Immersion Break (Thanks NIST)
Hey Demonites! (and Demonots)
Yours truly has been busy with studying for exams, taking care of his family for the holidays, and working on a super secret project for a certain someone. It’s been over a week since the last article, and while that’s happened before, I hate to do it. So let’s get tongue-in-cheek with a very tiny slice of the pie I’ve been saddled with in regard to that certification I’m chasing, which is apropos of my personal situation. I’ll try to inject some humor into it, but it’s kinda dry. In any case, I could certainly use a…
Mandatory Vacation
Boy, it sure has been a month for mandatory vacations, hasn’t it? Everyone seems to be catching them these days. ’Tis the season for stress, short tempers, and harebrained policy updates. What many of you may not know, however, is that the mandatory vacation is an important tool in the arsenal of the security professional. One of the biggest threats to organizations large and small is the malicious insider. The potential for tangible and intangible losses is immense, whether you are running something like a hotdog stand, a secure government facility, or even highly sensitive critical operations like a Discord server or fandom website. The risk spans the entire CIA triad (Confidentiality, Integrity, and Availability): a malicious insider can steal your secrets, damage your data, and take down your services, and many times they hold the explicit permissions and access that allow them to do so. That is what makes the insider different from an external attacker: there is no perimeter to breach, so the controls have to work on people who are already inside it.
While there are many controls you can put in place to mitigate the insider threat, such as separation of duties, least privilege, need-to-know, two-person controls, and job rotation, we’re going to focus on the mandatory vacation control, which is gaining popularity. NIST Special Publication 800-12 (section 10.2.3, Detecting Unauthorized/Illegal Activities) covers some of the benefits of mandatory vacations in detecting unauthorized and illegal activities, but we’ll expand that scope to include the mutual benefits to all parties. For the purposes of this examination we are going to assume that the mandatory vacation is in the form of PTO. It wouldn’t exactly help morale to force someone to go a full week or more without pay. Might as well just fire them.
The Beast of Burden - Many organizations have employees that simply take on too much work and represent a single source of too much institutional knowledge. Many employees like to view themselves as someone who, if fired, would cause the whole organization to become significantly less functional or fall apart. The beast of burden is the real deal. Let’s call the beast of burden Bob; I like Bob. It is not a good idea to allow a team member to become Bob. They could do too much damage if they became a malicious insider (indeed, doing too much work and being leaned on too hard can create the feelings of resentment that could cause them to become malicious), but they also may just develop an illness, or get hit by a bus. When Bob leaves the organization, everyone feels it. A mandatory vacation policy is great at detecting Bobs within your organization, as it directly dry-runs Bob’s sudden absence. You could notice that your social media metrics decrease drastically if Bob exists in your communications department. Tweeting is very important for society. This is an excellent opportunity to realize the need to hire more help, or to scrutinize the contributions of the other members of Bob’s team. Bob also gets much-needed time off that Bob rarely gets, because Bob tends to take on too much willingly as part of his character, and Bob’s team members are usually happy to oblige.
Ton - Is a reference to the porky, abusive boss of the point-of-view character in the show Aggretsuko. Ton is aggressive, confrontational, bullies his staff, and pushes his duties off on them. Aside from the office brown-noser, no one really likes Ton, and he acts as a boat anchor on his staff’s morale that they have to compensate for. Many organizations have a Ton in need of correction. The team member that takes over Ton’s duties during his mandatory vacation is in a prime position to discover this type of behavior. Personnel that replace managers as part of mandatory vacations should have at least some training in reading the room in matters of morale, and in looking for the telltale behaviors in staff that appear when a Ton is in charge. Ton may already be a malicious insider, but his behavior is also likely to build resentment in his team and can create one or more malicious insiders via his inappropriate management techniques. Use mandatory vacations to weed out Ton. Sometimes Ton can be corrected, and that helps a Ton.
Karen from HR - Karen is a term most of us are familiar with by now. This specific flavor of Karen is not the overtly confrontational and unhinged employee or customer; that tends to be Ton. Karen from HR is the employee that leverages her position of trust to spread rumors and manipulate or intimidate staff, usually both. Karen may actually be in HR, or have a social status that typically allows Karen to avoid scrutiny for these behaviors. Karen from HR is not a problem that can be wrangled with a single control, but a mandatory vacation is an important detective control that can reveal this behavior in the first place. Similar to Ton, behaviors Karen has gotten staff accustomed to may seem peculiar and out of place to her relief. Karen from HR is part of a much larger discussion around the dangers of allowing cultures of hearsay (rumor mills) in your organization, but that is out of scope. Suffice it to say that sipping tea as a corporate activity is very likely to create problems.
Illegal/Unauthorized Activities - During a mandatory vacation it is standard practice to evaluate and audit the activities of employees that have elevated privileges. So far we’ve talked about what may create a malicious insider via routes of morale reduction and resentment. This category is more directly harmful. One of the primary functions of a mandatory vacation is to provide a window for heavy auditing and scrutiny of employees in high positions of trust, and the window only works if the employee is actually out: a fraud that needs daily tending (rolling over a fake vendor payment, re-hiding an altered record) surfaces when the person tending it is unavailable and cannot log in to keep it going. When you talk about malicious insiders it’s easy to get the mental image of some deliberate infiltrator. Corporate espionage does exist, and sometimes it even takes the form of investigative journalism or eager volunteers. It is possible that some of your team members sought their position specifically to acquire and exfiltrate data or sabotage operations. Just like Karen, many administrative and technical controls are required to appropriately mitigate this threat, but the audits conducted during a mandatory vacation are an important discovery tool.
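As an added example (this is not part of the original post and not anything NIST publishes), here is the kind of detection logic that gives a mandatory-vacation audit teeth. Two checks are run over an audit log: any activity from an account whose owner is supposed to be out is itself a finding, because the account should be idle for the whole window (either the owner is working through the vacation, which defeats the control, or someone else is holding the credential); and privileged activity inside the window is tallied per account so the relief has a worklist to review against tickets and business reasons. The log format, the roster (bob, alice, carol), the leave dates and the action names are all constructed for the illustration; a real SIEM or identity-provider export has its own schema.

```python
"""Detection logic for a mandatory-vacation audit window.

Added example, not from the original post. The log format, roster and
event names below are constructed for illustration; a real SIEM or
IdP export will use its own schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed roster: user -> (leave_start, leave_end), ISO-8601 UTC, end exclusive.
ON_LEAVE = {"bob": ("2024-12-16T00:00:00Z", "2024-12-23T00:00:00Z")}
# Constructed list of accounts holding elevated privileges.
PRIVILEGED = {"bob", "alice"}

# Constructed audit lines: "<timestamp> <user> <action> <detail...>"
SAMPLE_LOG = """\
2024-12-10T08:00:13Z bob login ok src=10.0.0.7
2024-12-16T09:02:11Z alice login ok src=10.0.0.5
2024-12-16T22:14:03Z bob login ok src=203.0.113.9
2024-12-16T22:16:40Z bob db.export table=customers rows=48211
2024-12-17T10:00:00Z carol login ok src=10.0.0.12
2024-12-17T10:05:00Z carol payroll.approve batch=42
2024-12-18T03:30:00Z alice sudo cmd="rm /var/log/audit/audit.log"
2024-12-23T08:00:00Z bob login ok src=10.0.0.7
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated log format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *rest = line.split(" ", 3)
        events.append(Event(parse_ts(ts), user, action, rest[0] if rest else ""))
    return events


def on_leave_findings(events: list[Event], on_leave: dict) -> list[Event]:
    """Every event by an account whose owner is on mandatory leave.

    Reads count as much as writes: the account should be idle, so a login
    alone means the owner is working through the vacation or someone else
    holds the credential. Activity before or after the window is ignored.
    """
    findings = []
    for e in events:
        window = on_leave.get(e.user)
        if window is None:
            continue
        start, end = map(parse_ts, window)
        if start <= e.ts < end:
            findings.append(e)
    return findings


def privileged_activity(events: list[Event], privileged: set, window: tuple) -> dict:
    """Per-account action counts for privileged accounts inside the audit window.

    This is the worklist the relief reviewer goes through, looking for actions
    with no ticket or business reason behind them.
    """
    start, end = map(parse_ts, window)
    counts = defaultdict(Counter)
    for e in events:
        if e.user in privileged and start <= e.ts < end:
            counts[e.user][e.action] += 1
    return {user: dict(c) for user, c in counts.items()}


def run(text: str = SAMPLE_LOG, on_leave: dict = ON_LEAVE, privileged: set = PRIVILEGED) -> dict:
    """Run both checks; the audit window is taken to be Bob's leave here."""
    events = parse_log(text)
    window = on_leave["bob"]
    return {
        "on_leave_activity": [(e.ts.isoformat(), e.user, e.action, e.detail)
                              for e in on_leave_findings(events, on_leave)],
        "privileged_activity": privileged_activity(events, privileged, window),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the sample above, the two logins and the export from the on-leave account (one of them from an outside address, the 203.0.113.9 line) are the findings, while alice's overnight deletion of the audit log is not flagged by the leave check but lands in the privileged worklist for the reviewer; the login after the leave ends is deliberately not a finding, which is why the window end is exclusive.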
Echo Chambers - A mandatory vacation does not mean the work simply goes undone. Someone has to take over the responsibilities of the missing team member, and it is important that, whenever possible, an outsider is brought in to take over these responsibilities. One function this serves is essential cross-training. What if Karen from HR is the only HR employee? That gives Karen a dangerous amount of power, but it is not uncommon to find smaller organizations whose HR department is just one person. Another function is to detect social networks that inhibit business goals. One of these social networks is the echo chamber. Echo chambers form when a team becomes too insulated, physically or socially, from the rest of the organization. This is incredibly common with IT staff, and if you’ve ever had an IT department whose attitude suggests they think the organization would be better off without ‘users’, you’ve encountered this. Echo chambers, when left unchecked, can adopt goals that are not in line with, or are even counter to, organizational business goals. They become self-interested, spending organizational resources for their own gain. Outsiders brought into these echo chambers will find them quickly. Members of an echo chamber are frequently unaware they’re in one and will readily share their outlook with a new face.
Bennies - It should be obvious by this point how mandatory vacations can be a powerful tool in detecting misbehavior, but sometimes your team members just need to recharge their batteries, recover from or avoid burnout, have extra time for their hobbies and families, and so on. Mandatory time off can be and should be included in a summary of employee compensation. Because it takes longer to audit employees in positions of trust, and they tend to be paid more, it isn’t unreasonable to give them longer mandatory vacations. The usual guidance is that a week is the minimum time for a mandatory vacation to achieve the benefits described here; anything shorter and a Bob can simply defer his work, and a fraud that needs tending can wait it out.
I’m going to go enjoy my mandatory vacation now. There is not a single bit I won’t lean into. o7.