Former Employees Threaten Network Security
March 30, 2006
All those people who used to work for the company, accessing databases and critical financial and personnel files, pose a significant threat to the corporate network.
Industry analysts say you probably do. But they also say that you're most likely wrong.
Of course hackers and employees are the source of a lot of security threats. What many IT and security administrators fail to account for, though, is the severity of the threat coming from former employees. That's right... all those people who used to work for the company, accessing databases and critical financial and personnel information, are out there now with all of that intimate information about the network. And making it that much worse is the fact that IT often fails to shut down all of their access points.
That means people who might have an axe to grind with the company or who might be working for a competitor now have critical knowledge about and access to your network.
And according to a 2005 survey done by the U.S. Secret Service in conjunction with CERT, more former employees than most might imagine are taking advantage of that opportunity.
The survey shows that of the insiders who cause security breaches, 59 percent were former employees or former contractors. Of those, 48 percent had been fired, 38 percent had resigned and 7 percent had been laid off.
And the survey also shows that the people with the most knowledge about the network -- the IT professionals -- can be a significant threat once they leave the company.
Most of the former employees who broke into the corporate networks had been employed full-time in a technical position, according to the study. Thirty-eight percent were system administrators, while programmers made up 21 percent; engineers made up 14 percent and IT specialists made up another 14 percent. The survey also showed that 10 percent were from professional positions, such as editors, managers and auditors.
Knowledge Can be a Dangerous Thing
''Think about the amount of time it would take for them to access the data,'' says Gary Shah, network engineer for Edison, N.J.-based NaviSys, Inc., a software development firm. ''They know the location of the data. After gaining access to the system, the amount of time it would take them to get to the data would be insignificant compared to an outside hacker who would have to make his way through the system to find where the information is.''
Shah says the risk always increases if the person was fired or laid off, as opposed to leaving willingly for a different or better job. Anger or resentment can be powerful emotions that lead people to do things they wouldn't normally even consider. And it also may make them less fearful of being caught or prosecuted.
Nelson Cicchitto, chairman and chief executive officer of Avatier Corp., a San Ramon, Calif.-based company that focuses on identity and access management solutions, says there are many ways for someone to either take revenge on or take advantage of a former employer.
''They could take the corporate address book and they could give that to hackers so they could drive individual employees and target them specifically,'' says Cicchitto. ''If they [had worked] in finance, they could post people's salaries on the Internet. If they worked for a credit card company, they would have knowledge about how to get to customer information. They could sell that information to competitive companies and if they still have access, they could get to that data themselves.''
And now companies are under the gun even more to cut off any stray points of access that are still lingering on their networks. Sarbanes-Oxley, the federal law focusing on public company accounting reform, calls for the removal of access once an employee has left the company, according to Cicchitto.
''An auditor can come into your organization and say 'This person had access to payroll but now she's in HR.' The auditor can request a look back, and people in the company need to go back and see what was accessed in the accounting files after she left that department. How was that ID used once she left the department? If it was used, was any data modified? If she did, then that could be grounds for firing.
''Think of the amount of work that a large organization would have to do to figure out what was done with an account after someone was terminated,'' he adds. ''The smart thing is to terminate that account immediately and then you can show the auditor that the account was immediately disabled.''
But users and analysts alike say it's much simpler to say that access needs to be shut down than to actually get every single access point closed up within a reasonable amount of time.
Cicchitto says the biggest part of the problem is that generally one person is not in charge of all the access points. Getting the shut-down request to a long string of people can be cumbersome -- and often not even thought of -- if a process isn't already in place.
''You have email within this company but the mail administrator is not necessarily the same person who manages passwords and access,'' he explains. ''When you disable logon permissions, it does not automatically disable the mail. You usually have to go in and hide the mailbox. Now we're up to two different people. Now let's look at access to files and printers. The people who manage that aren't necessarily the same as the other two people.''
Neal Creighton, chief executive officer of GeoTrust, Inc., a major digital certificate provider based out of Needham, Mass., says it's a complicated process that needs to start out with the people in HR and move down through several layers of IT. To make that kind of process work, steps need to be thought out and laid in place, and automating it would be even better.
''It's the amount of bandwidth it takes -- the amount of time it takes to get this kind of thing done,'' says Creighton. ''The more automated you can make things, the better off you're going to be. If it requires people to go through and change permissions, it's going to be harder. But if someone in HR makes a change and it runs down through the software that takes care of access, that's much more efficient. In large organizations, there's an awful lot of comings and goings to take care of.''
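An added example, not part of the original article: one way to automate the checks described above, comparing an HR termination feed against each system's account list (logon, mail, file shares) and flagging any use of an ID after its owner left. All user names, system names, dates and log lines are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR termination feed (user -> end of employment).
HR_TERMINATIONS = {
    "jdoe": datetime(2006, 3, 15, 17, 0),
    "asmith": datetime(2006, 3, 20, 17, 0),
}

# Constructed per-system account inventories, each run by a different admin.
ACCOUNTS = {
    "directory": {"jdoe": "disabled", "asmith": "disabled", "bnguyen": "enabled"},
    "mail": {"jdoe": "enabled", "asmith": "disabled", "bnguyen": "enabled"},
    "fileshare": {"jdoe": "disabled", "asmith": "enabled"},
}

# Constructed access log lines: "timestamp system user action".
ACCESS_LOG = """\
2006-03-14T09:12:00 fileshare jdoe read
2006-03-16T22:41:00 mail jdoe login
2006-03-21T08:05:00 fileshare asmith modify
2006-03-21T08:30:00 mail bnguyen login
"""

def lingering_accounts(terminations, accounts):
    """Return sorted (user, system) pairs still enabled for departed users."""
    return sorted(
        (user, system)
        for system, inventory in accounts.items()
        for user, state in inventory.items()
        if user in terminations and state != "disabled"
    )

def post_termination_use(terminations, log_text):
    """Return log events by departed users dated after their termination."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        stamp, system, user, action = parts
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        if user in terminations and when > terminations[user]:
            hits.append((user, system, action, stamp))
    return hits

if __name__ == "__main__":
    for user, system in lingering_accounts(HR_TERMINATIONS, ACCOUNTS):
        print(f"still enabled: {user} on {system}")
    for hit in post_termination_use(HR_TERMINATIONS, ACCESS_LOG):
        print("used after termination:", *hit)
```

The first report covers the mailbox-left-enabled case; the second is the auditor's look-back, including whether the ID was used to modify data.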
The Burton Group's Maiwald says timing is everything.
How soon should access be shut down? Should it be shut down before someone is given the axe or a pink slip? If a worker resigns, how soon should her email account and other accounts be shut down?
They're all good questions, according to Maiwald, but none of them have cut-and-dried answers. ''It's easy to say but I would like to see it done within 24 hours,'' he adds. ''Reality intrudes, though, and it turns into... it needs to be done as soon as it can. Because it takes time to do these things, and it may take longer than you would wish. Ideally, if you knew the employee was leaving on the 15th, then I'd have it set up ahead of time so on that day he'd no longer have access. If you're terminating that employee, one of the stops on the way to his office is to the administrator to shut off his access.''
It gets tricky when executives don't want someone to get any warning signs that he's being fired. If access starts to shut down, it's going to tip him off that something is going on. But that concern has to be weighed with the need to have access terminated before he gets home that day -- angry, most likely -- and tries to see if he can still get onto the company network.
And if the person being let go is in IT, then the stakes are that much higher, Maiwald notes.
''If you are laying off or terminating people who have administrative access, now you have a much larger job,'' Maiwald says. ''You're changing system logins and route passwords and administrative passwords for things like routers and switches and that becomes much more difficult.''