Government

Firing of IT workers over security leak is upheld


It seems the firings of two IT workers at Ohio University last August has been upheld. Tom Reid, former director of communication network services, and Todd Acheson, former UNIX systems manager, were fired after security breaches exposed 173,000 files containing Social Security numbers, names, medical records and home addresses.

The two were not found guilty of, nor were they even accused of, intentionally putting data at risk, but the University Provost stated that they "failed in their responsibility for designing and maintaining a secure network."

Lawyers for the two ex-employees say that Reid and Acheson had been "submitting proposals for years that would have prevented the problems, but the higher-ups at the university refused to implement or fund them." That scenario is not difficult to imagine. If you've ever been in IT and tried to push an initiative through executive management, you know hard it is. This happens very frequently with business continuity issues where top brass doesn't want to spend money on "what-if" propositions.

Do precedents like this scare you? Or do they happen all the time but just don't make the courtroom?

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

46 comments
homeroast
homeroast

Love the hand-me-down blame! I would get an attorney forthwith, particularly a hungry attorney. Pull the proposals and the printed out copies of submissions and rejections. If you're going to get fired, might as well get a good retirement out of it. I am a company man, and believe in loyalty very much. But scapegoating deserves an appropriate response, and you've just read mine...

wayoutinva
wayoutinva

and being able to get things done in a business or educational setting. Windows could be locked down nice & tight..but would people be able to do much on the network..then the politics start over who needs access to what..and the poor admin(regardless of the os used) since he/she does not "own" the network either plays along with the politics or probably is out of a job. How many of you face that delima everday...?

Tom Olzak
Tom Olzak

Putting aside politics for a moment, there is always a balance between security and operational efficiency. The job of a security professional is to identify risks and make recommendations to management. Business managers as the owners of the data must make the decision whether to reject, accept, transfer, or mitigate the risk. Where was management in all this?

boguscomputer
boguscomputer

Yes, management's role is important here. I'm rather surprised by some of the responses, about how everything should be cc'd to a home computer. While I can understand the desire to do so, and certainly some type of record is necessary, it seems to me that cc'ing home important discussions in an organization adds a very large additional security hole for those corporations!

SkatingZebra
SkatingZebra

Several posters have mentioned how security policies can interfere with normal work. This is always the case, and it's never going to change. In many cases the people in charge of the I.T. team don't realize the risks in not implementing security policies, or in circumventing them. Also, anytime you have a large company or organization with a computer infrastructure, they immediately become a target. The only way to completely secure a system is to remove it from any network with external connections, and then put armed guards at the entrances to any entrance to the server room. Even then, guards can be bribed. These firings set an extremely dangerous precedent for more than just I.T. folks. If security people are going to be held accountable at this level, they will have to be much more severe with their security. They will have to have total and unquestioned control of everything within the I.T. infrastructure and will have to lock everything down to the point where productivity will become severely degraded. They'll also have to have lawyers to ensure that, if their recommendations are not implemented or their decisions are overridden, there is a record of who vetoed their suggestions and policies. Since they can get fired at any time for any breach of security, many people will bail out of the I.T. security business; the result will be that those people who remain will demand salaries far above average (required to pay all those legal bills and have a nest egg in case something goes wrong), which will make companies reluctant to hire them. Also, how much do you want to be that these two sue for wrongful termination...and win? That will also make companies reluctant to hire security professionals. In the end, all these firings do is allow some higher-level manager to protect his tuckus without addressing the actual problem. Great management decision there.

Toni Bowers
Toni Bowers

There were no details in the article I referenced either. I guess because the issue is being appealed. However, when I ask if the situation described scares you, in both possible scenarios--the IT pros were negligent or the IT pros continually submitted proposals for tighter security and were denied.

Deadly Ernest
Deadly Ernest

the thread is about the confirmation of their being fired. Any paperwork would normally be at the work place, and can easily be denied, and destroyed by the people who fired them. Thus leaving their arses wide open. Most places it's not allowed to keep copies of work paperwork at home.

