Don't Let Malware Hit You on the Way Out

When it comes to the threat of data breach, it’s well known that current employees can be an organization’s weakest link. What about former employees? So many companies have strict new hire processes in place to onboard new employees, but there’s still a lot of work left to do when it comes to ‘offboarding’.

The problem is that many enterprises have not adapted to the changing role of the IT organization. It’s no longer just security personnel that need to leave the company with “clean hands” – modern-day system administration has evolved to the point where almost every role has a cybersecurity component – and, unfortunately, many organizations have not kept up. In fact, the Verizon DBIR 2016 report shows that nearly eight per cent of data breaches are caused by disgruntled or former employees.

It would seem that the risk of data breaches caused by privileged personnel depends on how and why the employee left the company. Leaving on good terms? Great, let’s wash those hands together. Plan on firing someone? You should probably take a few extra precautions to secure the perimeter.

If an organization plans on firing an IT employee, it should perform a data review and revoke all access prior to termination. As exhibited in an attempted Fannie Mae hack, it only takes minutes to perform irreversible harm. Just two hours prior to returning his laptop, a terminated Unix engineer accessed a Fannie Mae server and embedded malware that was set to destroy data on all the company servers.

Unfortunately, it’s not always the case that an employee needs to be terminated in order to pose a cybersecurity threat. Take, for example, the story of Michael Leeper, who held a senior technology role at Columbia Sportswear before leaving to become CTO at Denali Advanced Integration. Prior to his departure, Leeper created backdoor accounts which left him with access to the company’s VPN and VDI connections. He used these accounts to help gain an advantage in his dealings between Denali and Columbia. When the data breach was discovered, Leeper was immediately fired from Denali and taken to court.

A former colleague, who was a senior IT engineer at a PE firm and held domain admin rights, recently left his job for a role at a competitor firm. On his last day, his manager followed the standard protocol, first changing his password, then moving his account to an Active Directory OU called “To Be Deprecated”, removing him from all groups and revoking his RSA token. His manager then wiped his mobile phone and performed a final data review, prior to disabling his account and removing his mailbox. Sounds pretty secure, right?

Wrong. The cybersecurity risk here lies in the fact that this engineer once had access to every Active Directory account, so he knows the usernames and passwords for privileged system accounts (which shouldn't have remote access, but you never know). While the likelihood of him doing anything with this information is minuscule, it’s probably not a bad idea to change any static passwords for service accounts once a member of the IT team leaves. Also, if you have a system auditing tool in place, it’s a good idea to review any changes the employee might have made prior to leaving the company.
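The Active Directory parts of that departure-day procedure, plus the two extra steps just mentioned (rotating service-account passwords and reviewing the engineer's recent changes), as an added PowerShell example that is not from the article. It assumes the RSAT ActiveDirectory module on a domain-joined admin session; the username, OU distinguished name, service-account names and the Security-log event IDs chosen for the review are placeholders and assumptions.

```powershell
# Added example (not the article's code). Placeholders: $User, $ParkingOU DN, $ServiceAccts.
Import-Module ActiveDirectory

$User         = 'jdoe'                                      # departing engineer (placeholder)
$ParkingOU    = 'OU=To Be Deprecated,DC=example,DC=com'     # OU named in the article; DN is a placeholder
$ServiceAccts = @('svc-backup', 'svc-sql')                  # static-password accounts he knew (placeholders)
$Lookback     = (Get-Date).AddDays(-30)                     # audit window for changes made before leaving

function New-RandomPassword {
    # 24 random bytes as base64: nobody, including the admin running this, needs to know the value
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Change the password first so no existing credential can re-establish a session
Set-ADAccountPassword -Identity $User -Reset -NewPassword (New-RandomPassword)

# 2. Move the object to the holding OU
$dn = (Get-ADUser -Identity $User).DistinguishedName
Move-ADObject -Identity $dn -TargetPath $ParkingOU

# 3. Remove every group membership (the primary group, Domain Users, cannot be removed this way)
Get-ADPrincipalGroupMembership -Identity $User |
    Where-Object { $_.Name -ne 'Domain Users' } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }

# 4. Disable the account. RSA token revocation, phone wipe and mailbox removal live in other
#    systems and are not shown here.
Disable-ADAccount -Identity $User

# 5. Service accounts keep static passwords a former domain admin may remember, so rotate them.
#    Each service or scheduled task using them must then be updated with the new secret (manual).
foreach ($svc in $ServiceAccts) {
    Set-ADAccountPassword -Identity $svc -Reset -NewPassword (New-RandomPassword)
}

# 6. Review what he changed before leaving: account creations/enables, password resets,
#    group additions and account modifications on the DC where he was the acting subject.
$ids = 4720, 4722, 4724, 4728, 4732, 4738, 4756
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Lookback } |
    Where-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text' -eq $User
    } |
    Select-Object TimeCreated, Id, @{ n = 'Target'; e = {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' } } |
    Format-Table -AutoSize
```

Run step 6 against every domain controller (or the central log collector), since security events are recorded only on the DC that processed the change.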

Rest assured, if your company has a thorough, secure departure day procedure and strong password reset policy in place, it’s very possible that you won’t have to worry about a data breach caused by a former employee. So why take chances? It’s about time that enterprises adapt to the changing role of the IT organization and secure their offboarding processes.

Let’s all hope that Denali was a little more rigorous than Columbia Sportswear in ensuring that, this time around, Leeper left the company with “clean hands”.
