A recent study by the Ponemon Institute has shown that 59% of the individuals who were laid off, fired, or quit admitted to stealing company data. This study backs up the post that I made a while back entitled “Its Not Personal, just Business.” While it is always dismaying to have to lay people off, it is an unfortunate reality in today’s economy. What this study shows is that mission-critical data is walking out the door at an alarming rate. Where are these former employees going? Well, in most industries it is to the competition. What would your competitor do with your proprietary information? It is possible that they might not even know that it is your proprietary information if your former employee sanitizes it properly or “pretends” to recreate it. Don’t think that will happen? Well, the study also showed that 67% used their former employer’s proprietary information to leverage a new job. (See the Network World article on the study) (Listen to the NetworkWorld Podcast)
When the respondents to this survey were asked why they did this, they responded that they felt the information was theirs since they created it, or they felt some other sort of entitlement with regard to ownership of the information. Now couple this with the survey results that 44% of the respondents indicated that they did not trust their former employer to “act with integrity and fairness”; 25% said they were unsure. What kind of picture does that paint now?
Now you’ll never be able to completely stop this sort of thing from happening. There are both technical and management level controls that can seek to curb data loss like this but they will never totally stop it from happening. The goal should be to minimize the likelihood as much as possible while recognizing that complete success is unattainable.
What you should do is identify and rectify the “low hanging fruit” first. Address those items that are easiest to fix first and, once they’re done, begin to focus on longer term, more complex control measures. One of the things that the study indicates is that 24% of former employees indicated that they had access to their former employer’s computer systems after they had left. Roughly one in five indicated that this access lasted for more than a week.
Immediately cutting network access and reclaiming computer equipment shouldn’t be reserved for the difficult employees. It should happen to everyone. Employees should be educated from day one that this is just what happens when someone leaves the company – for whatever reason. Effort should be made to get the point across that the reclamation is not a statement on the former employee’s ethics or integrity. Remember, it is not personal, it’s business.
This sounds rough, callous, and uncaring. Don’t get me wrong, I struggle with that too; however, if the results of this study are anything near accurate, then some action needs to be taken to address this major hole in our information protection programs. It also underscores the point that people are both our greatest vulnerability as well as our greatest security control.
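As an added illustration of the check behind that last figure (this is my own example, not code from the post or the Ponemon study): reconcile HR separation dates against a snapshot of directory accounts and flag any account still enabled after its owner left, marking those that have crossed the one-week mark. All names, dates and account attributes are constructed.

```python
from datetime import date

# Constructed sample data: HR separation records (user -> last day) and a
# directory snapshot (user -> account attributes). Not real people or systems.
SEPARATIONS = {
    "jdoe": date(2008, 7, 1),
    "asmith": date(2008, 7, 18),
    "bwong": date(2008, 7, 20),
    "cli": date(2008, 6, 2),
}
ACCOUNTS = {
    "jdoe": {"enabled": True, "vpn": True},
    "asmith": {"enabled": True, "vpn": False},
    "bwong": {"enabled": False, "vpn": False},   # offboarding worked here
    "cli": {"enabled": True, "vpn": True},
    "eactive": {"enabled": True, "vpn": True},   # current staff, no separation
}
AUDIT_DATE = date(2008, 7, 22)  # constructed "today" for the audit run


def lingering_access(separations, accounts, today, week_days=7):
    """Return accounts still enabled on or after their owner's separation date.

    Each finding records how many days the access has lingered and whether it
    passed the one-week mark that roughly one in five respondents reported."""
    findings = []
    for user, left_on in separations.items():
        acct = accounts.get(user)
        if acct is None or not acct["enabled"]:
            continue            # deleted or disabled: nothing to report
        days = (today - left_on).days
        if days < 0:
            continue            # separation is scheduled, not yet effective
        findings.append({
            "user": user,
            "days_since_separation": days,
            "over_a_week": days > week_days,
            "vpn": acct["vpn"],  # remote access makes the finding more urgent
        })
    # Longest-lingering access first so it gets cut first.
    findings.sort(key=lambda f: f["days_since_separation"], reverse=True)
    return findings


def run_audit():
    """Run the reconciliation over the constructed data set."""
    return lingering_access(SEPARATIONS, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        flag = "OVER A WEEK" if f["over_a_week"] else "recent"
        print(f"{f['user']}: {f['days_since_separation']} days ({flag}), vpn={f['vpn']}")
```

In practice the two inputs would be pulled from the HR system and the directory (or VPN concentrator) rather than typed in, and the run scheduled daily so the list is normally empty.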
Tags: data theft, Ethics, human factor, information protection, information theft, Integrity, NetworkWorld, Ponemon Institute
A recent blog post on the Emergent Chaos Blog caught my eye. This post was about ethics, and seeing as how we had a pretty good discussion here recently on that subject, I thought I’d take a look. The article cited another blog post by Chris Soghoian concerning some research conducted at the University of Colorado and the University of Washington on the Tor anonymous proxy network.
Apparently these researchers conducted their research in two phases. The first phase consisted of capturing the first 150 bytes of each packet that traversed their server to analyze what kind of traffic it was. The second phase examined the source IP address to determine the country of origin. The research can be found at this link, and it was presented at the Privacy Enhancing Technologies Symposium held on Wednesday (23 July 2008) in Leuven, Belgium.
The questions raised in both of these blogs were whether the research was ethical and legal. Apparently it may be a violation of the U.S. Wiretap Act. Now I’m not a lawyer and in no way can give legal advice on the interpretation of the act. I have read the law, and it appears to me that Title 18, Part 1, Chapter 119 §2511 (2)(g), which says:
It shall not be unlawful under this chapter or chapter 121 of this title for any person-(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
may either provide relief to the researchers or condemn them, depending upon how the courts have interpreted it. On one hand, servers on the Tor network are open to the public, but their purpose is to anonymize a Tor user’s communication as well as their physical location. If the communication system is public but the communication itself is not, does that provision apply? I can see an argument if the communication is in some way encrypted, but what if it is sent in the open?
What impact could that have on research? Is this type of research ethical?
Any thoughts?
Tags: Ethics, opinion, Privacy, Research, Tor, U.S. Law, University of Colorado, University of Washington, Wiretap Act
I had refrained from directly commenting on the Terry Childs/San Francisco Network incident that has been in the news this past week or so. I knew that so many other people out there would be commenting about the incident in their blogs, so what good would one more do? Now that the incident appears to be over for the most part, I’ll say a few words. I’ll still leave the particulars of the incident to those other blogs. What I want to comment on is what I consider the underlying factor here, which is trust and ethical behavior.
While I had strong feelings about this case, what really set me off was a piece in Info World where the author was communicating with a confidential source within the San Francisco technology department. The author was attempting to bring more light to the subject, but in the end the article essentially boiled down to: “What he did was wrong, but…”
It’s the “but” that I have a problem with.
Now I’m typically the guy who answers “it depends” when asked a general question. I run down the situation and the variables that need to be considered in order to get the information I need for a more precise answer. I don’t automatically assume the worst in people. I often try to give the benefit of the doubt to everyone – a practice that has gotten me in trouble before. I honestly believe that all of these are good traits. I do however acknowledge that there are situations where there is no middle ground and where the choices are truly binary (either a 0 or a 1; on or off).
In these cases I believe that it is imperative that we, as information security professionals, strongly come down on one side or the other without conceding the middle ground. By taking a stand on one side of this issue and rejecting the arguments or justifications contained in the “but” we can use this example to help our companies and our clients.
The simple fact is that there is no way to prevent a situation like this. Organizations delegate responsibility to trusted personnel to accomplish the tasks needed for a business to operate; they do not abdicate responsibility. They have to: there is no way that any company can succeed with constant oversight of every employee. It is too large a drain on company overhead. They place a trust in us, and we hold a duty to that trust.
In the Terry Childs/San Francisco Network incident, too many things were not done or handled in the right way. The incident didn’t start with Childs either. It started well before that. Decisions and omissions made by the City of San Francisco’s IT Department undoubtedly played a big part in the lead-up to this incident. That said, I don’t believe that these factor into what has happened. It all came up to the point where one individual had to decide what he was going to do. That decision was to either respect the trust that was placed in him or to violate that trust. It appears as if he violated that trust, and no amount of “but” can alter that fact.
As with any business situation there is a risk, and the risk must be managed. Organizations can insist upon proper documentation and backups for all systems to ensure knowledge retention in the event a trusted person leaves the company or cannot fulfill their duties. Organizations can put in place access log monitoring software and institute periodic third-party reviews as the situation or area of criticality warrants. At the end of the day, though, these measures only serve to reduce the risk to acceptable levels. A risk, however reduced, still remains.
Tags: Ethical Behavior, Ethics, Info World, San Francisco, Terry Childs, Trust