Tony Hopkinson
Tony Hopkinson

There's not enough information in it to even make an informed guess.

dbols00
dbols00

Anyone who has ever been in a critical job knows the value of Covering Your A**. Regardless of the operating systems used, if the admins would have had the documentation regarding their recommendations (if they were made at all) they would have been reinstated. If you feel so strongly that your recommendations need to be implemented, you need to take a bit of time to cover yourself. Does their situation require firing? I don't know all of the facts presented at their hearing nor do I know their history at the university. I do know however, to become an admin, you should have learned to CYA at some point in time.

SkatingZebra
SkatingZebra

Tony, we realize that the people whose SSNs were stolen have a serious problem here. However, that's not what this post is about. It's about whether or not the IT professionals should have been fired.

Tony Hopkinson
Tony Hopkinson

the worker, there's not enough details in this article to say. May be there were tossing it off in the server room playing quake, may be they were told encryption would damage productivity, or someone important couldn't figure out decrypt. I notice this article says nothing about the poor buggers whose social security numbers are in someone's hands.

Tony Hopkinson
Tony Hopkinson

this ruling might give us more data protection. If you were a system admin, and you were told a basic security mechanism was too expensive, you're going to want signatures on bits of paper deposited with lawyers now aren't you. I Mr Admin's boss take full responsibility....

Jaqui
Jaqui

no, I think that anyone who dosn't automatically make thesystem as secure as humanly possible should be fired, for incompetence. but then, everyone who insists on using MS products at all would be un employed. MS products cannot be secured completely or even better than 75% [ rpc has to access the internet to find the code sitting on the system to run? talk about not secure and stupid, this network protocol should be using the loopback interface, not a server in microsoft's network ] so all windows admins would need to find jobs.

NOW LEFT TR
NOW LEFT TR

"As part of its efforts, the university will also deploy real-time and scheduled measures for protecting its systems against viruses on every Windows-based server." Why would you leave this out in the first place???

Deadly Ernest
Deadly Ernest

The buck stops at the top boss' office, no matter what. In any management system, it's the responsibility of the manager to ensure their people are doing their job properly, even if that means paying to have external professionals check them out at times - that's what audits are all about. Also, in any work situation, there are many management imposed restrictions via policies, funding, authority to act etc. At a university, it often requires top management approval before significant items, or parts of the IT system can be taken off line for any reason, or any changes of any type can be made. I know of one university where the IT people had to wait 7 months, until after the end of the scholastic year, before they were allowed to make an important change to the network, to improve security. Management policy was no changes during the scholastic year, for any reason. If 90% of the IT dept needs changing, then it implies that there are significant cultural, structural, and policy problems within the IT dept, and that all comes back to the senior management (those above the IT managers) doing their job of corporate guidance properly. In several educational organisations here in Australia, I've seen non IT people constrain IT operations as they were responsible for writing policies, and allocating funds. They issued policies that set out what software was to be used, based on their personal preferences and what deals they could get, not on the suitability for the intended purpose. Restrictions on what types of changes can be made, and when - often based on convenience not operational needs. Then they blame the IT staff for any performance problems created by those restrictions.

ivefallen
ivefallen

"The new organization will ensure that security is properly provided at both central and distributed levels and that all team members are focused on supporting the entire university and its stakeholders," the university said. It noted that more than 90% of its IT organization will be affected by the restructuring. As part of its efforts, the university will also deploy real-time and scheduled measures for protecting its systems against viruses on every Windows-based server." Besides, the whole issue is much less about the targeted platform as it is about security in general. It seems that from reading the articles that certain basic security standards weren't in place to begin with. So, in my eyes, one can cry and scream that "Microsoft sucks", ad nauseum but if an IT department can't spend the time and get the necessary funds to secure it's infrastructure then said department should be overhauled...top to bottom.

