{"id":1311,"date":"2024-09-22T16:54:59","date_gmt":"2024-09-22T16:54:59","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1311"},"modified":"2024-10-19T13:12:49","modified_gmt":"2024-10-19T13:12:49","slug":"deprovision-credential-or-risk-ex-employee-sabotage","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/deprovision-credential-or-risk-ex-employee-sabotage\/","title":{"rendered":"Deprovision credential or risk ex-employee sabotage"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Carelessness_is_sabotage-1-150x150-1.webp\" alt=\"Carelessness_is_sabotage\" class=\"wp-image-1312\" style=\"width:426px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>In cybersecurity, so much attention is given to threats originating from outside a business, it\u2019s easy to forget the \u2018devil you know\u2019 \u2013 employees gone rogue. These cases, perpetrated by someone an organization knows and trusts, are known as \u2018insider attacks\u2019. The most high-profile example of such an attack is easily Edward Snowden\u2019s exfiltration of NSA documents detailing US surveillance programs \u2013 and we all know how that has played out.<\/p>\n\n\n\n<p>Insider attacks can be devastating, particularly if the employee worked in IT, as the culprit is using legitimate login credentials with wide access across the business environment, including to its intellectual property, finances, customer information, critical systems, etc. This unfettered access, when coupled with the technical skills to cover their tracks, can bring a business to its knees.<\/p>\n\n\n\n<p>The motivations behind an insider attack are varied. 
Whether for financial gain, whistleblower activism, or blackmail, the result is the same \u2013 your business had a blind spot and that\u2019s been used against you.<\/p>\n\n\n\n<p>This post will focus on one particular variant of insider attack because it is not only the most devastating, but it is also the easiest to mitigate: ex-employee sabotage.<\/p>\n\n\n\n<p>Unfortunately, not every parting of ways is amicable. If an employee has been fired, they may harbor feelings of resentment and a thirst for revenge. Now, you would think once an employee has left an organization that their user credentials would be deleted. In a perfect world, this would be the case; however, due to a disconnect between HR and IT, this doesn\u2019t always happen.<\/p>\n\n\n\n<p>A <a href=\"https:\/\/www.onelogin.com\/company\/press\/press-releases\/new-research-from-onelogin-finds-over-50-of-ex-employees-still-have-access-to-corporate-applications\" target=\"_blank\" rel=\"noopener\">recent survey<\/a> of 500 US companies found almost 50 per cent of the businesses knew of former employees who still had network access. In fact, the same survey found that 20 per cent of businesses had suffered a data breach as a direct result of the failure to deprovision log-in details.<\/p>\n\n\n\n<p>In the past few years there have been multiple cases of aggrieved ex-employees using their old access credentials to sabotage their previous employers. This mix of insider knowledge, unfettered access and lust for revenge is a potent combination. Not only does the attacker know your processes and how best to disrupt them, they have the means and desire to do so.<\/p>\n\n\n\n<p>Making matters worse, if they worked in IT they may have the ability to set up backdoors using new accounts or system accounts with full remote VPN access. 
By doing so, they can maintain access almost indefinitely, and can cause serious damage if they choose to do so.<\/p>\n\n\n\n<p>This happened in 2015 when an ex-employee of Smart Online Inc. deleted much of the company\u2019s <a href=\"https:\/\/www.justice.gov\/opa\/pr\/information-technology-manager-pleads-guilty-sending-damaging-computer-code-former-company-s\" target=\"_blank\" rel=\"noopener\">intellectual property<\/a> after leaving the organization. Again, in 2016, several days after the <a href=\"https:\/\/www.justice.gov\/usao-mdla\/pr\/former-systems-administrator-convicted-hacking-industrial-facility-computer-system\" target=\"_blank\" rel=\"noopener\">termination of his employment<\/a>, a systems administrator for a large manufacturing company remotely accessed the plant\u2019s computer system and transmitted code and commands which resulted in significant damage to the plant\u2019s operations.<\/p>\n\n\n\n<p>These examples show that while processes are in place to provision new employees, deprovisioning ex-employees isn\u2019t as high a priority. The HR and IT departments must communicate, and policies need to be in place to mitigate the risk of ex-employee sabotage.<\/p>\n\n\n\n<p>If you\u2019re reading this post now and are a business decision maker, ask yourself if deprovisioning employee access is baked into your policies. If the answer is \u201cno\u201d, or you don\u2019t know the answer, I\u2019d suggest either a rapid rethink of internal policies or immediate calls to HR and IT.<\/p>\n\n\n\n<p>While the saying goes it\u2019s \u201cbetter the devil you know\u201d, these are the devils that know how to hurt you the most.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In cybersecurity, so much attention is given to threats originating from outside a business, it&rsquo;s easy to forget the &lsquo;devil you know&rsquo; &ndash; employees gone rogue. 
These cases, perpetrated by someone an organization knows and trusts, are known as &lsquo;insider attacks&rsquo;. The most high-profile example of such an attack is easily Edward Snowden&rsquo;s exfiltration of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1312,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1311"}],"version-history":[{"count":2,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1311\/revisions"}],"predecessor-version":[{"id":3703,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1311\/revisions\/3703"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1312"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}