A recent court case underlines the importance of good operational security procedures to manage employee and contractor exits to ensure all their access is revoked. A man has been sentenced to two years after deleting 456 virtual machines from Cisco’s infrastructure – 4 months after resigning from the firm.
As a result of the malicious action some 16,000 WebEx accounts were shut down for two weeks while Cisco rebuilt the infrastructure and had to refund $1 million of fees to affected customers.
Security Managers can consider this a timely reminder to review employee exit procedures to ensure that all accounts used by the departing employee are locked promptly.
Additional healthy operational security practices you should consider include:
- At least monthly, review all active accounts and disable those of employees and contractors who leave the company.
- Automatically lock accounts which are inactive for more than 28 days.
- Ensure all network and systems admin staff use personal logins and do not share admin accounts. Consider issuing staff with two logins, one with admin rights and one without, and staff should switch to the admin account to perform a task then switch back to their personal account as soon as possible.
- Where shared admin accounts do exist, the passwords must be changed whenever anyone who had access to them leaves the organisation.
- Perform additional checks for staff who leave while disgruntled or otherwise unhappy with the organisation and take steps to limit their system access before they depart.
To test how your team might react to a rogue employee causing damage, consider engaging SecureTeam to perform a Red Team Assessment or Internal Penetration Test.