NOW LEFT TR
NOW LEFT TR

?MS products cannot be secured completely or even better than 75%? What a load of rubbish. Can you say with 100% (even 75%) that your Linux or other installs are totally secure ? NO. You did not write the code so you can?t. You are just at risk as the MS installs but with some invisible shield that the Open Source / Mac community are all 100% for the cause. Just because you are told it is secure does not mean that it IS secure. And just where did you get this 75% from anyway ? first I have heard. I don?t understand why Linux / Others is famed to be the be all and end all of secure computing when it can?t be proved. To prove something you would need similar install bases ? something that does not exist yet. What happens (say) the day a Linux ?flaw? hits zero-day and no person was prepared. It will happen. You know it and so do I. The key is to do the best you can and not suddenly switch your ?egg basket? from one to another. "So all windows admins would need to find jobs" - you actually see this happpening do you?

jmgarvin
jmgarvin

The difference is that the architecture of *nix is inheriently more secure. Things like user/kernel space are clearly seperated, kernel modules are a god send, and various user issues don't crop up because they CANNOT happen.

Deadly Ernest
Deadly Ernest

I also agree that no system is completely secure, and no system is inherently secure out of the box. However, the majority of Unix and Linux installations are dramatically more secure out of the box, than any MS installation is. This is due to several reasons, the most important being: 1. MS has deliberately built in security holes that they included to make it easier for their other MS applications to run better in Windows, than any 3rd party equivalent. None of these conduits exist in a Unix or Linux system. A large number of the security exploitations in Windows is via these conduits. 2. The default settings for the security related items in the majority of Windows systems is at the least secure option. While the default setting for the same items in Unix and Linux is to have them at the most secure setting. Some time back, I used to work on a high security Internet gateway, we had Linux, Unix, and Windows boxes in the gateway. A lot of them, as it had full redundancy and was well designed. Full DMZ, with AV, IDS, and all traffic going through the back of the gateway, had to be initiated from inside the LAN. Every one of the servers had to be built and hardened. Sometimes we had to replace servers due to hardware upgrades or faulty hardware. To build and harden a Unix or Linux server, took half a day, and used a 5 page instruction sheet. To do the same with a Windows server, took 2 days and used a 50 page instruction book. The big differences being, at the Unix / Linux installation process, we could select items to limit the installation to only what's needed, or wanted on the server. With the Windows, it auto defaults to installing almost everything, and you have to spend ages, going through tricky processes, to remove them. Some can't be removed, and you have even tricky processes to disabled the unwanted services. ----------- On top of this basic problem, you have the MS way of doing business, as against the method used by Unix and Open Source people. MS don't do as much pre-release testing as the Unix and Linux people. Also MS have a monthly security up date issue process, anything new, has to wait until next months release day. While open Source, and Unix companies work on an immediate fix and release for any security issues found. All up, this means that MS Windows has a lower security level than the Unix or Linux products. However, security facts will never, for the majority of people, out weight the marketing hype they see in the media. So people will continue to buy the less secure MS products, as they have better marketing people, with bigger marketing budgets. edited to fix a couple of typos

Deadly Ernest
Deadly Ernest

so it's not hidden. I also know a few people who've worked on the kernel, and they assure me (yes I do trust them) that no such code is in the kernel. Mind you, it's possible for some of the corporate variants to add extra code in to allow this, but I've not heard of a case where they do. Some do have availability of remote access available as applications that operate outside the kernel, and have to be specially selected for loading at installation, or later.

NOW LEFT TR
NOW LEFT TR

that there is not such a system in *nix, but hidden? You don't.

Deadly Ernest
Deadly Ernest

The default installation setting of the Remote Assistance, to allow MS come in and access your system any time they like, all they needs is the IP address. To turn this off completely, by disabling every aspect of it, takes about 15 minutes by closing down various services, applying complex passwords, and locking the accounts. You don't get this with any other OS. How can you get security, when the default setting is an open, remote access full admin account.

jmgarvin
jmgarvin

The biggest problem MS ever created for itself was using RPC for everything. What is that all about? Or they do really stupid things like write in remote plug and play (Zotob). WTF? While you can secure Windows to some extent, it will never be well secured just because of the native and insecure way in which is was written...

