Tuesday, May 12, 2009

Losing your infosec innocence

A lot of people talk about how cool my job must be and really want to get into the security field. Well, not that I blame them, but there are parts of this job that are really tough. And it's usually the thorny emotional painful stuff that's the toughest.

A good part of the job is keeping secrets, because as the security officer, you're privy to a lot of behind the scenes info. Often painful info, like who's under investigation, who's about to get fired, or what huge horrible screw up is being whitewashed over. And no, we can never ever talk about that kind of thing, so it sits inside of you and stews.

Then there's the especially nasty stuff, like doing forensics and analysis on what people might have thought was private. Then you uncover a lot of icky personal private details - things you warned them not to put on corporate systems (assuming you have a solid acceptable usage policy). I'm not just talking about reading emails between husband and wife at home (cuz that's happened too), but graphic sexual messages between two co-workers having an affair. The kind of stuff that makes you feel like taking a shower afterwards. And because it's not directly part of your investigation, you may delete it and move on - hopefully pretending you never saw it to begin with. At least on two occasions in my life, I've had to do digital forensics on computers owned by recently deceased friends. A lot of this kind of baggage, I pour back into the Heidi stories.

Now, no time is worse than your first time. How did I lose my infosec innocence? Although I've been in security off and on for about 20 years, and having it directly in my job title for the past eleven, I really lost my security innocence about ten years ago. I won't go into details (because you never can), but the upshot was I developed a specialized tool (now it's a standard product) that detected installs of inappropriate software on workstations. Inappropriate doesn't mean games or pr0n, I mean hacking tools and such. My tool fingered someone, a co-worker. We weren’t close friends, but he was someone I liked and was part of the gang who went drinking after work. It was someone who I found interesting and pleasant to work with. But also someone who really shouldn't be loading that kind of software, especially in the type of secure environment we ran.

Now, I'd been involved in firings before - hard to be in IT any length of time and not be directly in the loop as someone is marched out the door. But in this case, I had to be the policeman and the prosecutor for the case. I had to present my evidence to his boss, interview his co-workers (who I also knew) and then discuss the matter with internal audit and outside counsel. Then it was left to me to damn him and advise my superiors that he be terminated immediately. They took it a step further and called a company meeting to discuss what had happened and why this sort of thing would not be tolerated. It was totally the correct thing to do from a security perspective and the best thing for policy and morale. But I still felt like a rat. And I still feel like a rat.

This is a hard job and a lot of what's tough about it, they don't teach you in a classroom.


Not Revealed said...

Been working in the Security field for 8 years, innocence lost 2 years in.

I was a security engineer when the CISO asked me to dump a user's browser history over the network. The user had numerous violations of the AUP and was running an eBay business from their workstation. I was asked if this was an excessive use of the organization resource for personal gain, I said yes, and that sealed the deal.

Perhaps their eBay business took off or they found a new job, either way the individual had to go home and tell their spouse that they weren't working anymore.

I wouldn't say it haunts me or keeps me up at night, but all things being equal I'd rather have been doing a risk assessment or design doc.

Kelly Keeton said...

I remember mine, but it was so bad you felt good taking them down. I still had to deal with it however.

On a side note if you feel like a Rat, check if you have a tail. It might not be a rat tail but a pig tail in that case you just have swine flu.

This also sounds like a chapter of Heidi Geek.

miss you ray:)

Jennifer said...

I'm not in the security area of IT but in my IT days, I can share that I got a frantic phone call one day from a close friend asking me how he can remove all his browser history because his IT team had reported his excessive use viewing P0rn sites at work.

It doesn't matter if I helped him or not because shortly after that he got caught with his pants down, literally, looking at naughty sites. Some people never learn!

By the way, I'd love to republish your article to over 30,000 IT professionals. Let me know if you will allow me to do so.

Cheers -