ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Are you wary of the insider on the outside?

By | May 20, 2008, 7:37am PDT

Whenever the risks from the inside threat are discussed, it’s usually about the disgruntled/malicious employee within the firewall abusing permissions to steal data or plant malware in sensitive parts of the network.

But, there’s an insider on the outside that’s often forgotten — the ex-employee with access to user accounts (and default settings) that remain active after he/she has left the company.

A survey from Symark International drives home the point:

The study revealed that 42 percent of businesses do not know how many orphaned accounts exist within their organization, and 30 percent of respondents said they have no procedure in place to locate orphaned accounts.

That’s not a surprise at all. I’ve interviewed CIOs and CSOs for feature stories in the past about this issue and I’m always amazed at how few resources are allocated to deal with the insider on the outside. Too often, e-mail accounts of ex-employees are never disabled; default passwords for access to sensitive parts of an IT environment are never changed, leaving gaping holes through which valuable data can be stolen.

Other key findings from the survey include:

- Approximately 27 percent of respondents said that more than 20 orphaned accounts currently exist within their organization.

- More than 30 percent of respondents said it takes longer than three days to terminate an account after an employee or contractor leaves the company, while 12 percent said it takes longer than one month.

- More than 38 percent of respondents said that they had no way of determining whether a current or former employee used an orphaned account to access information, while 15 percent said that this has occurred at least once.

The big takeaway: Businesses must invest in and implement polices and technologies to ensure that user accounts are terminated swiftly as soon as the employee leaves the company. This is especially true for large, international enterprises managing locations across the globe.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Account, Marketing Research, Security, Marketing, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

6
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Are you wary of the insider on the outside?
mr1972 29th Jan 2009
This can also be true of small businesses. Especially if they contract their IT for a limited time.
View in thread
0 Votes
+ -
Policy is step one
srobtjones@... 20th May 2008
Having good policies for employee termination are step one. Step two is for IT and non-IT personnel to partner up to get this accomplished ASAP.

Having a checklist has helped clients of mine to know what to do and when. It also helps determine where and when breakdowns occurred in the process and to improve them moving forward.
0 Votes
+ -
Contributr
Yup, it has to be part of the risk management preparation
Ryan Naraine 20th May 2008
Yes, I agree it's something that has to be part of the preparation checklist during the risk management setup. It really surprises me that such a gaping hole is left unattended in some of the biggest companies.

_ryan
0 Votes
+ -
Annual reviews
jshaw4343 20th May 2008
Most organizations I have found are good at taking away the main LAN access effectively keeping the outsider outside. Internal access, however, typically takes much longer. Often they rely on annual access reviews to clean up old users. Then your back to worrying about the insider using these accounts to hide their malicious activity.
0 Votes
+ -
What if...
IT_Guy_z 21st May 2008
the insider on the outside is the former Director of MIS?

That happens to be me. The person who took over my position has STILL not changed any Admin usernames or passwords, EIGHTEEN MONTHS after taking over the job. How do I know? Because I check it on an irregular basis remotely. I can still get to all of the severs, and workstations, from the outside via remote access clients.

I left on completely amicable terms, and would never do anything to harm the organization. Actually, I am appalled that the current director has done nothing to secure the systems, but am concerned that if I bring it to the attention of the CEO, the new person may lose his/her job?which maybe they should.

The very first day on my new job, I changed every username and password I could that had Admin privileges. I also deleted all of my predecessor?s user accounts.

So if the admin isn?t doing their job?it?s an uphill battle to keep former worker-bees out.
0 Votes
+ -
If you really want to help,
Your Mom 2.0 22nd May 2008
...talk to the new guy, not his boss. In this manner you can share the wisdom of your experience without the risk of getting him in trouble.

He'll either appreciate the heads-up, or he'll think you're trying to tell him how to do his job, but in either event at least he'll be aware of the issue.

And if talking to the guy doesn't do any good, consider talking to his boss about it later. That's assuming you're genuinely concerned about the lax security issues and not just trying to make yourself look good by pointing out your predecessor's shortcomings.
0 Votes
+ -
RE: Are you wary of the insider on the outside?
mr1972 29th Jan 2009
This can also be true of small businesses. Especially if they contract their IT for a limited time.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix