Week in review #1
Every week or so, I share my highlights.
BH Dicaire is an Independent Expert.
Prior to founding DICAIRE Strategies, BH started his career in Information Technology in 1988 as a Multi-platform Specialist.
The French version of this article was posted in 2007 on Direction Informatique. It is still used for awareness purposes.
—————————————————————————————————————
Imagine that you have to fire your building’s superintendent and all the headaches involved. First you have to think of the various rooms he has access to, from the furnace room to the broom closet, including the pool locker rooms. He may return the keys before leaving, but how do you know that he doesn’t have duplicates? Do you have to change all the locks?
The precautions to be taken in this situation are similar to those required when a system administrator is dismissed. Administrators generally control a huge set of technological resources and therefore wield great power. That power should be divided among several different people, so that it is not concentrated in the hands of one individual.
Fortunately, dismissing a system administrator is not a routine occurrence. But it may be required for a number of reasons: an acquisition, outsourcing, workforce reduction due to reorganization or simply an attitude problem. The last reason is not unusual for this type of employee, who is generally well aware of his or her strategic role in the organization and the resulting power conferred.
Although dismissing the system administrator is not a frequent occurrence, it can have a major impact on the smooth running of an organization and careful preparation is crucial! First, all access and equipment the administrator is responsible for must be carefully documented. Keeping a master list for this purpose is advised. Such a list will vary depending on the firm but in general will contain all IT systems, including workstations, applications, telephone systems (landlines and VoIP) and everything involving telecommunications (Internet access, firewalls, etc.).
Therefore, you must ensure that the administrator hands over voice mail codes, access cards, RSA keys, cellular phones and any machines and devices that are used or kept at home or in the office. A conscientious administrator will cooperate in this process to keep his or her reputation intact and avoid being wrongly accused of sabotaging the firm’s infrastructure.
While the administrator is being informed of his or her dismissal, a special team should get busy changing as many passwords as possible. They should focus on the most important ones, since asking all employees to change their passwords is a delicate business and creates an unnecessary commotion in the workplace.
Management should also be notified so that it can draw up a communications plan to explain the situation to personnel and, among other things, preserve the firm’s reputation. Succession planning is also required so that a replacement is ready as soon as the administrator has left. After the changeover, it is wise to check logs and firewall access rules regularly and more carefully than usual. Finally, the firm should hire an external specialist to conduct an audit one month after the administrator’s departure.
Another approach to consider: notify suppliers that the administrator was in contact with in order to avoid the unfortunate consequences of vengeful acts such as orders placed for no reason or the cancelling of expected orders.
There is also a role for prevention. Include confidentiality, secrecy (non-disclosure) and non-competition clauses in administrators’ employment contracts—there is no downside to this. In addition, it is better to require long, complex passwords that are ideally changed every three months and annually at a minimum. Above all, it is crucial not to put all the organization’s eggs in one basket by entrusting a single individual with too much power.
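The post-departure log review described above, as an added example that is not part of the original article: it walks an exported event log and flags any use of the departed administrator’s account, any shared account used from the same source address, and every firewall rule change after the changeover. The JSON line format, account names and addresses are constructed for illustration.

```python
"""Post-departure log review (added example, not from the original article).

Assumed: authentication and firewall events were exported as one JSON object
per line with the fields shown in SAMPLE_LOG, which is constructed here."""
import json
from datetime import datetime

# Constructed sample: two events before the departure, four after it.
SAMPLE_LOG = """\
{"ts": "2007-03-01T09:12:00Z", "event": "login", "user": "jsmith", "src": "10.0.5.20", "result": "ok"}
{"ts": "2007-03-01T17:40:00Z", "event": "login", "user": "jsmith", "src": "10.0.5.20", "result": "ok"}
{"ts": "2007-03-02T02:15:00Z", "event": "login", "user": "jsmith", "src": "203.0.113.7", "result": "fail"}
{"ts": "2007-03-02T02:16:00Z", "event": "login", "user": "backup", "src": "203.0.113.7", "result": "ok"}
{"ts": "2007-03-02T02:20:00Z", "event": "fw_rule_change", "user": "backup", "src": "203.0.113.7", "result": "ok"}
{"ts": "2007-03-03T10:00:00Z", "event": "login", "user": "mlee", "src": "10.0.5.31", "result": "ok"}
"""

def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review(log_text, departed_user, departure_ts, shared_accounts):
    """Return (finding, timestamp, detail) tuples worth a second look."""
    cutoff = _parse_ts(departure_ts)
    findings = []
    suspect_sources = set()
    for line in log_text.splitlines():
        ev = json.loads(line)
        if _parse_ts(ev["ts"]) <= cutoff:
            continue  # activity before the departure is out of scope here
        if ev["user"] == departed_user:
            # Any use of the disabled account, even a failed login, is a finding.
            findings.append(("departed_account_used", ev["ts"], ev["result"]))
            suspect_sources.add(ev["src"])
        elif ev["user"] in shared_accounts and ev["src"] in suspect_sources:
            # A shared account used from the same address as the departed admin.
            findings.append(("shared_account_from_suspect_source", ev["ts"], ev["user"]))
        if ev["event"] == "fw_rule_change":
            # Every rule change after the changeover is reviewed by hand.
            findings.append(("firewall_rule_changed", ev["ts"], ev["user"]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, "jsmith", "2007-03-01T18:00:00Z", {"backup", "root"}):
        print(finding)
```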
The French version of this article was posted in 2007 on Direction Informatique. It is still used for awareness purposes.
—————————————————————————————————————
Recently, a senior manager at a firm was flabbergasted to discover, based on a system vulnerability and penetration test, how much information on her organization was circulating unofficially on the Web. This information was coming mainly from employees’ posts to discussion groups made under company email addresses.
Not only were the opinions expressed beyond the organization’s control, even though they came from email addresses bearing the firm’s name, but in some cases they ran counter to management’s positions. It is not far-fetched to imagine how much harm this could do to the firm’s reputation, not to mention the possible impact on share prices in the case of a public company. Managers must realize that it is very tempting for employees to use company systems for email, since these are usually faster and easier to use than public email systems, particularly free ones.
In principle, an organization’s email addresses should be used strictly for company business. All opinions expressed by an employee about the employer, its products, suppliers or any other subject are personal opinions that should be sent via a personal email address from an Internet service provider such as Sympatico or Videotron or provided free of charge by organizations such as Google, Hotmail and Yahoo. In addition, it has become increasingly common to register your name as a domain—for example, Dicaire.com or Dicaire.ca. A permanent address with the format firstname@lastname (e.g., benoit@dicaire.com) can also be used and is ideal for personal communications.
Avoiding the unnecessary use of the organization’s email system reduces the risks of tarnishing the firm’s image and affecting the performance of its information systems (a high volume of personal emails may cause slowdowns). It is essential to include guidelines to this effect in the firm’s security policy. Clear rules must be set before any disciplinary or technological measures involving personal emails are applied: otherwise, this is akin to issuing a highway speeding ticket when no speed limits are posted.
It is up to each organization to decide how far it will go in allowing personal emails on its systems. Management must approach the issue in the same way it deals with personal phone calls and faxes. Any leeway granted in this matter will depend on the organization’s specific culture.
It is also crucial to keep in mind that, by reading your email on a Web interface connected to an external system not belonging to the organization, you risk infecting your workstation with a virus or spyware, which will then spread over the entire system.
The objective of allowing some flexibility in personal emails is to maintain an acceptable level of productivity without antagonizing employees or undermining morale. An interesting alternative adopted by some businesses is to install cubicles with workstations—in the cafeteria, for example—where employees can send and receive personal emails.
One thing is clear, however: our work tools belong to the organization, as do the results of our work, including intellectual property. Our actions must comply with the organization’s confidentiality and secrecy policies. The same obligations must apply to contract employees and partners working in the organization’s offices.
The French version of this article was posted in 2007 on Direction Informatique. It is still used for awareness purposes.
—————————————————————————————————————
A friend called me recently to ask my advice on hiring an information security adviser. He had just had a bad experience with this, having hired a specialist who did not meet initial expectations.
The more details he provided, the more I realized the crucial mistake that had been made: the adviser had been chosen almost exclusively for his technical skills. Little emphasis was put on his overall abilities, attitude and aptitude for teamwork. The result was that this person did not succeed in fitting in with the existing staff or in communicating his ideas effectively.
One of the main qualities required in an information security adviser is to know how to avoid conflicts. Other staff tend to see the security specialist as someone akin to a police officer who often has to forbid things in order to impose order. In this environment, specialists must use tact to avoid ruffling the feathers and offending the sensibilities of employees set in their ways. In fact, some studies of priorities in personnel selection put technical skills in third place behind initiative and cognitive skills.
Do your homework
The first step for an organization contemplating hiring an information security adviser is to carefully assess the current staff, and determine if their skills are mainly operational, tactical or strategic. The adviser’s qualities must complement those of other employees. IT personnel are like a hockey team and you need a successful mixture of people, including journeymen to support your stars.
Knowing how to work as part of a team is essential. Does the adviser have the flexibility required to adapt to this particular working environment? To make sure, first consult your own references rather than those listed on the candidate’s resumé. It is also useful to require examples of candidates’ past deliverables in order to verify their ability to express their ideas clearly and communicate with management.
Check technical skills, too
Whether a candidate’s experience is relevant is another key element in selection. If the tasks you expect to assign the adviser involve such things as applications development, business continuity plans, legal compliance, criminal investigations or ethics, you should ensure that the candidate is well versed in these areas.
This is where technical qualifications come into play. To assess these, focus on things such as the certifications the candidate has obtained and his or her knowledge of risk analysis methods (AS/NZS 4630, MEHARI, NIST SP800-30, Octave, etc.) and frameworks and best practices (CobiT, IATF and ISO 27000). Organizations must think in the long term. An adviser may be able to deliver the goods in the current project, but will he or she be able to do so in subsequent projects? Ask the candidate about his or her professional development plan, which mainly involves memberships in associations such as ASIMM and ASIQ.
Information security is a tricky field and taking the proper precautions is essential. Firms must scrutinize the candidate’s past history to ensure he or she has no criminal record or major irregularities in his or her personal credit record.
Information security people pride themselves on spending 80% of their time communicating. In addition, the field is evolving in contexts that are forever changing and that involve substantial political issues. The situation is complex, and requires being able to count on an adviser who has not only high-level technical skills but also a great capacity to fit into various teams.
The French version of this article was posted in 2006 on Direction Informatique. It is still used for awareness purposes.
—————————————————————————————————————
Against the inevitable backdrop of information security, the proliferation of electronic sources and the passwords that protect access to them can become a burden for users and for organizations. Fortunately, there are ways to make life easier.
Human beings have been attempting to keep their information protected for ages. In Roman times, Julius Caesar is said to have encoded his military messages. He allegedly used Rot(ate)-3 encryption: a system whereby each letter in the alphabet is replaced by the third next letter.
Similar systems are now used to create the passwords that we use to protect electronic data. In light of the many means that are available to crack passwords and to gain access to systems that contain confidential information, many organizations have strict rules governing them.
Of course, it can sometimes be quite easy to guess a password. You just need to know a little bit of information about the person who created it. For example, you could try the person’s first name, or the name of the person’s spouse or child. For a numeric password, a cracker is likely to try the user’s phone number or Postal Code/Zip Code.
That’s why organizations generally prefer to follow strict rules for passwords: these rules include using a combination of uppercase and lowercase letters, numbers, and punctuation marks. It’s also a good idea to replace some letters with symbols, such as replacing ‘a’ with ‘@’, replacing ‘i’ with ‘!’, replacing ‘s’ with ‘$’, etc.
It is also more secure to create a password using the first letter of each word in a sentence. That way, you avoid using a word that is in the dictionary, which can be cracked by a program that tries every word in the list. Similarly, you can deliberately misspell a word.
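The password rules described above, as an added example that is not part of the original article: a checker for mixed case, digits and punctuation plus a dictionary test, and a helper that builds a password from the first letter of each word of a sentence. The dictionary test also undoes the letter-to-symbol swaps mentioned above (@ for a, ! for i, $ for s) before looking the word up, because password-cracking programs apply those same swaps; the word list is a small constructed stand-in for a real one.

```python
"""Password policy check (added example, not from the original article)."""
import string

# Constructed stand-in for a dictionary; a real check loads a full word list.
DICTIONARY = {"password", "sympatico", "montreal", "hockey", "secret", "winter"}

# The swaps the article recommends, inverted so they can be undone before the
# dictionary lookup; "0" for "o" is added as another common swap (assumption).
UNLEET = str.maketrans({"@": "a", "!": "i", "$": "s", "0": "o"})
EDGES = string.digits + string.punctuation

def normalise(pw):
    """Lower-case the password and undo the symbol-for-letter swaps."""
    return pw.lower().translate(UNLEET)

def is_dictionary_based(pw):
    """True if the password is a dictionary word once digits or punctuation
    tacked on the ends are removed and the symbol swaps are undone."""
    candidates = {normalise(pw).strip(EDGES), normalise(pw.strip(EDGES))}
    return any(c in DICTIONARY for c in candidates)

def check_password(pw, min_len=12):
    """Return the list of policy rules the password fails (empty = passes).
    The minimum length is an assumption; the article does not give one."""
    failures = []
    if len(pw) < min_len:
        failures.append("too_short")
    if not any(c.isupper() for c in pw):
        failures.append("no_uppercase")
    if not any(c.islower() for c in pw):
        failures.append("no_lowercase")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no_punctuation")
    if is_dictionary_based(pw):
        failures.append("dictionary_word")
    return failures

def passphrase_initials(sentence):
    """Build a password from the first character of each word in a sentence,
    the technique described above; digits and punctuation are kept as written."""
    return "".join(w[0] for w in sentence.split())

if __name__ == "__main__":
    print(check_password("P@$$w0rd!"))
    print(check_password(passphrase_initials(
        "Felix, my cat, eats 2 cans of tuna every single day & night !")))
```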
Human memory – The ultimate security breach
The next problem is remembering the passwords. In today’s world, with the proliferation of computer systems and applications, remembering passwords can be a real headache. As a result, many users write their passwords on a slip of paper or a notepad that is kept within reach in case it is needed. In fact, I recently came across a colleague who had scrawled his password on a piece of paper that was hidden under his keyboard. This type of situation is all the more common when passwords expire on a regular basis.
As a result, many have observed that enforcing strict standards for passwords does nothing to bolster security. Where is the security if one can determine someone’s password just by reading the notes that are stuck to the computer screen or by getting one’s hands on the person’s agenda?
One useful trick is to use the same password for all systems and applications whenever possible. This makes remembering the password much easier. This technique works particularly well for passwords that don’t expire, which is often the case with general public applications such as websites or e-mail systems. For extra security, you can add a suffix to each password, such as “sy” for the Sympatico website or “hm” for the Hotmail e-mail.
However, the most effective solution is password management software. This type of software should enable passwords to be stored securely on a personal digital assistant, a smart phone, and a PC, and should allow for synchronization of these devices. You can even include your bank PIN, your passport number, your driver’s licence number, etc.
But be careful – you must change your passwords quickly if you have even the least suspicion of malevolence. It is also wise to never disclose a password to anyone who asks for it.
Password management is a critical task at every organizational level. Like information security in general, password management is everyone’s business – from the individuals and organizations that own the information right down to the end users.