The Breach is Coming from Inside the House: Employee Turnover and Security

March 8, 2018

As unpleasant as it is for both parties involved, employee turnover is a fact of life, especially in IT.

The Security Risk of Turnover

Former employees represent a significant risk to your company no matter how they left. You can probably think of a few reasons why off the top of your head.

For one, there's the problem of shared passwords. If more than one of your employees accesses a service through the same account, that shared credential becomes a major hole in your security the moment one of those employees is dismissed.

Most businesses have recognized that risk and mitigated it by changing any shared passwords when an employee leaves and deactivating the former employee's password manager, if they used one.

But passwords, as always, aren't the only way to crack into a system.

A disgruntled employee upset at their departure could take advantage of skeletons in their former employer's closet. Think about vulnerabilities, misconfigurations, or compromising evidence that the former employee knows about. That information is in their head, not behind a password that can be changed.

Plus, if their departure marked the end of a pattern of discontent, the employee could have left themselves a backdoor to the environment. That backdoor could be a technological one or a personal one — as in, a friend at the company who would be willing to let them back in.

Take it from a California physical security firm that was awarded more than $300k in damages after a disgruntled former employee hacked its systems, deleted important business files, and posted an unflattering picture of the company's founder on its website. The employee gained remote access to these systems after his firing with administrative credentials he wasn't supposed to have. Read the full story here.

Protect Yourself

You can significantly mitigate your risk of a former employee causing a data breach by:

  • Developing a plan that makes it easy to rotate shared credentials, such as those for a "built-in administrator" account or a wireless network.

  • Increasing monitoring of remote access, administrative account creation, and data leakage (DLP) alerts as soon as you start considering dismissing an employee.

  • Alerting remaining employees to any departures and asking them to report any attempt by the former employee to contact them.

Doing it Right

Once on a physical penetration testing engagement, I was attempting to gain access to a sensitive area of the facility using an RFID utility called "proxbrute." This utility, as the name indicates, attempts to open a door by brute force, cycling through many potential signatures in a short amount of time. The goal is to reach the signature of an employee with access to the door.

In the middle of my testing, a security guard came running around a corner in a panic. Turns out that the utility had hit upon the RFID signature of a recently terminated employee, and the company's monitoring system had gone off. It looked like the former employee was attempting to access the sensitive area.

Fortunately, I was able to de-escalate the situation before getting arrested, and the impressive response of the security team made it into the report of the engagement.
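The monitoring recommended above, and the badge alert the security team acted on in this story, come down to one check: correlating access events against a list of people whose access has ended or is about to. The script below is an added example, not the author's code or any product's logic. The log format, the watchlist, the badge IDs, the usernames and the event names are all constructed for the demonstration; a real deployment would read the watchlist from HR's offboarding feed and the events from the VPN, directory and badge systems.

```python
"""Flag activity tied to departed or departing employees in mixed log lines.

Added example (not the blog author's code). Log format, watchlist entries,
badge IDs and event names are constructed for the demonstration.
"""
import re
from datetime import datetime

# Constructed watchlist: people who have left or are scheduled to leave,
# keyed by username, with their badge ID and the moment access should end.
WATCHLIST = {
    "jdoe":   {"badge": "B-1042", "access_ends": datetime(2018, 3, 1)},   # already gone
    "mlopez": {"badge": "B-2210", "access_ends": datetime(2018, 3, 9)},   # exit scheduled
}

# Constructed log lines in the form "<timestamp> <source> <event> key=value ...".
SAMPLE_LOGS = """\
2018-03-05T08:02:11 vpn login user=jdoe src=203.0.113.7 result=success
2018-03-05T08:15:40 badge swipe badge=B-1042 door=server-room result=granted
2018-03-06T17:45:02 ad admin_create creator=mlopez account=svc_backup2 groups=Domain-Admins
2018-03-06T18:01:30 vpn login user=asmith src=198.51.100.4 result=success
2018-03-07T09:12:00 badge swipe badge=B-3001 door=lobby result=granted
2018-02-20T12:00:00 vpn login user=jdoe src=203.0.113.7 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Split one constructed log line into timestamp, source, event and key=value fields.
    Returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "source": m.group("source"),
        "event": m.group("event"),
        **fields,
    }


def subject_of(rec, watchlist, badge_to_user):
    """Return the watchlisted person an event is attributed to, or None.
    Looks at the acting user, the creator of a new account, and the badge used."""
    for key in ("user", "creator"):
        if rec.get(key) in watchlist:
            return rec[key]
    return badge_to_user.get(rec.get("badge"))


def detect(log_text, watchlist=WATCHLIST):
    """Return (kind, person, detail, raw_line) alerts for two conditions:
    - any event by a person whose access has already ended (departed credential used);
    - an admin account created by someone whose exit is pending (pre-departure backdoor)."""
    badge_to_user = {v["badge"]: u for u, v in watchlist.items()}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        who = subject_of(rec, watchlist, badge_to_user)
        if who is None:
            continue
        if rec["ts"] >= watchlist[who]["access_ends"]:
            alerts.append(("departed_credential_used", who, rec["event"], line.strip()))
        elif rec["event"] == "admin_create":
            alerts.append(("departing_user_created_admin", who, rec.get("account", "?"), line.strip()))
    return alerts


if __name__ == "__main__":
    for kind, who, detail, raw in detect(SAMPLE_LOGS):
        print(f"ALERT {kind}: {who} ({detail}) <- {raw}")
```

On the constructed sample this raises three alerts: two for jdoe's VPN login and badge swipe four days after access ended (the badge case mirrors the terminated employee's signature firing the alarm in the story), and one for mlopez creating a domain-admin service account three days before a scheduled exit. jdoe's login in February, before the access-end date, is correctly ignored. The pre-departure rule only fires for admin_create; a real deployment would widen it to whatever privilege-granting and data-export events your environment logs.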
