
12/17/2009
02:35 PM
Dark Reading
Products and Releases

'Five Golden Rules' For Reducing Security Risk Posed By Temporary Holiday Workers

Courion provides best-practices approach to prevent security breaches

FRAMINGHAM, Mass., Dec. 15 /PRNewswire/ --

WHAT: Courion Corporation, leaders in access governance, provisioning, and compliance, has released its "five golden rules" - a set of best-practice-based guidelines for enterprises to reduce the security risk posed by temporary workers hired during the holiday season. Inadequate access controls for seasonal employees can lead to significant financial and brand damage for organizations and their customers, as was seen in the recent case of the temporary AT&T worker who stole the Social Security numbers of 2,100 co-workers and took out loans totaling more than $70,000 in their names, or the Bank of New York temp who siphoned $1M from customers by setting up "dummy" bank accounts.

DETAILS: A CareerBuilder survey found that nearly one in five companies plan to hire temporary employees in Q4 2009 to meet the holiday rush, and 25% of these employers will add more than 50 workers. Additionally, FedEx and UPS announced they will hire 64,000 temporary employees to meet increased shipping needs this holiday season. As companies take on these additional temporary workers, it is imperative that they apply and enforce stringent Access Assurance policies across all three phases of the employment period - time of hire, duration of employment, and contract completion - to help ensure protection of confidential company and customer information.

Ironically, many enterprises do not have dedicated security policies and controls for temporary workers, due to IT staff capacity limitations or the misguided belief that short-term workers "don't have enough time" to be dangerous. Courion recommends that enterprises address this gaping hole in their security armor by adopting its "Five Golden Rules" for Access Assurance, which include:

1. Clearly defining temporary roles - At the time of hire, it's important to immediately define access for temporary employees to company resources based on each worker's specific job function. This is an efficient and secure way to enable (and later easily disable) access for temporary workers, particularly for organizations hiring in large numbers.

2. Differentiating between roles of full time and seasonal employees - Whether or not role-based access is being used, temporary employees should only have access to those systems that are required to perform their job function. Supplying blanket access based on full time employees' roles can introduce unnecessary risk.

3. Employing a combination of detective and preventive controls - Detective controls like identity management and access provisioning provide a clear access profile that defines who has access to what. This should be combined with preventive controls such as data loss prevention (DLP) and security information and event management (SIEM) solutions to protect critical data stores and verify that workers' activity aligns with their job function and standard employee activities. Accessing systems and data remotely or at unusual hours could signal suspicious intent.

4. Disabling access immediately once an employee leaves - Ensure that employees are immediately de-provisioned when the employment period ends, leaving no gap between their official departure and the time when access is shut off. This prevents vulnerabilities due to "zombie" accounts - those that remain active and accessible to former employees.

5. Disabling all access inside and outside the organization - Shutting off network access is not enough when disabling departing employee access. The growing number of applications hosted in the cloud requires the IT manager to disable access to accounts at each system level, both on the network and in the cloud.

To arrange an interview with experts who can discuss all aspects of the security risk posed by temporary workers, contact:

Mariah Torpey, Davies Murphy Group, [email protected], 781-418-2404

About Courion

Courion's award-winning Access Assurance solutions are used by more than 400 organizations and over nine million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion's business-driven approach results in unparalleled customer success by ensuring users' access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com, our blog at blog.courion.com/, or on Twitter at twitter.com/Courion.

To view this release online, go to: http://www.courion.com/company/press_release.html?id=523

Courion is a registered trademark. All other company and product names may be trademarks of their respective owners.
