Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are small businesses (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days if not several weeks, if he had wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


RMA Presents Bring-Your-Own-Device Policies at RTP CFO Forum

Posted on 6, Sep | Posted by RMA

Chris Peterson and Russell W. Gilmore (http://www.rmasecurity.com/about-rma/team-profiles/russell-w-gilmore/) presented BYOD (Bring Your Own Device): Issues and Implications for Companies at the September RTP CFO Forum. The program discussed security issues and considerations for companies when employees connect personal devices to the company network. What issues need to be considered to accommodate lawsuits, audits, and records requests? How can companies prepare for lost or stolen devices? What steps can and should be taken when terminating employees?

The RTP CFO Forum serves the greater Raleigh, Durham and Chapel Hill region, supporting over 200 senior financial executives. The Forum is designed to provide interactive networking and discussion of technical and strategic topics in an environment created exclusively for senior-level peers. CPE is provided on select topics.

The RTP CFO FORUM is scheduled for the first Friday of every month, from 7:30AM – 9:00AM. Attendance is limited to CFOs or senior financial professionals in similar positions. The RTP CFO Forum is sponsored by Hughes Pittman & Gupton, LLP.


Stealing on the Way Out

Posted on 12, Aug | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Having to terminate an employee is never easy. To make the process even more difficult, consider the recent survey conducted by Harris Interactive on behalf of Courion which stated that 19% of employees age 18 to 34 would take company data with them if they knew they were about to be fired. Read the full story here.

Depending on the employee’s position at the company, the termination process could be quite cumbersome. Before terminating an employee, it is good to think about their role in the company and what they have access to or control over. Each situation is different and should not be handled in a cookie-cutter fashion. Terminating the IT manager will involve different issues than terminating a sales person.

What steps can you take to minimize risk? Strong policies and procedures are a good starting point. If an employee knows that severe repercussions may result for data theft, he or she may decide against the theft.

As we’ve said before, there are opportunities for companies to preserve data and protect themselves prior to the termination process or as part of the termination procedure itself (When Employees Leave Data Should Stay). When it is evident that an employee must be terminated, steps should be taken to image the computer or devices used by the employee, even if a future computer forensic analysis is not needed. It may even be beneficial to image the computer prior to termination and again after termination. I have often been called to recover data deleted by an employee after they have learned of their impending termination.

As a consultant, I have assisted in a number of terminations, and they are all different. Proper preparation and forethought will not only benefit the company but protect the employee as well.


Security in the Office – A Checklist

Posted on 30, Jul | Posted by Christine L. Peterson, CPP, ISP

  • Comply with and support your company’s safety and security program and regulations, and insist that others do the same.
  • Protect wallets, keys, purses, and other personal valuables on the job. This especially includes smartphones and tablets.
  • Challenge strangers in restricted areas. The best way to approach this is from a helpful perspective, such as “Can I help you?”
  • Do not discuss company affairs off the job.
  • When leaving the office, even for a short period of time, clean up and secure your work space, with special attention to confidential documents. Also provide for the protection of company equipment assigned to you.
  • If you handle money as a part of your job, insist on positive identification before you cash checks, and refuse obviously counterfeit or questionable currency.
  • If you work in a retail establishment or any other business, guard against shoplifting and employee theft within the frameworks of the law. To deter shoplifting, speak to all customers in your area. Be wary of bulky coats, large shopping bags, partially opened umbrellas, and folded newspapers. Know your company’s policy on dealing with shoplifters, and adhere to it.
  • Make certain your employer has clear and adequate guidelines for handling complaints of sexual harassment.
  • Retain security guards, because they provide a substantial deterrent to the criminal’s expectation of success.

NC companies’ secrets at risk, cyber terrorism experts say

Posted on 22, Jul | Posted by RMA

In this day and age, sometimes it is difficult to discern truth from fiction. Greg Baker is an expert in the area of cyber terrorism and a leader in developing public/private relationships that work. In the later years of his career with the FBI, he was the face of InfraGard North Carolina.

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.

We recommend this article on cyber terrorism and data theft. Both Greg Baker and Ryan Johnson provide good insight on the problem and steps that can be taken to lessen the possibility of your company becoming a victim of this costly crime. Take stock of what your company should do to enhance the security surrounding its sensitive and important data. Do some research and don’t be afraid to ask questions. It can be beneficial to have someone from the outside review and analyze the strengths and weaknesses of your company’s network and provide advice on what steps can be taken to secure your company network, systems, and data.

Whether a company works on classified contracts or not, it is at risk of cyber terrorism. Most of the time, companies do not even realize that they may be a target. No one wants to find out that their systems have been compromised, but most either have or will be. How does your company address its cyber vulnerabilities?

Read the original article here.

Meat, tobacco, furniture and surgical products are just a few of the North Carolina exports booming in the Chinese market. North Carolina businesses’ secrets are also in high demand overseas, and cyber terrorism experts say many companies are not doing enough to fend off hackers.


Who’s Watching You?

Posted on 17, May | Posted by Emily Liner

Predators could be spying on you through your computer’s webcam. Criminals are now able to hack in and watch your every move – without you ever knowing it. Scary, right?


