with all relevant charge data. Should I have access to that? Someone has to... and that's me.
But I'd never steal like that. I'm the sort of guy you could leave in a room with a billion in cash and come back later to find the same billion in cash untouched. Stupid? Maybe... but I just don't do that.
What I MIGHT do if I were really pissed is sabotage something. These systems are really complicated and it's really easy to screw something up in the core of the spaghetti code so deep that it will take them weeks to sort it out. I wouldn't profit from that and it would leave no trace to me. But as far as revenge goes it's not bad. You say "oh they could back up"... yeah... but what portion of the system needs to be backed up? It's hard to track that down sometimes unless you really understand it.
When you're dealing with big old proprietary databases... they're almost more organic than they are an engineering problem. You have to treat them like a doctor. Touch as little as possible and if you have problems try to help it self-heal, because if you actually try to rewrite that monster it will take years.
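The point above about people keeping access for months after being fired is something you can check for rather than hope about. Below is an added example (not code from the thread) that reconciles an HR termination feed against a directory export and flags accounts that are still enabled, or that logged on after the termination date; both CSV layouts and all usernames are constructed for the example.

```python
"""Offboarding reconciliation: find accounts that outlived their owner's employment.

Added example, not from the thread. The two CSV layouts are assumptions; map
them onto whatever the HR system and directory actually export.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample: HR feed of terminated employees.
HR_TERMINATIONS_CSV = """username,terminated_on
jdoe,2012-03-01
asmith,2012-03-15
bjones,2012-04-02
"""

# Constructed sample: directory export with enabled flag and last logon time.
DIRECTORY_EXPORT_CSV = """username,enabled,last_logon
jdoe,true,2012-05-20T09:12:00
asmith,false,2012-03-14T17:40:00
bjones,true,2012-04-01T08:05:00
cwhite,true,2012-05-19T10:00:00
"""


def parse_hr(text):
    """username -> termination date."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["username"]: date.fromisoformat(r["terminated_on"]) for r in rows}


def parse_directory(text):
    """username -> {'enabled': bool, 'last_logon': datetime}."""
    out = {}
    for r in csv.DictReader(io.StringIO(text)):
        out[r["username"]] = {
            "enabled": r["enabled"].strip().lower() == "true",
            "last_logon": datetime.fromisoformat(r["last_logon"]),
        }
    return out


def find_stale_access(terminations, directory):
    """Return (username, finding) pairs for terminated users whose account is
    still enabled or was used after the termination date. Accounts missing
    from the directory are treated as already deleted and not reported."""
    findings = []
    for user, term_date in sorted(terminations.items()):
        entry = directory.get(user)
        if entry is None:
            continue
        if entry["enabled"]:
            findings.append((user, "still_enabled"))
        if entry["last_logon"].date() > term_date:
            findings.append((user, "logon_after_termination"))
    return findings


def run_check(hr_csv=HR_TERMINATIONS_CSV, dir_csv=DIRECTORY_EXPORT_CSV):
    return find_stale_access(parse_hr(hr_csv), parse_directory(dir_csv))


if __name__ == "__main__":
    for user, finding in run_check():
        print(f"{user}: {finding}")
```

Run it on a nightly export and page on any non-empty result; the "logon_after_termination" case is the one that means the account was actually used, not merely forgotten.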
Be very careful when reading these surveys. The wording can be critical, and can mean something different than what the headline is implying. For example:
If you were told that you were going to be fired tomorrow, what, if anything would you take with you?
The answer would have to include things that you already have in your possession. So no malicious intent is required here! For example, 5% responded "R&D plans." That doesn't mean that they would steal R&D plans in response to being fired. It could be that they already had those plans on a flash drive on their key ring, perhaps because they gave a presentation on the topic recently. 8% responded "Privileged password list" which could mean that they keep an encrypted copy of vital passwords in case they need to remote into the servers from home. They might take the "Customer database" because they keep a copy on their laptop in case they are on call and need to contact a customer.
... easy ... the prosecution (civil and criminal) that occurs once they find you with their data. Promise: it will transcend the warm feeling of completely wrecking your former employer.
The problem I have with this is the hypothetical "if you were fired tomorrow" angle on the survey. Why would I be fired tomorrow? For cause? Due to downsizing? A lot of people would feel threatened if they were suddenly fired, especially if they can see their termination as unjustified. This doesn't justify their potential actions, but it really leaves out a lot. How many people, if they were fired tomorrow, would come back with a gun and start shooting people? Probably a lot less. Was that question on the survey?
That is awesome!
Instead of losing a copy of your data when you fire an employee, you lose complete access to your data when you "fire" the cloud provider.
Or when they fire you by jacking up the rates so much that your company profits go to their company.
I love it!
Here's what happened to one person who took "backups" home.
http://www.johnwdowns.com/
His defense was completely inane. He got exactly what he deserved.
You have two competing goals, company security BY the employees, vs company security FROM the employees.
IT are like the cops in town. In order for them to do their job you have to trust them with powers that can be abused. There is no perfect solution to this problem. The best thing you can do if you are a reasonable sized organization is to simply have the power spread out horizontally well, so the watchers can watch each other.
In small businesses, you may have a small IT staff tree that's composed of people that do jobs that have very little overlap, and that makes their position more abusable.
I've seen it work both ways on the way out. I've seen people get 6 weeks of advance notice, and I've personally been handed papers when I arrived in the parking lot. Paranoia varies, just as trust varies. If you're in an "at-will state" you can get the rug pulled out at any time, and many companies do this as a matter of policy. I consider it very double-standardish, that last place my manager told me he expected me to give two weeks notice if I was leaving, but when I asked how much notice he'd give me, well, that's different! IMHO, employers that think that's playing fair deserve zero day notice, and should consider that the tradeoff for having a zero-day notice for their employees.
Considering the present economy, the value of job security has gone up, and I would certainly find a job less attractive if I knew my employer had a "meet you at the door on Monday with a box of your stuff" policy. But what if I were going to be evil? Then I'd say you need to train your HR people to hire people with better character, good references, and thorough background and job-history checks. You need to be able to trust your IT staff, because of the nature of their position, just like the city needs to be able to trust the cops it hires. If you don't hire people you don't trust, you don't have to zero-day bomb them when layoffs are required. Promote from within instead of hiring off the street into positions of trust and power. If a new hire isn't trustworthy, thank him for his time and give him his two weeks and find someone else. Don't burn people that are in a position of power.
You think it's unfair when a semi-key staff walks on you? Try being that staff when he gets to go home and sit on the couch all day waiting for the wife to get off work, trying to figure out how to tell her he's unemployed as of now. It hits the employee a lot harder than it should hit the company. And in any reasonable sized company, no single person walking should be able to do great damage, nothing like your home income dropping 50 (or 100) percent overnight.
I also read from time to time about karma coming back and biting employers that zero-day a key IT person. And I'm not talking about the cases where Joe Fired remotes in and makes a mess etc. I mean the "this broke again, oh crap, Joe usually fixes this, what do we do now?" sort of cases. Responsible employees try to prevent this sort of dependency but companies often don't give enough time or resources to accomplish it (time to document, hours to cross-train, etc.), so you can't just blindly go blaming the employee. And so now you're left with missing key experience, and a burned bridge. I watched that happen twice at one company. They zero-day'd a key person, only to find that he was the best go-to man for certain things, and a company mass-mail went out to NOT call that person for help (because they had made it clear they were going to charge for every support call they received as a result of his departure). So that leaves us all fumbling around for hours at a time trying to figure things out that a 10 second phone call could have solved. Wonderful waste of resources, makes us look like bumbling idiots in front of the client, etc. "Why are you here? Where's Joe, he's always the one you send to work on our server? Really? Are you going to be able to fix this? (after a few hrs...) Can't we just call
In my case, it would be useless, as our "vital assets" are about as useless as they are outdated, bizarre, convoluted, decades old, silly, stupid, retarded, etc.
Shall I go on?
Companies might build TRUST with their employees that they won't get fired at the drop of a hat, and companies might develop an ecosystem of resilience with their workers, such that everyone feels responsible for the company and vice versa. How? Socialism. Democratise the workplace. VOTE for your boss. You wouldn't accept totalitarian political solutions, so why do you accept totalitarian economic solutions? If everyone felt like what they did mattered, and felt like their employment was a vital part of their existence (as opposed to something they do to make money), then people wouldn't dream of walking off with data when they get fired, because getting fired would be rare, and a mark of massive failure. CHANGE YOUR WORLD. For the better. It's not that hard. You just have to get off your ass and demand it.
a reason to fire them or a reason not to?
That's why you don't understand.
The title should read: " MANAGEMENT Admits They'd Walk Out With Stolen Data If Fired"
TFS says they surveyed managers and executives, not rank and file.
I was going to say something like Ralph above me but without the socialism. Basically if you treat your employees like they matter and have some degree of human value (that is, personnel, NOT HR, massive Freudian slip there), then people behave like they have a stake in what they do.
An ID management provider does a survey designed to promote identity management. Why should I trust them?
it would have been a lot easier to prove wrongful termination when I had the documents that showed the general manager embezzling well over $25,000 per month. But, instead, I didn't have my backup copies at home.
I've learned my lesson. You should too.
Part of the problem is that due to HR policies it is increasingly difficult to hire good people. Why? By law you cannot check prior employers for proper references. You can only ask dates of employment and what their position was. This is how it works in the U.S. anyhow. So the potential employee gives you a list of canned references that they always use and will always say good things about them. Resumes? Those get doctored up sometimes too. Most of the time HR is just scanning applications for key words and such without any real understanding of what it all means. This is especially true for tech jobs. Once the person gets hired there are a whole host of things that you CAN'T fire someone for and a much shorter list of what you CAN fire someone for. Is it any wonder that a few bad apples sneak between the cracks?
...remain friends with my former bosses.
I told them when I was hired I don't take budget cuts personally and if they (literally) needed someone to help tear down the building after closing to give me a call.
When I was laid off, before I left, I took all sorts of data with me, as well as several electronic gadgets like flash drives. It was really about saying "fuck 'em" on the way out.
In 30 years as a software dev I don't think I've known more than a couple computer geeks who might have the guts to steal data, let alone the personality to locate a buyer, negotiate a price and actually follow through on the deal. Sure we've all seen Office Space and talked trash about what we'd like to do to a company, but at the moment of truth, no way. And managers tend to be even more gutless -- something tells me the survey results were heavily skewed by false bravado.
I very much doubt I'd want or have any need for CRM data, financials etc., and on moral grounds wouldn't consider it anyway. However, when it comes to my own knowledge that I've dumped on our wiki (Linux tips and tricks, Oracle installation/configuration notes, useful SQL/scripts etc.), hell yes. I've put that content there and use it quite often. If I can't put that kind of thing there without being able to take it when I leave, why should I bother putting it there at all?
Even if I felt the company had screwed me, I wouldn't take anything of true value to the company. However, if I thought I could get away with it, I'd grab several of the little libraries and code routines I've written over the years to make my life easier. I'd hate to have to code them from scratch the next time I needed them.
Big company I worked for made sure you worked from home after hours to earn that "salary" .
So we set up dev machines at home and worked via VPN when stuff went down.
End result is you walk in and they terminate your position. You go home and have all the source and all the various passwords that their stupid supervisor insisted on using so he could avoid being locked down by Active Directory.
Three years later they STILL have not changed the passwords that allow all access to their main SQL servers or Portal.
You trust me with the data as an employee, meaning you pay me to respect the data and the security. So pay me to respect it as part of my severance. Give me incentive not to steal from you what was mine the last time I forfeited my labor for your profit. Cos that data is worth money; there's no other reason to take it. Of course, there were times when people would walk out with physical property. Those who couldn't, and wished some sort of righteous justice in exchange for their termination, would just vandalize or terrorize the company's shit. Burn this, break that, throw out a batch or two of mail... one way or another, a belligerent employee will find a way to screw over the employer upon a random and shitty firing. Best practice: give notice, and plenty of it. Don't just lock my accounts out and refer me to payroll and accounting after my two hour commute and fire me without notice. Many of you think that's the secure route. But playing with fire... well, it's not usual to advise one to play with fire.
On a serious note you make a wonderful point.
Prior to Hurricane Katrina, I was working in the financial sector as a software architect, using live data feeds to test our systems. On a regular basis and with management's blessings, I was allowed to take home whatever data I wanted to play with or that my project required. I did this for months on end. I usually brought the data home on a USB 1TB drive, but it was too slow for my SQL queries so I copied to my personal SQL server for faster access. When I left them, I forgot about the data, looking forward to my next assignment.
Hurricane Katrina hit and I had 3 feet of water in my house and several trees on the roof. After drying out the house and totally remodeling it, I started researching which of my electronics were lost and which could be salvaged. Among the PCs salvaged was my SQL server, which contained all of the data from my financial firm. I had full credit reports, bank statements, loan applications, and the kicker was that I had this data for well over 1 million people that had gotten mortgages.
Although I formatted the disk and erased the data, it is impossible to prevent this type of issue from occurring.
"Stealing data" is another way of saying "offsite backup".
The one time I was laid off (knowing it was coming for months - closing an entire facility, plus I got extended a couple times and had turned down an offer to move to Dayton, Ohio), I was working on wrapping up a project up to the very last day. The last parts were documenting, etc. but when I walked out the door I had my personal laptop that I'd been using for some development work and testing.
What did I do with the company information on that laptop? I zipped it all up, burned it to a CD along with an index/directory and notes on what might be of interest in case there was anything like homegrown test tools that wasn't on my main system, and mailed it to them. What did I get for all this? Thanks for being so great about everything, which kind of confused me - they'd offered to keep me on if I was willing to move and I refused, and I wasn't going to screw the people I'd been working with for years.
If you dislike the people you work with enough to screw them when you leave, you're in the wrong place (mentally, physically, whatever) already.
As it turned out, I ended up doing some fairly substantial hourly consulting for a different division of the same company a few years later, and I suspect that had I pouted my way out the door it wouldn't have happened. I didn't end up needing any of my old coworkers as references (jumped into freelance work with some other former employees), but I have no doubt that I'd have been able to get good references with no difficulties.
There is, believe it or not, another way - it consists in treating your employees as real people, with fairness, respect, dignity and honour. The fact is, you basically get what you ask for; if your whole attitude is that your coworkers are criminals, then for the most part that is exactly what they will choose to be.
I know this from personal experience - at one point I felt ostracised and treated with suspicion and contempt; and I wouldn't have hesitated with stripping the company of all valuables if I had got the chance. Then we got a new manager, who gave a fair chance to prove myself - and now I wouldn't dream of betraying the trust of my workplace. Of course, the problem is finding a manager who has the integrity and the guts.
Until they're fired? I have proprietary data my companies IT department LOST in a drive crash due to incompetence. Due to the incoherent nature of their incompetence at storing 'IP' in a central location and protecting it I've amassed all of their IP. I will happily fuck them up the ass and sell it. In several cases it's not patented since someone else holds a patent and it would expose them to risk. ;)
Your employer should always be the one that gets fucked for terminating your employment for any reason. Live by that and sweep that offal into the dustbin of history. If you're not darwining evil you should be darwin'ed
In the event of getting screwed over I always saw my departure as being more like this http://youtu.be/bhAcPUzsgXQ
Be gone from my sight or prepare to feel my flaming wrath!
Let me just make a bold guess here... The company that sponsored the study offers solutions to this problem, right?
... They are not "insiders" any more. You could call it "previously-insiders" threat.
What about coupling HR bonuses to the performance of the people they hired?
A more common occurrence is: you know, oh Jeff makes X money, but my friend Jackie is looking for a job that pays X, let's just hire Jackie, make Jeff train Jackie and then fire Jeff. It will only cost us Y dollars to pay both of them for a short period of time, then I'll be able to work with my friend Jackie. Too bad about Jeff, but we can't afford two people. Hopefully he'll get the message and start looking for a new job right away...
So it is clear, we cannot trust the managers and executives. This only shows that we should have as little of them as possible and limit their access to sensitive info as much as possible.
Also explains the firing policy that you hear about in a lot of American companies: "Ill-doers are ill-deemers".
That's a sure sign of a poorly run company. My current employer is exactly the opposite, we have an enterprise risk committee and one of the risks they identified is the retention of key IT personnel. I've had offers for more money but all of them came with worse working environments where I wouldn't be as valued and so at least until the global economy starts taking off again there's no way I'm going anywhere.
Treat human beings decently, and bad things will not happen. If you have to fire someone, do it gently and signal that you want to part friendly and give them a decent severance pay without a fight.
That's why in Europe you cannot be kicked out literally on the next day.
HR performance is coupled to how many people they get fired, not how many they hire. I thought everyone knew that. HR is there to facilitate company savings, heading off the costly, over-qualified people before they get to be interviewed by the departments which need them.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Only 57 percent say they actively do so. The other 43 percent weren't sure or knew they didn't.
And therein lies the problem. If I develop code, on my own time, that I reuse at the workplace, whose code is it?
Yours, but only if you take proper steps to make sure that they know it is yours. I would suggest offering the code to the company to use in perpetuity for the golden license fee of $.01 if you really have some re-usable code you want to give them. They won't balk at the price, and you can whip out a simple little contract that says you own the code but they can do whatever they like with it internally. Then there is never a legal question over who created it later.
HA! I just wasted some of your bandwidth with a frivolous sig!
If you setup monitoring, who controls it?
If you setup logging, who admins the systems and has sufficient access to bypass the logging?
What about people with physical access?
A lot of these logging schemes are very naive, for instance a web application that logs all the data you access "through the web interface", but it does nothing for someone who gets access to the data at the database or filesystem level, and the same people who have access to the db/fs level also have access to the logs anyway so could easily modify them.
Also 99% of company networks are based on the classic design, extremely insecure internally with a firewall to hide the insecure mess from the internet... If you're inside, even if you have no network privileges whatsoever you can usually gain access to anything you want in a few minutes given appropriate knowledge. I have done countless pentests where all you get given is an ethernet port, and within an hour we have access to everything (start with domain admin which is easy to get, and anything that's not connected to the windows domain you just keylog the admin workstations which usually are on the domain)... I have yet to pentest a company where it wasn't possible to do this in short order.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
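The post above makes the point that a log is worthless if the people it is supposed to watch can rewrite it. Added example, not from any commenter: a keyed hash chain over audit records, where the HMAC key is assumed to live only on a separate log collector that the db/fs admins do not control, so a deleted or edited entry is detectable. Event records and the key are constructed for the demo.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample events: a web-interface read and a direct DB read.
SAMPLE_EVENTS = [
    {"seq": 0, "who": "alice", "via": "webapp", "action": "view", "obj": "customer/42"},
    {"seq": 1, "who": "dba01", "via": "psql", "action": "select", "obj": "customers"},
    {"seq": 2, "who": "bob", "via": "webapp", "action": "export", "obj": "report/q3"},
]


def chain_mac(prev_mac, record, key):
    """MAC binding this record to the previous entry's MAC."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, record, key):
    """Append a record, linking it to the tail of the chain (collector side)."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"record": record, "mac": chain_mac(prev, record, key)})
    return log


def verify_chain(log, key):
    """Return (ok, index of first bad entry or None).

    Detects edited, inserted or removed entries anywhere before the tail.
    Truncating the tail is NOT detected by the chain alone; the collector
    must also publish the expected length or a periodic anchor MAC.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        if rec.get("seq") != i:  # sequence gap: something was dropped
            return False, i
        expected = chain_mac(prev, rec, key)
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = expected
    return True, None


def build_demo_log(key):
    log = []
    for ev in SAMPLE_EVENTS:
        append_entry(log, ev, key)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # would be held only by the collector
    log = build_demo_log(key)
    print("intact:", verify_chain(log, key))
    scrubbed = [e for e in log if e["record"]["who"] != "dba01"]
    print("dba read deleted:", verify_chain(scrubbed, key))
```

Without the key, an admin who edits the on-box copy cannot recompute a valid chain, and the collector's verification pinpoints the first tampered position.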
I always keep backups of databases, source code, documentation, everything I needed on the job, so that when I'm inevitably called back at twice the price, I have it on hand to fix things up.
Nine out of ten of you fucktards are totally incompetent, so there is a 91% chance that my replacement is going to fuck everything up, and I'm going to get that phone call. When that happens, it's invaluable to have all those backups and company data.
Actually, the more I think about it, it is more like 99 out of 100 IT workers are totally incompetent.
"I remember reading long time ago in security 101 best practices to remove employee's network privileges a week before they receive the notice" ..
...
What company was this that actually gave the employees a week's notice, instead of marching them out the door on a Friday at 5:00pm?
I worked for a place where I got fired. The company tried to screw me out of my last paycheck (In Illinois where this is legal).
Fortunately, my computer was password locked and encrypted, once they figured out they couldn't access any of my files I told them once I get my paycheck I'll provide the password. It worked.
It is funny how people require CEOs, politicians, etc. to act according to "all known moral codex", but at the same time they are ready to act wrongly, trying to justify it because they were badly treated. Sorry guys, you can't have your cake and eat it too. It's either way - you keep your morale high, even when fired, or you stop complaining how every human on Earth acts on their survival impulses and ignores the "social agreement".
Sysadmins and IT managers have huge power. Acting irresponsibly in this way not only can land you in jail, but destroy any hope for a career you could have. If it was a bad working place and you got fired - fine, you did your best, but it wasn't meant to be; hating your former employer will make you feel sick and nothing more, just steam off your anger and be gone. If it was good - don't ruin your memories and the memories of others about you. Yeah, maybe management sucked, but your colleagues didn't. Maybe they will return the favor of just being nice to them later.
Moral codex is not something artificial. It is basic rules of proper survival. You do good, people will return the favor. Not all of them, no. Someone will try to screw you. But overall, you will be better off being a nice person than trying to destroy your former working place.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
How many CEOs pay themselves with company money? 99.9%
Treat CEOs the same way they'll treat you and treat them that way first.
Squeeze them for every penny and then leave them stranded.
I was asked what I considered the most dangerous threat to the security of data. I looked at the person (there were 3) and told them your internal people are the most dangerous threat to your information.
Judging by the look on their faces, that wasn't the answer they wanted to hear.
Just goes to show, people don't want to hear the truth.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
If I were fired, I'd be left with some confidential information at home and possibly on me. It would not be intentional as my only reason for having that data is to do work. It's one of the risks involved when the company makes one work overtime/unscheduled work, has poor time management for projects, and treats the Security Office like a fiefdom.
If there was a Security Administrator's Oath, I hope the first line would be "I will try my best to get the rest of the staff on my side". Don't give honest employees a rationale for opening security holes (of course, have standards). After that, you can work on not giving them an opportunity to open holes.
I had a job in Comcast's engineering group. After I got fired, as I'm on my way home, they were asking me for my password because a process was running under my account. Needless to say, I didn't share.
As I was being shown the door, they wouldn't even allow me to cancel my gym membership. I had a security guard with me at all times. I told them "if I wanted to sabotage things, I would have done that by now." Needless to say, they didn't find that amusing.
But I'd be damned if I would take any effort to prevent it if I was canned. Screw 'em..
---- Booth was a patriot ----
One side effect of this widespread willingness of employees to engage in theft/sabotage when fired is that it tars innocent employees with the same brush. I was once fired for finally standing up to my boss when she made yet another unreasonable demand of me. There was a security breach a couple weeks later, and I was immediately accused of it (despite the fact that I hadn't even had admin access to the system that got cracked), with the FBI sent to my home, demanding access to my personal systems and encouraging me to confess. It was literally adding insult (to my integrity) upon injury (to my career). I couldn't prove my innocence (which is impossible of course), but I managed to demonstrate that they had no evidence that I was guilty, and eventually they stopped hassling me. But it left me unemployed, a permanent "person of interest" to the FBI, and unable to get a job in any comparable position because employers assume that my firing was justified and (if they heard about it) would assume I was guilty of the cracking.
wow. seriously wow. you fuckers
I once worked at a real estate company for five years and was let go. One of my responsibilities was to back up some of the mortgage documents we received to CD-ROM (this is late 90s, BTW, for a top ten lender). As they let me go, they asked if I wanted to clean out my desk. I told them they could do it. One of the things they brought to me was the entire archive of CDs of all the mortgage docs, despite all the labels I had put on the CD binders marking them as company property. I had to convince them that the CDs were their property, not mine.
Carry a stick with a truecrypt container. Main/Hidden partitions, tax forms, medical stuff, credit card disputes, etc in the main partition. You know the drill.
As you go about your daily work, you will run across some data that could be useful; take it and store in your similarly encrypted container at home.
It's even easier if you are in the habit of taking work home with you. Even on a laptop with corporate spyware, you can yank the HDD and mount it in another OS. Or boot from a stick, then do the transfer as you need.
The day they fire you, thank them politely for the time you worked together, take your things, and leave.
1: If you treat employees like crap they will
A: If they've taken the steps to be marketable, they leave. The end result is you're left with mediocre and down.
B: If they feel trapped, they act out. This can be as damaging as getting a gun and shooting the joint up, or as insidious as coming up with a LEGAL way to make money from you or destroy your books.
C: If they feel helpless, they retreat inward into a self-destructive cycle and ultimately cost a lot of money or start looking.
2: If you force your employees to work overtime while on salary, and ask them to do tasks that are not befitting a salaried worker, you can expect them to keep track of what they are doing, find a lawyer, and sue for overtime pay. You do not want to be on the receiving end of a state police investigation for instituting policies that lead to unpaid wages.
3: If you do things that are illegal, you can expect your employees to reciprocate. Which means your sysadmin is free to grab your sales guys' OST files or install a keylogger so they can logon and spider their webmail account then sell it to the competition. The way you know this has occurred is your sales start to drop.
4: If you do things that are illegal, you can expect your employees to respond by contacting law enforcement or blowing the whistle and asking the government to fine you and take a cut. This is especially true for tax accountants.
5: Most companies DON'T document their systems. Which means if you fire a sysadmin or programmer, you can expect back-doors to be all over the place, possibly easily-guessable ones that can be exploited from a coffee shop. It also means if you hire a contractor to come in and clean house, there's a good chance he'll charge you 5 figures to do so, and after your new sysadmin has been trained it was probably cheaper to hire a new sysadmin, train them, THEN fire the old one or give them 2 months notice. Or you could just talk to them or do the math and institute a "I'm giving you X dollars and X hours per day to study for X certification, if you do not pass....".
6: Most companies DON'T keep track of what systems access is being used for. So if you're stupid enough to give a programmer domain admin access, and they copy the source code to your app and sell it at market, you won't know but more importantly, you won't know who.
7: If you treat a manager badly, it may result in that manager intentionally instituting policies that will destroy your contracts, your operations, your business, your facilities, or your books and, if you don't have good controls, you will not notice until the damage is done.
8: If you ask your employees to shovel dirt under the rug, then proceed to fire them, you can expect them to tell other people where the dirt is at.
In short, shit always rolls down hill, but the smell always rises to the top.
Right.... Out of all the possible scenarios for taking corporate data with you upon your termination, the one that seems most viable and useful is taking customer contact info, assuming you're in a position to use it yourself.
The paranoia of stealing confidential data to sell to competitors is probably the LEAST likely to actually happen. Like you said, anyone doing such a thing would put themselves at high risk of being arrested, if word got out they supplied the information. (And they'd have to live in fear of that for MANY years after the fact, which might be just as bad as actually getting caught!)
You don't even have to be in sales to want the customer data. I once worked for an on-site PC service company where the owner seemed really paranoid about one of us taking his customer data and using it to bypass him, and work directly with his clients. Honestly, I never had ANY interest in doing such a thing myself, because among other things -- I just enjoyed getting dispatched to do the calls, without all the hassles of doing the taxes, the accounting, the advertising, and the bill collection if/when someone didn't pay. One day, he found out he was losing his office space suddenly, due to circumstances beyond his control. That was SUPPOSED to mean we'd still carry on business as usual, except I wouldn't have a physical office to report to in the morning or when calls were done. He was going to work from home for a while and call me to do what was needed.
Unfortunately, it also meant he had to let go of his office assistant ... and she needed to find another job. One of his customers had recently mentioned to her that he could probably help her find work if she ever needed it, so she went through his customer database to get that guy's number, before her last day of work.
Well, the owner discovered someone had accessed that data and immediately assumed it was me, so all of a sudden, I get a threatening letter in the mail from his lawyer, when I was just sitting there wondering why my phone hadn't rung with any customers to visit yet!
After that? Yeah, I contacted as many of his customers as I knew how to reach (WITHOUT using his data!) and informed them I'd be opening my own on-site business. I still run it to this day, and he shut down his company years ago.
When I lost a job to a layoff a few years ago, I left them with a list of accounts and passwords that they needed to change to make sure I had no access to their systems anymore. I had firewall passwords, root passwords on a number of business critical and other accesses that could have been used to shut them down. I assumed that they actually had disabled or changed all my accounts, at least until about 18 months later when I got a phone call...
"Hey, do you have that admin password for the firewall still?"
"You are kidding me right? I left all this information with you when I left 18 months ago and you are only *now* getting around to this? I don't have this information anymore because I left it with YOU." (Even if I did there was no way I would tell them...) "But I can help you recover the password if you want to hire me. Let's see, $100/hour plus expenses, minimum 5 hours paid in advance...." They never called again after that.
Seriously, it is really bad to even think you can just walk off with proprietary information or do damage to some business because they let you go. I would consider it STUPID to even consider doing something like that. It's very likely that they will be able to figure out what happened and who was responsible, then turn you in to the police or just sue you directly. Either way is bad enough...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Once again like I've said before you better take care of your IT guy. The company I worked for prior to where I am now forced my supervisor to sign a contract because they were going to pay for his training to move to new servers and give him a raise if he passed. Well he did and they didn't so he left and NO ONE at the company had any passwords for any of the 5 servers. So they ended up contracting him for 1 week to train me and give up the passwords. Bottom line TAKE CARE OF YOUR IT GUY AND KEEP HIM HAPPY.
How about making your employees happy so that they don't want to screw you when they are let go.
It's interesting to note that many employers fear this kind of employee to a greater degree than someone who grabs the blueprints and tries to sell them to the competition.
Have gnu, will travel.
So, they asked 7 people?
In the handful of companies that I've worked for doing IT, whether I left voluntarily or was canned, I somehow still have access to ALL of their systems. They took away some of my logins, but most of them are still intact, and the main admin accounts apparently never have their passwords changed. Kind of scary to think that they don't know and/or don't care, especially since I'm pretty sure I came off as the type of crazy bastard that would come back to haunt them if they pissed me off. As it stands, I have full access to two large hospital networks, the local ISP's network, and a local major oil refinery's network. Kind of looking forward to the day that I have nothing to lose and go to town on all that jazz...
In Soviet Russia, dot slashes YOU!
"walking out with proprietary data" and "walk[ing] out with stolen data" are two completely different things. I have a multitude of things stored on a USB key I bought that, were I to be fired, I would walk out with. Would I have stolen the data? Not at all. Just haven't gotten round to deleting it yet. Surprise, surprise, the headline does not match up to the summary or article.
People need to understand that if you handle the situation right and give someone severance, etc. then things usually go smoothly...even though they may feel a little angry. Also, there's no point to screwing over the company by explicitly sabotaging it...that's considered criminal activity and you can go to prison...think about it.
I do agree that people can create tools and processes that are known only to them and nobody cares as long as the business works. However, more often than not, companies don't properly evaluate the dependencies and layoff people based on cost savings.
Corporate sabotage is just plain stupid, but I do think that making yourself valuable is within reason.
I'd walk out with enough to be able to field the 2:00 AM calls from whoever was left if they needed help. I feel no spite whatsoever toward the systems that I've built over the years, and even in the cases where they were purely work for hire and I got thrown under a bus afterward (which has happened), I'm not going to do anything dishonest, nor even through inaction have an effect on the people left behind that I wouldn't be proud of later on. I've never had any expectations from corporations and the people that run them to be anything other than corrupt, soulless machines. Having that in the back of my mind while making decisions up front about what to do for them and what to expect from them in return has made my life a lot more pleasant, and easier.
I know that Americans hate this kind of thing, but why not have an order of IT, like there is for doctors or lawyers? Face it: no technological tool will make it even difficult for a sysadmin to have a copy of confidential corporate data. You have to rely on morality and goodwill, which is hard to enforce technologically.
Have an order whose members accept to follow a strict code ("Delete copies that you own, signal any accessible sensitive data, do not talk to anyone about the content you saw...") that would make them suitable to work as trustworthy sysadmins without risks, just like you know you can trust a doctor to not tell everyone you have AIDS if he sees that when you donated blood.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Oh, great. My old employer launched several waves of layoffs which culminated in closing the west coast office. The very first step they always took was to separate us from our company laptops and confiscate them. We always thought that was SO anal. I don't think so any more!
With background checks you have insurance against this because you know where all of their family members live...