Think your network is secure if you’re able to fend off the ever-growing barrage of hackers? Think it’s even
safer if you monitor employees to make sure they’re not up to no good?
Industry analysts say you probably do. But they also say that you’re most likely wrong.
Of course hackers and employees are the source of a lot of security threats. What many IT and security
administrators fail to account for, though, is the severity of the threat coming from former employees. That’s
right… all those people who used to work for the company, accessing databases and critical financial and
personnel information, are out there now with all of that intimate information about the network. And making
it that much worse is the fact that IT often fails to shut down all of their access points.
That means people who might have an axe to grind with the company or who might be working for a
competitor now have critical knowledge about and access to your network.
“Someone with inside knowledge is going to be able to do more harm than your standard run-of-the-mill
hacker,” says Eric Maiwald, a senior analyst with the Burton Group, an industry analyst firm based in Salt
Lake City, Utah. “We know that the majority of harm, at least things that cost a lot of money, occur because
of insiders. If they have the same access as before, they have motive, means and opportunity.”
And according to a 2005 survey done by the U.S. Secret Service in conjunction with CERT, more former
employees than most might imagine are taking advantage of that opportunity.
The survey shows that of the insiders who cause security breaches, 59 percent were former employees or
former contractors. Of those, 48 percent had been fired, 38 percent had resigned and 7 percent had been
laid off.
And the survey also shows that the people with the most knowledge about the network — the IT
professionals — can be a significant threat once they leave the company.
Most of the former employees who broke into the corporate networks had been employed full-time in a
technical position, according to the study. Thirty-eight percent were system administrators, while
programmers made up 21 percent; engineers made up 14 percent and IT specialists made up another 14
percent. The survey also showed that 10 percent were from professional positions, such as editors,
managers and auditors.
Knowledge Can be a Dangerous Thing
“Think about the amount of time it would take for them to access the data,” says Gary Shah, network
engineer for Edison, N.J.-based NaviSys, Inc., a software development firm. “They know the location of the
data. After gaining access to the system, the amount of time it would take them to get to the data would be
insignificant compared to an outside hacker who would have to make his way through the system to find
where the information is.”
Shah says the risk always increases if the person was fired or laid off, as opposed to leaving willingly for a
different or better job. Anger or resentment can be powerful emotions that lead people to doing things they
wouldn’t normally even consider. And it also may make them less fearful of being caught or prosecuted.
Nelson Cicchitto, chairman and chief executive officer of Avatier Corp., a San Ramon, Calif.-based
company that focuses on identity and access management solutions, says there are many ways for
someone to either take revenge on or take advantage of a former employer.
“They could take the corporate address book and they could give that to hackers so they could drive
individual employees and target them specifically,” says Cicchitto. “If they [had worked] in finance, they
could post people’s salaries on the Internet. If they worked for a credit card company, they would have
knowledge about how to get to customer information. They could sell that information to competitive
companies and if they still have access, they could get to that data themselves.”
And now companies are under the gun even more to cut off any stray points of access that are still
lingering on their networks. Sarbanes-Oxley, the federal law focusing on public company accounting
reform, calls for the removal of access once an employee has left the company, according to Cicchitto.
“An auditor can come into your organization and say ‘This person had access to payroll but now she’s in
HR.’ The auditor can request a look back, and people in the company need to go back and see what was
accessed in the accounting files after she left that department. How was that ID used once she left the
department? If it was used, was any data modified? If she did, then that could be grounds for firing.
“Think of the amount of work that a large organization would have to do to figure out what was done with an
account after someone was terminated,” he adds. “The smart thing is to terminate that account
immediately and then you can show the auditor that the account was immediately disabled.”
Removing Access
But users and analysts alike say it’s much simpler to say that access needs to be shut down
than to actually get every single access point closed up within a reasonable amount of time.
Cicchitto says the biggest part of the problem is that generally one person is not in charge of all the access
points. Getting the shut-down request to a long string of people can be cumbersome — and often not even
thought of — if a process isn’t already in place.
“You have email within this company but the mail administrator is not necessarily the same person who
manages passwords and access,” he explains. “When you disable logon permissions, it does not
automatically disable the mail. You usually have to go in and hide the mailbox. Now we’re up to two
different people. Now let’s look at access to files and printers. The people who manage that aren’t
necessarily the same as the other two people.”
Neal Creighton, chief executive officer of GeoTrust, Inc., a major digital certificate provider based out of
Needham, Mass., says it’s a complicated process that needs to start out with the people in HR and move
down through several layers of IT. To make that kind of process work, steps need to be thought out and
laid in place, and automating it would be even better.
“It’s the amount of bandwidth it takes — the amount of time it takes to get this kind of thing done,” says
Creighton. “The more automated you can make things, the better off you’re going to be. If it requires
people to go through and change permissions, it’s going to be harder. But if someone in HR makes a
change and it runs down through the software that takes care of access, that’s much more efficient. In large
organizations, there’s an awful lot of comings and goings to take care of.”
The Burton Group’s Maiwald says timing is everything.
How soon should access be shut down? Should it be shut down before someone is given the axe or a pink
slip? If a worker resigns, how soon should her email account and other accounts be shut down?
They’re all good questions, according to Maiwald, but none of them have cut-and-dried answers. “It’s easy to
say but I would like to see it done within 24 hours,” he adds. “Reality intrudes, though, and it turns into… it
needs to be done as soon as it can. Because it takes time to do these things, and it may take longer than
you would wish. Ideally, if you knew the employee was leaving on the 15th, then I’d have it set up ahead of
time so on that day he’d no longer have access. If you’re terminating that employee, one of the stops on the
way to his office is to the administrator to shut off his access.”
It gets tricky when executives don’t want someone to get any warning signs that he’s being fired. If access
starts to shut down, it’s going to tip him off that something is going on. But that concern has to be weighed
with the need to have access terminated before he gets home that day — angry, most likely — and tries to
see if he can still get onto the company network.
And if the person being let go is in IT, then the stakes are that much higher, Maiwald notes.
“If you are laying off or terminating people who have administrative access, now you have a much larger
job,” Maiwald says. “You’re changing system logins and root passwords and administrative passwords
for things like routers and switches and that becomes much more difficult.”
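
The look-back audit and the cross-system shutdown described above can be checked mechanically. The Python sketch below is an added example, not something from the article or the people quoted in it. It assumes HR supplies termination times and each system (directory, mail, file share) can export when an account was disabled and when it was used; all names, systems and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # the 24-hour target quoted in the article

# Constructed sample data; the names, systems and timestamps are illustrative only.
TERMINATIONS = {  # from HR: user -> termination time
    "jdoe": datetime(2024, 3, 15, 17, 0),
    "asmith": datetime(2024, 3, 15, 17, 0),
}
ACCOUNTS = [  # one row per system, each typically owned by a different admin
    # (system, user, disabled_at or None if the account is still enabled)
    ("directory", "jdoe", datetime(2024, 3, 15, 17, 5)),
    ("mail", "jdoe", None),
    ("fileshare", "jdoe", datetime(2024, 3, 18, 9, 0)),
    ("directory", "asmith", datetime(2024, 3, 15, 16, 55)),
    ("mail", "asmith", datetime(2024, 3, 15, 17, 30)),
]
EVENTS = [  # (system, user, time of a successful access)
    ("mail", "jdoe", datetime(2024, 3, 16, 22, 14)),
    ("fileshare", "jdoe", datetime(2024, 3, 15, 12, 0)),   # before termination
    ("directory", "asmith", datetime(2024, 3, 15, 9, 0)),  # before termination
]

def audit(terminations, accounts, events, now, sla=SLA):
    """Return sorted findings for accounts belonging to terminated users."""
    findings = []
    for system, user, disabled_at in accounts:
        left = terminations.get(user)
        if left is None or now < left:
            continue  # current employee, or departure still in the future
        if disabled_at is None:
            findings.append(("STILL_ENABLED", user, system))
        elif disabled_at - left > sla:
            findings.append(("LATE_DISABLE", user, system))
    for system, user, when in events:
        left = terminations.get(user)
        if left is not None and when > left:
            # This is the evidence an auditor's look-back would ask for.
            findings.append(("USED_AFTER_TERMINATION", user, system))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(TERMINATIONS, ACCOUNTS, EVENTS, now=datetime(2024, 3, 20)):
        print(*finding)
```

An account disabled before the termination time, as in the "set up ahead of time" case, produces no finding because the delay is negative.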