Vulnerabilities / Threats

8/18/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

50% of Ex-Employees Can Still Access Corporate Apps

Businesses drive the risk for data breaches when they fail to terminate employees' access to corporate apps after they leave.

When employees are terminated or move on to new roles, they're often taking access to corporate data with them. For some companies, this access leads to a data breach.

Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren't doing enough to protect against the threat of ex-employees.

Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.

Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees' accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don't know how long accounts remain active after workers leave.

"The value of the data at risk is higher than ever," says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.

"The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent," he adds.

The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops -- spreadsheets, processors, general ledgers. Then they began to transition to cloud services.

"Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud."

Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commission, ledgers, marketing, purchasing, paying invoices, doing expenses. As the surface area expands, companies have to deprovision 20- to 30 applications per worker instead of the usual four or five.

"There's this proliferation of applications," Hoyos continues. "Because of that, the risk has increased exponentially."

Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.

Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees' knowledge.

Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).

The amount of time it takes to deprovision an employee depends on how many applications they used and how long they've been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.

"There are several ways to mitigate, prevent, and protect against insider threats," says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.

With respect to access control, it's best to use industry standards for authentication like LDAP, PKI, Kerberos, two-factor authentication, implemented at the organization level, or ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.

Monitoring data to see how it's updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.

"This is very difficult and this is one reason why there are so many data breaches today," Thomassen adds.

Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.

Verizon's Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it's unsanctioned snooping (17%) or taking data to a new employer to start a rival company.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/21/2017 | 8:00:23 AM
Human Resource Failure
So I am not surprised by this at all.  Having just departed one firm for another, better paying, job --- I was still able to check my ex-employee email for about 2 weeks.  As an IT Site Engineer, I had access to critical resources.  Never did damage, I am a Pro and I left on my own choice.  But this shows that HR and IT do NOT talk together.  HR should have a univesal around-the-world policy of 24 hour (or less) termination of account access.  Email preservation.  Archive of data.   And test to make sure the account(s) are indeed closed.  This is just common sense and if companies wonder why they are hacked?  Look not too much further than this article.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10727
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
CVE-2018-8018
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
CVE-2018-14415
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
CVE-2018-14418
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
CVE-2018-14419
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.