Deadly Ernest
Deadly Ernest

but the defaults for the desktop have stayed in the open setting. they claim they'll be closing them in Vista. This still begs the question - Unix, and most DOS based software, had these things default set to the secure options, and they've been pointed out as issues since W95 was released, WHY HAVE MS TAKEN 10 years to react? Makes you wonder, if they had some ulterior motive in having the systems unsecured. Setting some of these setting to the secure option as default, still doesn't close off the designed holes for exploitation by MS applications. That was a bad idea from day one, yet they still have them, and they're still causing problems, over a decade later. I've made Windows servers and networks secure, but it's taken three to five times the resources to do when compared with Unix / Linux set up. It also takes about triple the administration to maintain. With one W2K Adv Svr set up, every patch applied to Windows crashed the system. We soon learnt to not apply patches until we had a super critical one to apply. Then we rebuilt the system, applied all SPs and patches to date, THEN we spent two days hardening the system. The troubled turned out to be, in order to harden the system we removed and closed off services that made the system vulnerable, and some were needed for MS to apply the patch. Great way to do business.

Kjell_Andorsen
Kjell_Andorsen

But even though I'm not exactly a big fan of MS, they have gotten better. Windows Server 2003 was a big step forward security-wise compared to 2k and NT. For instance 2k3 comes with the vast majority of services disabled by default. A properly administered WIndows Based network can be pretty dang secure, but it usually takes know-how and resources.

Tom Olzak
Tom Olzak

It doesn't matter whether you use Microsoft products or not. There's no such thing as a 100% secure network (unless you power it down). In my opinion the only instance in which someone should be fired is if negligence can actually be proved. The compromise of data should not automatically lead to the assumption of negligence.

Kjell_Andorsen
Kjell_Andorsen

As a network admin I have to get approval and funding from management to implement many security measures. In this case it *seems* as if the fired employees had tried to secure the funding for security measures on multiple occasions, but been shot down. It's fine and dandy to say it's our job to make the network secure, but without the $$$ and management backing we're often forced to make do with less than perfect solutions.

stress junkie
stress junkie

It doesn't require a purchase order to tighten file access security. You can keep in touch with new security issues by reading information at various computer security web sites like securityfocus.com. Staying on top of these issues helps you to let your end users know about problems that they can avoid simply by their own actions, such as turning off the preview pane in your email client or not opening emails from strangers. You can implement some open source stuff behind the scenes such as having an email spam filter on a machine that you retrieve from a storage closet. You can do the same thing with network intrusion detection, web proxy, web "nanny" software, performing your own penetration testing, and many other activities that do not require the purchase of any hardware or software. You can easily tighten up wireless networks by having a set of MAC addresses to serve DHCP addresses and deny any other computers a network address. You can ensure that your wireless network is using WPA2 encryption with a very long string as the preshared encryption password. You can put steel plates around WAPs to reduce the signal level that is going outside the building or into another business' airspace in the same building. You can check log files on your systems for problems that could indicate that software is being installed or that people are trying to hack into a system. This is a short list of activities that all system adminitrators should be doing on a regular and frequent basis. None of these activities requires the expenditure of money. You can do a lot to improve security wthout spending money.

stress junkie
stress junkie

That article doesn't have enough details. I was only referring to open source for free solutions. That shouldn't need anyone's approval because we are talking about intrusion detection systems and that sort of thing. I broght this up in response to the argument that management might not approve funding of IDS or web proxy or whatever systems. I think that we probably agree. I just wanted to make a partial list of things that you could do for no money and without anyone's approval.

Kjell_Andorsen
Kjell_Andorsen

Nobody said there's not alot of stuff that CAN be done, much of it at low cost or free, but there are numerous other issues involved with this, in any business such changes still need management approval to be implemented, and often management is leery of open source and freeware solutions. In the article it states that:"Lawyers for the two ex-employees say that Reid and Acheson had been "submitting proposals for years that would have prevented the problems, but the higher-ups at the university refused to implement or fund them." Without knowing the exact nature of the network breach it's hard to say what could or should have been done. But based on currently available information it appears that management failed to follow the reccomendations of the technical staff, then blamed the same techs for not doing what management would not let them do.

Jaqui
Jaqui

security by at least 50% get rid of microsoft software everywhere possible and go with FREE open source. training is a non cost issue with CURRENT versions, it's very hard to tell the difference if you don't look at logos. a few man hours to rewrite macros into javascript for open office from the ms office vbscript. reduction in costs for security software are immediate, no virus threat, no spyware threats, no adware threats, same software for your hardware firewalls is on every open source workstation, so ENTERPRISE class firewalls free on each workstation. you can even be kind to everyone running windows and use an antivirus scanner to remove the viruses they have in their files.

