Vulnerabilities / Threats

8/18/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

50% of Ex-Employees Can Still Access Corporate Apps

Businesses drive the risk for data breaches when they fail to terminate employees' access to corporate apps after they leave.

When employees are terminated or move on to new roles, they're often taking access to corporate data with them. For some companies, this access leads to a data breach.

Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren't doing enough to protect against the threat of ex-employees.

Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.

Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees' accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don't know how long accounts remain active after workers leave.

"The value of the data at risk is higher than ever," says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.

"The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent," he adds.

The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops -- spreadsheets, processors, general ledgers. Then they began to transition to cloud services.

"Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud."

Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commission, ledgers, marketing, purchasing, paying invoices, doing expenses. As the surface area expands, companies have to deprovision 20- to 30 applications per worker instead of the usual four or five.

"There's this proliferation of applications," Hoyos continues. "Because of that, the risk has increased exponentially."

Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.

Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees' knowledge.

Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).

The amount of time it takes to deprovision an employee depends on how many applications they used and how long they've been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.

"There are several ways to mitigate, prevent, and protect against insider threats," says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.

With respect to access control, it's best to use industry standards for authentication like LDAP, PKI, Kerberos, two-factor authentication, implemented at the organization level, or ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.

Monitoring data to see how it's updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.

"This is very difficult and this is one reason why there are so many data breaches today," Thomassen adds.

Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.

Verizon's Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it's unsanctioned snooping (17%) or taking data to a new employer to start a rival company.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/21/2017 | 8:00:23 AM
Human Resource Failure
So I am not surprised by this at all.  Having just departed one firm for another, better paying, job --- I was still able to check my ex-employee email for about 2 weeks.  As an IT Site Engineer, I had access to critical resources.  Never did damage, I am a Pro and I left on my own choice.  But this shows that HR and IT do NOT talk together.  HR should have a univesal around-the-world policy of 24 hour (or less) termination of account access.  Email preservation.  Archive of data.   And test to make sure the account(s) are indeed closed.  This is just common sense and if companies wonder why they are hacked?  Look not too much further than this article.
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So now we are monitoring the monitor?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14623
PUBLISHED: 2018-12-14
A SQL injection flaw was found in katello's errata-related API. An authenticated remote attacker can craft input data to force a malformed SQL query to the backend database, which will leak internal IDs. This is issue is related to an incomplete fix for CVE-2016-3072. Version 3.10 and older is vulne...
CVE-2018-18093
PUBLISHED: 2018-12-14
Improper file permissions in the installer for Intel VTune Amplifier 2018 Update 3 and before may allow unprivileged user to potentially gain privileged access via local access.
CVE-2018-18096
PUBLISHED: 2018-12-14
Improper memory handling in Intel QuickAssist Technology for Linux (all versions) may allow an authenticated user to potentially enable a denial of service via local access.
CVE-2018-18097
PUBLISHED: 2018-12-14
Improper directory permissions in Intel Solid State Drive Toolbox before 3.5.7 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2018-3704
PUBLISHED: 2018-12-14
Improper directory permissions in the installer for the Intel Parallel Studio before 2019 Gold may allow authenticated users to potentially enable an escalation of privilege via local access.