Thursday, October 3, 2024

Former Employees Threaten Network Security


Think your network is secure if you’re able to fend off the ever-growing barrage of hackers? Think it’s even safer if you monitor employees to make sure they’re not up to no good?

Industry analysts say you probably do. But they also say that you’re most likely wrong.

Of course, hackers and employees are the source of a lot of security threats. What many IT and security administrators fail to account for, though, is the severity of the threat coming from former employees. That’s right… all those people who used to work for the company, accessing databases and critical financial and personnel information, are out there now with all of that intimate information about the network. And making it that much worse is the fact that IT often fails to shut down all of their access points.

That means people who might have an axe to grind with the company or who might be working for a competitor now have critical knowledge about and access to your network.

“Someone with inside knowledge is going to be able to do more harm than your standard run of the mill hacker,” says Eric Maiwald, a senior analyst with the Burton Group, an industry analyst firm based in Salt Lake City, Utah. “We know that the majority of harm, at least things that cost a lot of money, occur because of insiders. If they have the same access as before, they have motive, means and opportunity.”

And according to a 2005 survey done by the U.S. Secret Service in conjunction with CERT, more former employees than most might imagine are taking advantage of that opportunity.

The survey shows that of the insiders who cause security breaches, 59 percent were former employees or former contractors. Of those, 48 percent had been fired, 38 percent had resigned and 7 percent had been laid off.

And the survey also shows that the people with the most knowledge about the network — the IT professionals — can be a significant threat once they leave the company.

Most of the former employees who broke into the corporate networks had been employed full-time in a technical position, according to the study. Thirty-eight percent were system administrators, while programmers made up 21 percent; engineers made up 14 percent and IT specialists made up another 14 percent. The survey also showed that 10 percent were from professional positions, such as editors, managers and auditors.

Knowledge Can be a Dangerous Thing

“Think about the amount of time it would take for them to access the data,” says Gary Shah, network engineer for Edison, N.J.-based NaviSys, Inc., a software development firm. “They know the location of the data. After gaining access to the system, the amount of time it would take them to get to the data would be insignificant compared to an outside hacker who would have to make his way through the system to find where the information is.”

Shah says the risk always increases if the person was fired or laid off, as opposed to leaving willingly for a different or better job. Anger or resentment can be powerful emotions that lead people to do things they wouldn’t normally even consider. And it also may make them less fearful of being caught or prosecuted.

Nelson Cicchitto, chairman and chief executive officer of Avatier Corp., a San Ramon, Calif.-based company that focuses on identity and access management solutions, says there are many ways for someone to either take revenge on or take advantage of a former employer.

“They could take the corporate address book and they could give that to hackers so they could drive individual employees and target them specifically,” says Cicchitto. “If they [had worked] in finance, they could post people’s salaries on the Internet. If they worked for a credit card company, they would have knowledge about how to get to customer information. They could sell that information to competitive companies and if they still have access, they could get to that data themselves.”

And now companies are under the gun even more to cut off any stray points of access that are still lingering on their networks. Sarbanes-Oxley, the federal law focusing on public company accounting reform, calls for the removal of access once an employee has left the company, according to Cicchitto.

“An auditor can come into your organization and say ‘This person had access to payroll but now she’s in HR.’ The auditor can request a look back, and people in the company need to go back and see what was accessed in the accounting files after she left that department. How was that ID used once she left the department? If it was used, was any data modified? If she did, then that could be grounds for firing.

“Think of the amount of work that a large organization would have to do to figure out what was done with an account after someone was terminated,” he adds. “The smart thing is to terminate that account immediately and then you can show the auditor that the account was immediately disabled.”

Removing Access

But users and analysts alike say it’s much simpler to say that access needs to be shut down than to actually get every single access point closed up within a reasonable amount of time.

Cicchitto says the biggest part of the problem is that generally one person is not in charge of all the access points. Getting the shut-down request to a long string of people can be cumbersome — and often not even thought of — if a process isn’t already in place.

“You have email within this company but the mail administrator is not necessarily the same person who manages passwords and access,” he explains. “When you disable logon permissions, it does not automatically disable the mail. You usually have to go in and hide the mailbox. Now we’re up to two different people. Now let’s look at access to files and printers. The people who manage that aren’t necessarily the same as the other two people.”

Neal Creighton, chief executive officer of GeoTrust, Inc., a major digital certificate provider based out of Needham, Mass., says it’s a complicated process that needs to start out with the people in HR and move down through several layers of IT. To make that kind of process work, steps need to be thought out and laid in place, and automating it would be even better.

“It’s the amount of bandwidth it takes — the amount of time it takes to get this kind of thing done,” says Creighton. “The more automated you can make things, the better off you’re going to be. If it requires people to go through and change permissions, it’s going to be harder. But if someone in HR makes a change and it runs down through the software that takes care of access, that’s much more efficient. In large organizations, there’s an awful lot of comings and goings to take care of.”

The Burton Group’s Maiwald says timing is everything.

How soon should access be shut down? Should it be shut down before someone is given the axe or a pink slip? If a worker resigns, how soon should her email account and other accounts be shut down?

They’re all good questions, according to Maiwald, but none of them have cut-and-dried answers. “It’s easy to say but I would like to see it done within 24 hours,” he adds. “Reality intrudes, though, and it turns into… it needs to be done as soon as it can. Because it takes time to do these things, and it may take longer than you would wish. Ideally, if you knew the employee was leaving on the 15th, then I’d have it set up ahead of time so on that day he’d no longer have access. If you’re terminating that employee, one of the stops on the way to his office is to the administrator to shut off his access.”

It gets tricky when executives don’t want someone to get any warning signs that he’s being fired. If access starts to shut down, it’s going to tip him off that something is going on. But that concern has to be weighed with the need to have access terminated before he gets home that day — angry, most likely — and tries to see if he can still get onto the company network.

And if the person being let go is in IT, then the stakes are that much higher, Maiwald notes.

“If you are laying off or terminating people who have administrative access, now you have a much larger job,” Maiwald says. “You’re changing system logins and route passwords and administrative passwords for things like routers and switches and that becomes much more difficult.”
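The auditor's look-back and the 24-hour target discussed above can both be checked mechanically once HR departure dates sit next to each system's account records. The Python below is an added example, not part of the original article: it reconciles an HR termination feed against per-system account state and login events. All user names, system names, timestamps and the record layout are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed layout, not from the article).
HR_TERMINATIONS = {  # user -> departure time recorded by HR
    "jdoe": datetime(2024, 3, 15, 17, 0),
    "asmith": datetime(2024, 3, 20, 12, 0),
}
ACCOUNTS = [  # (system, user, enabled, disabled_at)
    ("directory", "jdoe", False, datetime(2024, 3, 15, 17, 5)),
    ("mail", "jdoe", True, None),  # logon disabled, mailbox forgotten
    ("fileshare", "jdoe", False, datetime(2024, 3, 18, 9, 0)),
    ("directory", "asmith", False, datetime(2024, 3, 20, 12, 0)),
    ("mail", "asmith", False, datetime(2024, 3, 20, 13, 0)),
]
AUTH_EVENTS = [  # (timestamp, system, user) successful logins
    (datetime(2024, 3, 14, 9, 0), "directory", "jdoe"),
    (datetime(2024, 3, 16, 22, 30), "mail", "jdoe"),
    (datetime(2024, 3, 17, 8, 0), "fileshare", "jdoe"),
    (datetime(2024, 3, 19, 8, 0), "mail", "asmith"),
]
SLA = timedelta(hours=24)  # the "within 24 hours" target quoted above


def audit_offboarding(terminations, accounts, events, now, sla=SLA):
    """Return (kind, user, system, elapsed_since_departure) findings."""
    findings = []
    for system, user, enabled, disabled_at in accounts:
        left = terminations.get(user)
        if left is None:
            continue  # current employee, out of scope
        if enabled:
            # Access point nobody closed: one owner per system is the gap.
            findings.append(("STILL_ENABLED", user, system, now - left))
        elif disabled_at - left > sla:
            findings.append(("LATE_DISABLE", user, system, disabled_at - left))
    for ts, system, user in events:
        left = terminations.get(user)
        if left is not None and ts > left:
            # Look-back hit: the ID was used after the person had left.
            findings.append(("USED_AFTER_EXIT", user, system, ts - left))
    return findings


if __name__ == "__main__":
    for kind, user, system, delta in audit_offboarding(
            HR_TERMINATIONS, ACCOUNTS, AUTH_EVENTS, datetime(2024, 3, 25)):
        print(f"{kind:16} {user:8} {system:10} +{delta}")
```

Each `USED_AFTER_EXIT` finding is a starting point for the question the auditor asks next: whether any data was modified during that session.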