Kjell_Andorsen
Kjell_Andorsen

Your unconditional rejection of Microsoft products and seeming unconditional embrace of open source is too biased and one-sided, and also not practical in a large organization where Microsoft whether you like it or not is the preferred choice for a host of reasons, not only security. Also in this case I'd like to point out that one of the people fired was the Senior UNIX admin, so it appears MS softwarewas not to blame. Also if everyone were to switch to Open source you'd see more malware and viruses targeted towards linux and other threats. Your passion for Open source is commendable from an ideological point of view, but not very practical

Deadly Ernest
Deadly Ernest

the only rounds that can penetrate them are high velocity Depleted Uranium armour piercing rounds, available only to the military, for use against special targets - highly regulated. Simply put, we can't kill the bureaucrats as we can't get access to the right weapons to do it.

Jaqui
Jaqui

are a crime against humanity by default and are subject to immediate execution on site. The NUREMBURG TRIALS proved that and set the precident. ]:) so kill the beurocrats and do what's right.

Deadly Ernest
Deadly Ernest

write policies that limit what you can, and can't, do with the network. These usually include lists of what can and can't be installed.

techrepublic-goo
techrepublic-goo

Management has to blame somebody. Been there, seen it done quite often.

shinderpaljandu
shinderpaljandu

This sure squares me. Like a totalitarian state. Vague "accused of, intentionally putting data at risk, but the University Provost stated that they "failed in their responsibility for designing and maintaining a secure network."" Like a Moscow show trial. Tratfor www.tratfor.com www.adgerlinux.com

kumar_janardhan
kumar_janardhan

This is not a good trend. If the provost can prove beyond a shadow of a doubt that these two could have taken reasonable steps to prevent the loss of data, then he is right in firing them. Its obvious that this person or persons are totally ignorant of how IT security works and how effecient hackers are in bringing systems down. Then again, no matter how good we are, there are a 100s of times more hackers out there trying to overcome the best security every night of the week and then the weekend. The questions is: Were these two employees given the best training available regarding the latest in security? What tools were put at their command to help them do their job ? To me it just looks like finding a convenient scapegoat to avoid the spreading of blame.

georgeou
georgeou

It's very possible they were just being scape goated. Then again a lot of security measures could have been implemented without extra money if you're talking about salary employees. It's very complicated and we would need to look at the specifics in the case.

stress junkie
stress junkie

I agree with you. We need more details to discuss this case in any detail. All that we can really do is discuss what appear to be related issues, and then only in very general terms.

Tom Olzak
Tom Olzak

I agree. I make sure my security analysts keep a document trail, even if it's only email, about every interaction with data owners. We also have a formal process for projects and vulnerability assessments in which we formally document risk and recommendations. The documented recommendations are presented to the relevant data owner for signoff. This signed documentation is kept in a locked cabinet. And this is in an organization in which trust is a core value.

stress junkie
stress junkie

When I have worked as a direct employee I would routinely cc my own personal home email account on emails where some issue was being discussed. Now that I am independent it is easy for me to keep a copy of emails that I send to customers. Any direct employee should have their own personal copy of critical emails kept at their home. I agree with Tony H. that the employees should have been able to produce a substantial amount of documentation showing that they had attempted to address problems over a long period of time and that the management had somehow prevented them from implementing adequate security policies and procedures. Keeping your own records is important. Documentation of your own work is always an asset.

TonytheTiger
TonytheTiger

because the state of Ohio recently implemented a mandatory six-month retention period for email for its employees (I wonder why... :) ).

w2ktechman
w2ktechman

I file everything in personal folder files (.pst) in Outlook. Periodically I copy these to CD. Then I take the cd home (dated). But I also keep a backup copy on an external HDD which has all .pst files on it. and I keep that in a locked cabinet at work.

Tony Hopkinson
Tony Hopkinson

some documentary evidence to their proposals, course that could have got lost as well. As you say more data required.