Out-of-Office Messages are a Security Risk


Every once in a while I get asked why I don’t have an out-of-office message for my email or voice mail. Truth is, I’ll often monitor my email even when I’m out, though I try to practice good operations discipline by not responding. Just as intermittent problems with computer systems are hard to deal with, a staff member who is supposed to be gone but isn’t acting like it is just as confusing. Humans can, and should, drain-stop and remove themselves from the cluster for maintenance, too.

Sometimes I’m really out of the office, though, crawling around in the backcountry wilderness or on an island somewhere. I’ll do it if I have to, but even then I don’t like setting an automatic response. There’s no way to do it that doesn’t leak information to a would-be attacker.

“I’m out of the office.” I’m saying that I’m probably not watching my email, my computers, or my accounts closely, so now is a good time to drain my bank accounts, install malware on my PCs, and social engineer my coworkers.

“I’m gone between dates X and Y.” You’ve got that long to defeat my security without any active opposition from me. The length of time also hints at whether I’ve traveled somewhere, which means someone can break into my house unnoticed. The delay in discovery lets evidence of the break-in, like fingerprints, degrade, and allows secondary damage, like rain coming in through a broken window. If I’m the only one traveling, it may also endanger anyone still at home.

“I’m hiking the Inca Trail to Machu Picchu.” Now I’ve given it away, and on top of it I’m bragging, too. To quote Peter Quill from Guardians of the Galaxy, “what an a-hole.”

“Contact somebodyelse@company.com with urgent needs.” They now know more about the team structure and can do some social engineering: “Before he left, Bob told me you could get me an account on system X.” Plus you’re unfairly burdening someone else, and forcing people to make value judgments about urgency, too.

You might be saying “Bob, you’re nuts. I don’t have would-be attackers, I have customers.” I’ll agree with you, but I’ll also say that it isn’t like an attacker is going to advertise themselves. It’s a fine line. Use your head.

  • Set the autoresponse to the smallest group possible. In many cases you can narrow it down to coworkers, and/or have a different message for people inside your organization than outside your organization.
  • Only reply to messages that address you specifically in the To: or Cc: field, and only reply to the original sender, never to a mailing list or to mail that was itself generated automatically (another autoresponder, a bounce). This helps prevent loops and extra email.
  • Only reply once a day per person. Chances are they can remember that for a few hours.
  • Test it by sending yourself some email from a different account.
  • Don’t tell people anything more than they need to know. Does everybody really need to know where you’ve gone and how long? Probably not. You’re just gone.
  • Recommend standardized alternatives if you have them, like “Please contact our Help Desk” or “Email the team list.” The personal relationship you have with your customers may not extend to others on your team, so don’t make assumptions. Besides, with you gone the team may be understaffed and dealing with personal, one-off requests will strain both them and the customer.
  • Make sure the team knows that just because someone says you said something doesn’t mean you actually did. Always evaluate every request independently. “Sorry, Bob is out, who is your manager? I need to call and have them email me authorization for this so we have a record of it.” Don’t be afraid to put something on hold until you get written confirmation. If it’s as urgent as they say they’ll find a VP or a C-level to clue you in. If you get any static from those VIPs don’t get flustered, be polite and tell them that it’s standard security practice to corroborate requests. Would you give keys to your house to random people who knocked on your door? No, no you wouldn’t.
  • If you’re gone be gone. I understand the urge to help, especially if you are watching your email and it looks like something bad is happening. Don’t reply, work through a team member. “Hey Joe, I just saw that email about system A that’s broken. I’m not going to do anything here because I just found some WiFi and checked my email, but if I were there I might look at X or Y first, that’s what the problem has been in the past. Good luck.” Do you want to ruin your vacation by having to own and work a problem? I bet not. Let the people at home handle it.
  • Tell the team to make a list of anything they have trouble with because you were gone. Don’t take any of it personally, this is a great opportunity for cross-training and documentation if you don’t have it. Banks often have a policy that people in sensitive positions be gone for at least two consecutive weeks to expose fraud and embezzling, among other things. Given the Internet it’s hard to cut a sysadmin off like that, but at least you can use it as a way to find gaps in processes and documentation.
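As an added example (my own code, not something from the original post), here is the decision logic for an autoresponder that follows the rules above: it gives coworkers and outsiders different text, answers only mail that names you in To: or Cc:, replies only to the one original sender, skips lists and anything that was itself sent automatically so it cannot loop, throttles to one reply per sender per day, and keeps the text to a pointer at a standardized alternative. The addresses, domain, reply texts and sample messages are assumed placeholders constructed for the example; plug the two functions into whatever delivery hook your mail system offers.

```python
"""Decision logic for a loop-safe, need-to-know vacation autoresponder.

Added example; not code from the original post. The addresses, domain,
texts and sample messages below are assumed placeholders.
"""
import time
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

MY_ADDRESSES = {"bob@company.example"}   # assumed: the mailbox being covered
INTERNAL_DOMAIN = "company.example"      # assumed: coworkers' mail domain
REPLY_INTERVAL = 24 * 60 * 60            # at most one reply per sender per day

# Coworkers get a pointer at the team list, outsiders only the Help Desk.
INTERNAL_TEXT = "I'm out. For anything that can't wait, email the team list."
EXTERNAL_TEXT = "I'm out. For urgent requests please contact our Help Desk."


def should_autoreply(msg, seen, now=None):
    """Return (sender, text) if msg deserves an automatic reply, else None.

    `seen` maps sender address -> time of the last reply sent to them and is
    updated in place whenever we decide to reply.
    """
    now = time.time() if now is None else now

    # RFC 3834: never answer mail that was itself generated automatically
    # (other vacation replies, bounces, monitoring). This is what stops loops.
    if msg.get("Auto-Submitted", "no").split(";")[0].strip().lower() != "no":
        return None
    # Mailing-list and bulk traffic is not addressed to me personally.
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return None
    if "List-Id" in msg or "List-Unsubscribe" in msg:
        return None

    # Only reply when I am named in To: or Cc:, never for Bcc or alias delivery.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if not recipients & MY_ADDRESSES:
        return None

    # Reply to the one original sender, preferring the envelope sender.
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    if not sender or sender.startswith(
            ("mailer-daemon@", "postmaster@", "noreply@", "no-reply@")):
        return None

    # Throttle: once per sender per interval, even if they keep writing.
    last = seen.get(sender)
    if last is not None and now - last < REPLY_INTERVAL:
        return None
    seen[sender] = now

    internal = sender.endswith("@" + INTERNAL_DOMAIN)
    return sender, (INTERNAL_TEXT if internal else EXTERNAL_TEXT)


def build_reply(original, sender, text):
    """Compose the reply, marked so other autoresponders will ignore it."""
    reply = EmailMessage()
    reply["From"] = next(iter(MY_ADDRESSES))
    reply["To"] = sender
    reply["Subject"] = "Auto: " + original.get("Subject", "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"   # RFC 3834 marker, prevents loops
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    reply.set_content(text)
    return reply


# Constructed sample messages for a self-check (not real mail).
COWORKER = message_from_string(
    "Return-Path: <alice@company.example>\nFrom: Alice <alice@company.example>\n"
    "To: Bob <bob@company.example>\nSubject: server A\n"
    "Message-ID: <1@company.example>\n\nhelp\n")
CUSTOMER = message_from_string(
    "From: Carol <carol@customer.example>\nCc: bob@company.example\n"
    "Subject: invoice\n\nhi\n")
LIST_MAIL = message_from_string(
    "From: alice@company.example\nTo: bob@company.example\n"
    "List-Id: <ops.company.example>\n\n")
OTHER_OOO = message_from_string(
    "From: dave@partner.example\nTo: bob@company.example\n"
    "Auto-Submitted: auto-replied\n\n")
BCC_ONLY = message_from_string(
    "From: eve@customer.example\nTo: sales@company.example\n\n")


if __name__ == "__main__":
    seen = {}
    for m in (COWORKER, COWORKER, CUSTOMER, LIST_MAIL, OTHER_OOO, BCC_ONLY):
        decision = should_autoreply(m, seen, now=1_000_000)
        print(m.get("From"), "->", decision and decision[1])
```

Running the self-check shows the coworker getting the internal text once (the second copy is throttled), the customer getting only the Help Desk pointer, and the list mail, the other autoresponder's reply and the Bcc-only message all being ignored.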

If you are a manager of people I implore you to enforce the “if you’re gone be gone” policy with your team. Studies increasingly show that people need downtime as well as balance in their lives. Setting an example of this behavior, as well as being serious about the “we’ve got this” attitude while folks are gone, is important. Especially with the “Brents” of the world, if you’ve read The Phoenix Project.

And yeah, maybe it will stink with them away, but then you know what the team needs to work on.

Good luck!


  • Thanks for reading this. I’ve been watching the feedback, and many of you would probably be surprised to learn that I don’t really think that OOO messages are a serious security threat in comparison to things like the complete lack of patching and lack of password hygiene in organizations. That said, sharing unnecessary information with others has serious risks, and if my post gets people to think about that I’m happy.