We’re all guilty of it: we use our computer, get distracted with something, and just walk away. We forget the computer is still on – and this is the key action criminals are counting on. Now they can access your webcam remotely, watching your most intimate moments from the kitchen to the privacy of your own bedroom. The worst part is, you may never even know.

Not only must we remain aware of our surroundings in public or walking through parking lots and decks, now we must stay vigilant in the privacy of our own home. Though there is little we as the public can do to fight hacking, we are not completely helpless against this threat. The basic solutions are all ones we’ve heard before. Have good anti-virus software on your computer. Do not click any links in your email – especially the ones from “Facebook”. Because Facebook has so many users worldwide, it’s the perfect cover to trick people into thinking the link is legitimate.

The best advice is to learn more about webcam hacking to better understand the risks. Luckily, just like many other appliances and technology, there is a light or another indication that the device is on or in use. Watch your webcam light to know if it has been activated. When it is not in use, cover the lens. This physically stops hackers from watching and recording your activities.


What is Sextortion?

Posted on 19, Nov | Posted by Michael R. Longmire, MPA

Sextortion refers to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion (Source: Wikipedia).

In recent months, we have been hired to assist clients who have made the mistake of hitting the send button and wishing there was some way to “get that photo back.” These cases normally involve men who for one reason or another engage in progressively suggestive text messaging or other digital communications with someone they believe to be an interested female, only later to find themselves paying to keep the communications from being circulated on the Internet or to friends and family members.

Typically, there is no actual intimate contact, and the request for money starts with a small loan sent through a coded Western Union payment. These amounts incrementally increase, as do the threats to expose the client’s indiscretions if the demands for payment are not met.

Federal and local law enforcement report an alarming increase in these criminal extortion cases, but find the victims unwilling to pursue criminal charges. More alarming are those cases where the victims are minors enticed into actual sexual encounters with a pedophile who threatens them after posing as a peer interested in exchanging photos.

Successful investigations require the use of computer forensics, intelligence gathering, surveillance, and effective interviewing skills… and the greed of the suspect who will continue the sextortion until deterred.

RMA Attends InfoSeCon

Posted on 18, Oct | Posted by RMA

Rusty Gilmore attended the eighth annual Triangle InfoSeCon held at the McKimmon Center.

Keynote speakers were Chris Nickerson, Lead Security Consultant at Lares, Stan Waddell, Executive Director and Information Security Officer at UNC Information Technology Services (ITS), and Lance Spitzner, Certified SANS Instructor and Founder of the Honeynet Project.

The Raleigh ISSA Chapter fall conference is a great opportunity to learn more about information security, talk with companies who provide security products and services, and network with fellow information security professionals.

The conference goal is to educate attendees about information security, including executives responsible for regulatory compliance and security, information security professionals, software developers, and anyone who wants to know more about information security.


Apple Unique ID Numbers

Posted on 5, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

Hackers have posted online the unique ID numbers for more than one million Apple devices. As claimed in news reports, the file was obtained through phishing. A hacker intercepted an email sent to several dozen FBI agents. In the header of the email were all of the agents’ email addresses. The hacker crafted emails that appeared to come from legitimate FBI email addresses and sent the email to other FBI agents in hopes of gaining access to the unsuspecting FBI agent’s computer. All that the victim (FBI agent) had to do was open the email and click on a link.

The FBI has denied this event took place or that they even possessed the list. The issue will get muddied because the primary concern will not be who hacked the FBI laptop but why the FBI had the list in the first place or why the list even exists. Until March of last year, 160 million iOS devices had been sold. The hacked list contains information on about 12 million devices and their users. Links to two news stories with more information are provided below.

FBI denies report hackers leak 1 million Apple device IDs
FBI denies link to leak of 12 million Apple codes

How does this affect you? I would not worry about whether or not your iPhone or iPad is on the list. Since the list reportedly contains information on over 12 million devices, I suspect Apple will address the issue in due time. I suggest waiting until the story unfolds and more information is available.

What may happen that is even more of a concern is that you may now start seeing emails about securing your iPhone, providing “instructions” on how to check if your device is hacked, or claiming that your iOS device is on the list. Many of these will be phishing attempts. Under no circumstances should you respond to an email that says you are on the list, not even if the email appears to be from Apple. I would take any concern you have about your device to an Apple representative. Do not rely on an unknown “Good Samaritan” offering to help you by email.



Posted on 4, Sep | Posted by Kevin M. McQuade, CPP

The last few years have brought about remarkable technologies in the way we communicate with one another. There are the old standbys – voice mail, email, and texting – but now people are using Twitter, Facebook, and YouTube just to name a few. These are all wonderful tools to communicate with others, but how secure are they? Nothing upsets me more than hearing that a relative of mine – or anyone for that matter – has updated their Facebook page with information like “we’re going to the beach this weekend” or “I just got home and the husband and kids are out to a movie.” If this isn’t an invitation for a crime I don’t know what is.

Is it that important to let everyone know your business all of the time? When I question these folks, they often tell me that I am just not “with the Now Generation” and I think the worst in everyone. The fact is that these social media forms of communicating are simply not as secure as a phone or face-to-face conversation. There is no way to know who is monitoring you. If you really need to let someone know your whereabouts, try something different – pick up the phone and talk to them. It’s simple, it’s secure, and it’s worked for many years.
