Clean Break: Block Ex-Employees' AccessTrack All Joining, Moving and Leaving Activity - Or Else, Experts Warn
When an employee exits the organization, it's essential to make sure their access rights don't go with them.
Too often, however, organizations fail to keep track of what individuals have access to while employed - or to monitor and refine that access as necessary. As a result, they're at greater risk of failing to spot malicious activity by insiders or former insiders who might still be accessing corporate resources.
"Unfortunately this is still a common issue," says information security expert Brian Honan, who heads Dublin-based BH Consulting. "Many companies leave ex-employee's accounts active in case they need to access something within the account, rather than take the time to manage the leaving of the employee in a more secure manner."
Examples abound, including Chelsea Manning, the former U.S. Army private who was found guilty of accessing information she wasn't authorized to view via the Defense Department's Siprnet network and leaking the classified data to WikiLeaks. Likewise, Edward Snowden, the former National Security Agency contractor, reportedly tricked a civilian NSA employee into entering his public key infrastructure password into Snowden's system, in violation of NSA security rules. "Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information," according to a February 2014 NSA memo.
Too Much Access
Or take Jérôme Kerviel, the 31-year-old French trader who was convicted of causing losses of €4.9 billion (then worth $7.2 billion) in 2008 at banking giant Société Générale, after gambling €50 billion (worth $73 billion) of the bank's money on trades that the bank allegedly didn't know about.
David Stubley, CEO of the security consultancy 7 Elements, based in Edinburgh, Scotland, says part of the problem was that Kerviel's previous access rights at the bank hadn't been curtailed. "Basically he held a back-office role prior to becoming a trader and used this legacy level of privileged access to hide his activity," he says. "Clearly on moving roles his level of access should have been reviewed and any privileged access removed and aligned to the requirements of the new post."
Kerviel was convicted of computer fraud, forgery and breach of trust in 2010 and served a three-year sentence, losing an appeal to have the conviction overturned. But last year, a court ruled that instead of having to repay the amount he'd lost, he would only owe the bank €1 million ($1.1 million).
Large businesses aren't the only entities at risk. This month, Jason Needham, 45, the co-owner of a small engineering firm in Arlington, Tennessee, pleaded guilty in federal court to snooping on his former employer - now competitor - for two years (see Former Employee Kept Accessing Engineering Firm's Servers).
Needham "admitted to accessing, on hundreds of occasions, the email account of a former colleague," through which he gained access credentials that allowed him to spy on the firm's rival bids and other sensitive information, prosecutors say. It's not yet clear how Needham was able to access the account.
Watch for Reused Credentials
Unfortunately, it's not always easy to tell when someone has either loaned out or lost control of their access credentials.
"Understanding when employees have shared credentials can be tricky, as it's not as if each computer has a camera that can be used to verify their actual identity," says CEO Jamie Graves of Edinburgh-based cybersecurity software vendor ZoneFox. "However, there are ways in which you can get an indication of when this type of activity has occurred."
Creating a baseline - defining what normal behavior looks like, including logins - is key so that any anomalies can be flagged, he says.
"We helped an automotive engineering company where their entire team of engineers has shared the domain admin password," he says. "We were able to figure this out by monitoring how and where this account was being used. The fact that it was used on multiple systems at the same time, along with really odd patterns of login and logout activities, tipped us off. In addition, we could see individuals turning off key services and security controls and accessing areas outwith their department or area of concern."
Honan, who serves as a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol, says that monitoring systems should be able to correlate when an employee's account is being used to log in, even if they're on vacation, out sick or using a device they would not normally use. Regular password changes can also help block credential reuse, he says, but stronger measures are often required.
"For sensitive accounts, such as administrator accounts, companies should look at implementing two-factor authentication solutions," he says.
Track: Joiners, Movers, Leavers
As with so many aspects of information security, planning ahead is essential, as is regularly reviewing the accuracy of documentation.
"One of the core control areas here would be organizations having an effective 'joiners, movers and leavers' - often abbreviated to JML - policy and underlying process in place," says Stubley at 7 Elements. "This should capture the removal of access rights as part of the leavers process, but an often missed component is reviewing and adjusting the level of access that an employee has when moving roles internally."
Honan offers additional advice: "We recommend that clients maintain a list of all systems that an employee has access to and the levels of access they have. Also, a list of what devices they have should be maintained, particularly any items such as two-factor authentication devices, keys or swipe cards to company premises, and mobile devices."
Such a list must be kept updated. When an employee voluntarily leaves - or gets fired - the list then comes into play so that administrators can immediately revoke the individual's access to all systems they manage. Honan says all of the employee's remote or mobile devices should also be retrieved or else remotely wiped, for example, via mobile device management tools.
Don't Forget Physical Security
Also don't forget physical security concerns, Honan says. "Organizations should consider whether they need to change the PIN codes for alarm systems or other physical security controls, and the reception desk should be informed when an employee has finished their employment and should not be allowed back into the premises unescorted."
It's easy for an employee to leave an organization. But unless everyone else in the organization who administers systems and the physical premises reacts correctly, the ex-employee might still be able to find their way back in.