The security threat when the insider gets outside


Summary: On my desk at home I have two VPN key fobs to jobs I no longer have. I don't even know if they work, but they're sitting there. And I'm not alone.

TOPICS: Security, CXO

On my desk at home I have two VPN key fobs to jobs I no longer have. I don't even know if they work, but they're sitting there.

Every job I ever held featured dozens of accounts, log-ins, passwords and secret decoder rings, many of which walked out the door with me and most of which remain active. We also used dozens of productivity and collaboration tools, which we set up ourselves outside the scope of the IT department, but which nonetheless hold critical and proprietary data.

Luckily for my current and former employers, I'm a nice guy with no motivation to cause them harm. I'm also a cautious guy who doesn't leave network doors open and unattended. And I'm a guy with low access: aside from CMS access, which leaves me capable of taking down a Web site, I don't hold an IT position and was never permitted access to critical systems or data troves. Of course those critical systems are better protected from former employees with continued network access. Yes, but barely, according to a survey of 1,000 IT pros on security policies affecting employees, conducted by security vendor Quest Software and Harris Interactive.

Among the survey findings, 51 percent of IT policy makers said they were concerned about insider threats to network security in their company's current infrastructure. A greater threat, however, might be the former insider - now on the outside, but with insider access and familiarity.

From the report, The Current State of Identity Management:

  • One in 10 IT pros admitted they have accounts from previous jobs, from which they can still access systems even though they've left the organization.
  • 52 percent of employees admit that they've shared their work log-ins and passwords with other co-workers, spouses and others.

Ten percent of your employees are walking away from their job with a handful of active network-access accounts and passwords as well as a handful of those shared by their colleagues.

Why? Quest, which makes identity management software, wants you to believe it is because the IT department can't manage the account provisioning and decommissioning for the dozens of accounts of dozens or hundreds or thousands of users. They're on to something there.

Consider these two colliding trends:

1. The average user in a 10,000-employee organization manages 14 separate logins and passwords. (ScriptLogic whitepaper: The Business Case for Desktop Authority Password Self-Service.)

Exacerbating the problem further is the fact that different teams within IT often have responsibility for password management on different systems. For example, typically Windows password resets are handled by the Windows help desk, a relatively inexpensive resource... The more systems, the more passwords, and the more people that must be involved...

Fourteen passwords x 10,000 employees = 140,000

2. The median tenure for an employee in the U.S. is 4.4 years. (Employee Tenure Summary, Bureau of Labor Statistics)

That means 35,000 passwords walk out the door every year at each of those 10,000-employee organizations. Turnover is expensive for IT departments.

Halfway there

Software like single-sign-on and identity management would be a help. So would the vigilance to target and decommission accounts and track down wayward key fobs. That would go a long way to protecting critical infrastructure.

But what about the data sitting on the dozens of providers in the cloud? The ones we set up without IT's involvement, maybe without their awareness.

If you count those systems, the average number of passwords employees use to do their job is probably greater than 14, and most of those are outside the domain of IT.

Every day, employees activate accounts for productivity and analytics systems in the cloud without the support or awareness of IT. I have seen entire departments running a shadow operation on Google Docs, third-party marketing vendors and collaboration tools, where proprietary data sits in spreadsheets, presentations and other tools, available to anyone with the password, one IT had nothing to do with.

That shadow system won't take down your infrastructure, but the data breach could be just as damaging. Google last week announced it would launch two-step verification for its account-holders, but that does little to protect businesses from the inside-outsider with a password, access and, perhaps, a grudge or at the very least, less concern to protect the data.

Single sign-on is just a temporary solution. A step back from passwords altogether is even better, and probably inevitable. The Department of Commerce is backing a security system for online identity checks that relies on a single sign-on program as well as tokens, smart cards and biometrics to verify and approve access.

Passwords don't provide good security because most people choose character combinations that are easily hacked. A universal standard that requires some kind of device or a chip with encrypted data would keep consumer information safer while assuring companies they aren't being scammed, says Don Thibeau, chairman of the Open Identity Exchange, an industry group representing large tech companies such as Verizon, AT&T, Google, PayPal, and Symantec.

Ultimately, the security required to protect dispersed data from access by former insiders would be a combination of software, policy and enforcement to ensure the IT department knows where the data sits and controls access. That may be a stretch when insiders insist on, and the cloud increasingly permits, self-service.
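As an added example (not from the article, Quest's report or any vendor tool), here is a reconciliation of an HR roster against account exports from the directory and from a cloud tool set up outside IT. It flags the leftovers discussed above: accounts still enabled for people who have left, logins after the termination date, accounts nobody in HR owns, dormant accounts, and unreturned fobs. All users, systems and dates are constructed.

```python
from datetime import date

# Constructed sample data for this example (not from the article or survey):
# an HR roster with termination dates and whether the VPN fob came back,
# plus account exports from the directory (AD) and a cloud tool set up
# outside IT (gdocs). Users and dates are made up.
HR_ROSTER = {
    "jdoe":   {"terminated": date(2011, 3, 15), "fob_returned": False},
    "asmith": {"terminated": None,              "fob_returned": True},
    "bkim":   {"terminated": date(2010, 12, 1), "fob_returned": True},
    "cwu":    {"terminated": None,              "fob_returned": True},
}
ACCOUNTS = [
    # (system, username, enabled, last_login)
    ("AD",    "jdoe",        True,  date(2011, 3, 20)),  # login after leaving
    ("AD",    "asmith",      True,  date(2011, 4, 1)),
    ("AD",    "bkim",        False, date(2010, 11, 30)), # cleanly disabled
    ("gdocs", "jdoe",        True,  date(2011, 4, 2)),   # shadow-IT account
    ("gdocs", "contractor7", True,  date(2011, 4, 3)),   # nobody in HR owns it
    ("gdocs", "cwu",         True,  date(2010, 6, 1)),   # current staff, unused
]
TODAY = date(2011, 4, 5)   # constructed audit date
DORMANT_DAYS = 90          # assumed threshold for "nobody uses this anymore"

def audit(roster, accounts, today):
    """Return (finding, system, user) tuples for accounts that should not
    exist, should be disabled, or were used after their owner left."""
    findings = []
    for system, user, enabled, last_login in accounts:
        rec = roster.get(user)
        if rec is None:
            # No HR identity behind the account: orphan or unauthorized
            findings.append(("NO_HR_RECORD", system, user))
            continue
        term = rec["terminated"]
        if term and enabled:
            findings.append(("ENABLED_AFTER_TERMINATION", system, user))
        if term and last_login > term:
            findings.append(("LOGIN_AFTER_TERMINATION", system, user))
        if not term and enabled and (today - last_login).days > DORMANT_DAYS:
            findings.append(("DORMANT", system, user))
    # Physical tokens are tracked on the HR side, not in any account export
    for user, rec in roster.items():
        if rec["terminated"] and not rec["fob_returned"]:
            findings.append(("FOB_NOT_RETURNED", "physical", user))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_ROSTER, ACCOUNTS, TODAY):
        print("%-26s %-9s %s" % finding)
```

In practice the two exports would come from the directory and each SaaS provider's admin console; the point is that the cloud accounts only get checked if IT knows the system exists.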


Talkback

12 comments
  • It is a recognized problem.

    During the "great dying" when our company was laying off droves of people, we added extra IT staff to handle account disables and collecting laptops and desktops.

    But it didn't work. Management wanted to burn both ends of the candle: tell people they are being laid off, then letting them keep system access to "train their replacements" or do "knowledge sharing". Right. Needless to say, lots of passwords, critical docs, and whole databases (not to mention physical equipment) walked out the door once people knew they were laid off but still permitted access to systems and facilities.
    terry flores
    • RE: The security threat when the insider gets outside

      @terry flores Yeah... Managers don't really think these things through. Personally, I'd never do something like that because I have a conscience and I like to think I'm mostly a good person.
      snoop0x7b
  • RE: The security threat when the insider gets outside

    Our IT person got fired a few years ago under less than ideal circumstances. Talk about a nightmare!
    gibsonjunkie
  • RE: The security threat when the insider gets outside

    Having handled several individual "high concern" cases like this, I know that on a 1:1 basis, it is possible to handle ensuring company property, intellectual or physical, is appropriately protected... you start having problems keeping track long before it gets to 100:1, and it is impossible without well enforced policies beyond 100:1...

    The concept of "training your replacement" also very very rarely works well in the event of a layoff or termination... the only case I'm aware of where it did work well was an employee leaving for a career change and this employee was paid triple to extend his stay and train his replacement before he left...
    erik.soderquist
    • RE: The security threat when the insider gets outside

      @erik.soderquist Replacement training is a theory managers hold that in practice proves to be incorrect 90% of the time.
      snoop0x7b
      • RE: The security threat when the insider gets outside

        @snoop0x7b

        agreed, i swear some of the managers i've had to deal with also believe 9 women can have a baby in 1 month...
        erik.soderquist
  • good blog

    good portal good share thanks for editors
    alagozhayko
  • RE: The security threat when the insider gets outside

    Is there any cryptographic solution to detect insider as user....???
    pradeepkhl
  • RE: The security threat when the insider gets outside

    The way to deal with this is twofold.

    1. Get a competent HR department who actually makes sure that when an employee is "severed" (for whatever reason) they turn in ALL company property (meaning you need an inventory management system).
    2. Make sure administrators REMOVE the accounts.
    snoop0x7b
  • RE: The security threat when the insider gets outside

    Proper policies and monitoring of user accounts, along with documentation for said accounts, reduces the likelihood of this being an issue to near zero. As a former network/systems admin, it was my responsibility to ensure that all user accounts for all systems were disabled when an employee terminated, either by resignation or firing. We also regularly audited our systems to ensure that no one had created unauthorized accounts that could be used for later access, and documented the procedures so that we could keep records of all account activations and deactivations. Any company that doesn't recover fobs and/or keys is asking for trouble...studies have shown that more damage is done by internal users than external hackers, so leaving the door open is inexcusable.
    EricP_KY
    • RE: The security threat when the insider gets outside

      @EricP_KY totally correct and also have a separation of duties so the ones doing the auditing are not the ones making changes
      redrosewa
  • RE: The security threat when the insider gets outside

    ps - John, when you left the jobs that required those fobs, YOU should have turned those in, not just pushed them aside on your desk. Just because the IT or HR folks didn't ask for them when you left doesn't mean that you didn't have the responsibility of returning all company property.
    EricP_KY