Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/18/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

50% of Ex-Employees Can Still Access Corporate Apps

Businesses drive the risk for data breaches when they fail to terminate employees' access to corporate apps after they leave.

When employees are terminated or move on to new roles, they're often taking access to corporate data with them. For some companies, this access leads to a data breach.

Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren't doing enough to protect against the threat of ex-employees.

Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.

Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees' accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don't know how long accounts remain active after workers leave.

"The value of the data at risk is higher than ever," says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.

"The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent," he adds.

The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops -- spreadsheets, processors, general ledgers. Then they began to transition to cloud services.

"Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud."

Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commission, ledgers, marketing, purchasing, paying invoices, doing expenses. As the surface area expands, companies have to deprovision 20- to 30 applications per worker instead of the usual four or five.

"There's this proliferation of applications," Hoyos continues. "Because of that, the risk has increased exponentially."

Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.

Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees' knowledge.

Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).

The amount of time it takes to deprovision an employee depends on how many applications they used and how long they've been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.

"There are several ways to mitigate, prevent, and protect against insider threats," says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.

With respect to access control, it's best to use industry standards for authentication like LDAP, PKI, Kerberos, two-factor authentication, implemented at the organization level, or ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.

Monitoring data to see how it's updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.

"This is very difficult and this is one reason why there are so many data breaches today," Thomassen adds.

Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.

Verizon's Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it's unsanctioned snooping (17%) or taking data to a new employer to start a rival company.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
8/21/2017 | 8:00:23 AM
Human Resource Failure
So I am not surprised by this at all.  Having just departed one firm for another, better paying, job --- I was still able to check my ex-employee email for about 2 weeks.  As an IT Site Engineer, I had access to critical resources.  Never did damage, I am a Pro and I left on my own choice.  But this shows that HR and IT do NOT talk together.  HR should have a univesal around-the-world policy of 24 hour (or less) termination of account access.  Email preservation.  Archive of data.   And test to make sure the account(s) are indeed closed.  This is just common sense and if companies wonder why they are hacked?  Look not too much further than this article.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: It is too bad the ceiling is made of glass!
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3686
PUBLISHED: 2020-01-17
openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameter. This was reported through the bug bounty program of Offensive Security
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.