Employee departure is a critical step in any company; it is also the least appealing one, and therefore the most neglected.
There are many reasons for leaving a company, and with a little searching one quickly finds advice on giving a 'presentable' reason to the employer.
The fact is that a high proportion of people leave their jobs for negative reasons (low salary, bad atmosphere, poor management, boredom, pressure, etc.), but you will rarely hear it.
Some people leave the company with a great deal of resentment, and that is the whole problem.
The desire to do harm can be real, and it is up to you both to defuse these situations and to secure against them.

IT offboarding
We have already detailed the reasons for performing offboarding from a human point of view, with user management as a key issue.
Here, I offer another angle: the value of offboarding from an IT perspective. Managers and human resources have a strong interest in handling a departure properly, but the role of IT in that departure is just as crucial. Why?
Because it does not affect the employee directly, but the security of the company. That is what this article covers.
An employee who leaves their position also leaves behind a set of tools and software for which they held accounts. Imagine forgetting to reclaim the company access badge: the consequences range from annoying to serious depending on the sector you operate in. Yet keys and access badges are rarely forgotten when someone leaves.
Now imagine forgetting to inventory all the accounts the employee had access to and to close them. If you cannot picture it, it is the badge example again, but at the level of the company's data.
These still-active accounts of departed users are called orphaned accounts, and they are a form of shadow IT. We detailed what ghost accounts are in this previous article if you would like to learn more.
Orphan accounts
An orphan account is an active computer account that is not associated with any user, or whose user is no longer with the company.
Orphan accounts are created indirectly, as a by-product of the employee lifecycle.

IT is involved in stages 2, 3, and 4 of the employee lifecycle (integration, progression, and departure)! This is also the hidden side of the lifecycle.
- Integration: the employee becomes a user who needs physical equipment and software accounts. IT creates a number of accounts for them, such as AD, email, collaboration and communication tools, and those specific to their job.
- Progression: as the user evolves, they need new software and applications, and may change position or department. IT plays a supporting role here, and the stakes are high: shadow IT, meaning accounts not registered by the IT department, must be avoided at all costs. Dialogue must stay open, and the list of accounts must be documented and monitored. At this stage IT must check that the access granted still matches the employee's position and hierarchical level, and monitor certain sensitive accounts where necessary. For example, if the person joins the management team, certain accesses become very sensitive; if a person leaves the sales department for another department, the accounts related to customers and prospects must be suspended and closed.
⚠ Warning: it is during this phase that some orphaned accounts appear!
- Departure: the user leaves the company for new adventures in another company or on another project. IT plays a major role in the company's security at this point: ALL of the employee's accounts must be suspended and then closed. It is in this last step that most orphaned accounts are born.
For stages 3 and 4 (progression and departure), orphaned accounts are usually created because IT is not told about the change of position or the departure. This is a communication problem between HR, managers, and IT.
- The manager does not tell IT about accounts handed over from one person to another, about the new app they have been testing, etc.
- HR does not tell IT about a change of position or a departure; they are often overwhelmed and simply do not think of IT, not out of contempt, but out of forgetfulness or ignorance.
Result: the HR file no longer matches the IT user file.
Is there really a benefit to managing 'ghost' accounts?
It is clear that the key issue is the flow of information about:
- software and applications used
- access rights granted
- account transfers performed
- employee transfers
- departures of employees
You might say at this point: fine, but how do we keep AD and the software estate healthy? Do you realize we are overwhelmed with tasks too? Why bother with something that brings no visible value to anyone in the company?
And that's the whole problem.
Yes, you are right: deleting old accounts brings no satisfaction to the user, their manager, or even HR. So why this whole article?
CYBERATTACK
This word suddenly sounds very frightening! But what is it doing in the middle of this subject?
Your former employee can become your next security breach, directly or indirectly:
- Your former employee holds a grudge against the company and still has active administrator accounts.
- Your former employee is approached by attackers who offer them a large sum of money in exchange for their still-open access.
- Your former employee still has active accounts but has no intention of harming you. Attackers nevertheless discover these active accounts and take them over, and since nobody uses or watches the account any more, nobody notices.
Do not forget the harder, but equally risky, cases such as the death of an employee or a departure due to illness: the accounts remain open.
What happens during a cyberattack in this case?
Once an attacker has working access, they spend several weeks exploring the company's data, finding further administrator and privileged access, and exfiltrating as much data as possible.
Once they have taken everything they wanted, they finish the attack by deploying ransomware that encrypts all of the company's data, or they simply delete data such as virtual servers. This is the final blow after a long intrusion.

How to protect against ghost account attacks?
The simplest and most obvious solution: avoid having ghost accounts ^^
Clean up your orphaned accounts
For this, an identity and access management (IAM) tool will be your best weapon against orphaned and ghost accounts. An IAM solution cross-references two files: the HR file (HRIS), with employees and their arrival and departure dates, and the IT file (Active Directory), with users and their accounts.
This way, you receive alerts for:
- a file mismatch: an active account whose owner no longer appears as an employee (a departed employee)
- an employee departure date that has been reached
- access rights that do not match the software the job role requires.
The IAM solution also highlights duplicates, accounts not linked to any user, and so on. Your job is then to close the reporting gaps that let them appear.

Monitor your privileged accounts
If shadow IT persists despite everything, start with the privileged accounts.
Attackers always go for a broadly privileged account first; getting hold of one is almost a success factor for the attack.
The drawback is that, with the rise of SaaS tools in the cloud, privileged accounts proliferate, if only to administer and protect the SaaS applications themselves.
It is therefore important to pay particular attention to these accounts and to secure them. The harder it is to move around your environment, the easier it is to spot an intruder's movements, and the goal is of course to detect their presence as early in the attack as possible.
Privileged account monitoring should be in place; it can also be done with an IAM tool.
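The cross-check described in the two sections above (HRIS against Active Directory, plus a closer look at privileged accounts) is short enough to script. The block below is an added example for this article, not code from the article or from any IAM product. Both CSV exports are constructed sample data; the column names (employee_id, sAMAccountName, employeeID, memberOf, lastLogonDate), the ROLE_GROUPS policy and the PRIVILEGED_GROUPS set are assumptions about what a real HRIS export and a Get-ADUser export would contain.

```python
"""Cross-check an HRIS export against an Active Directory export.

Added example for this article; it is not code from the article or from any
IAM product. Column names (employee_id, sAMAccountName, memberOf, ...), the
ROLE_GROUPS policy and both CSV exports are constructed assumptions.
"""
import csv
import io
from datetime import date

AS_OF = date(2024, 3, 1)       # the day the check is run (constructed)
STALE_DAYS = 90                # a privileged account unused this long is suspicious
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "SaaS-Admins"}
# Groups each department may hold (constructed policy; the HR department is authoritative)
ROLE_GROUPS = {
    "Sales": {"CRM-Users", "VPN-Users"},
    "Finance": {"ERP-Users", "VPN-Users"},
    "IT": {"Domain Admins", "SaaS-Admins", "VPN-Users"},
}

# Constructed HRIS export: David Roux moved from Sales to Finance, Chloe Petit left.
HRIS_CSV = """employee_id,name,department,status,end_date
1001,Alice Martin,Sales,active,
1002,Bob Durand,Finance,active,
1003,Chloe Petit,IT,left,2024-01-15
1004,David Roux,Finance,active,
1005,Eva Lopez,Finance,active,
"""

# Constructed AD export, shaped like: Get-ADUser -Filter * -Properties ... | Export-Csv
AD_CSV = """sAMAccountName,employeeID,department,enabled,memberOf,lastLogonDate
amartin,1001,Sales,True,CRM-Users;VPN-Users,2024-02-28
bdurand,1002,Finance,True,ERP-Users;VPN-Users,2024-02-27
cpetit,1003,IT,True,Domain Admins;VPN-Users,2024-01-10
droux,1004,Sales,True,CRM-Users;ERP-Users,2024-02-29
droux2,1004,Finance,True,ERP-Users,2024-02-01
svc_backup,,IT,True,Domain Admins,2023-10-01
elopez,1005,Finance,False,ERP-Users,2023-12-01
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _day(text):
    return date.fromisoformat(text) if text else None


def reconcile(hris_csv=HRIS_CSV, ad_csv=AD_CSV, as_of=AS_OF):
    """Return findings as dicts: account, kind, severity, detail.

    kinds: orphan (owner left or unknown to HR), unlinked (no employeeID),
    duplicate (two enabled accounts for one employee), role_mismatch (group
    not allowed for the HR department), stale_privileged (admin account unused).
    """
    hr = {row["employee_id"]: row for row in _rows(hris_csv)}
    findings, seen = [], {}
    for acct in _rows(ad_csv):
        if acct["enabled"] != "True":
            continue                      # a disabled account is offboarding done right
        name, emp_id = acct["sAMAccountName"], acct["employeeID"]
        groups = set(filter(None, acct["memberOf"].split(";")))
        privileged = groups & PRIVILEGED_GROUPS
        sev = "high" if privileged else "medium"   # admin rights raise the severity
        person = hr.get(emp_id)
        end = _day(person["end_date"]) if person else None

        def flag(kind, detail, severity=sev):
            findings.append(dict(account=name, kind=kind, severity=severity, detail=detail))

        if not emp_id:
            flag("unlinked", "no employeeID: service account or ghost")
        elif person is None:
            flag("orphan", f"employeeID {emp_id} unknown to HR")
        elif person["status"] != "active" or (end and end <= as_of):
            flag("orphan", f"{person['name']} left on {person['end_date']}")
        else:
            extra = groups - ROLE_GROUPS.get(person["department"], set())
            if extra:
                flag("role_mismatch", f"{person['department']} must not hold {sorted(extra)}")
        if emp_id:
            if emp_id in seen:
                flag("duplicate", f"employeeID {emp_id} also used by {seen[emp_id]}", "low")
            seen.setdefault(emp_id, name)
        last = _day(acct["lastLogonDate"])
        if privileged and last and (as_of - last).days > STALE_DAYS:
            flag("stale_privileged", f"{sorted(privileged)} unused for {(as_of - last).days} days", "high")
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(reconcile(), key=lambda f: order[f["severity"]]):
        print(f"{f['severity']:<6} {f['account']:<12} {f['kind']:<17} {f['detail']}")
```

On the sample data the script flags cpetit (left in January, still enabled, still a Domain Admin), droux (transferred to Finance but still in the sales CRM group), droux2 (a second enabled account for the same employee), and svc_backup (no owner in HR, Domain Admin, unused for five months). elopez produces nothing because the account is disabled, which is what a correct departure looks like from the AD side. Run it against real exports by replacing the two constants with the contents of the files; the HR department, not the AD one, is treated as the source of truth, which is the whole point of the cross-check.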

Perform your updates.
Configure your infrastructure protection tools correctly and, above all, install updates and apply patches. According to the Ponemon Institute, unpatched vulnerabilities were behind 60% of data breaches in 2019.

Departures, the weak links in IT
Departures are often the weak point in a company's security. The orphaned accounts and shadow IT they create are today an inexhaustible source of cyberattacks.
The still-active administrator accounts of departed users are as much of a risk as weak passwords, malicious attachments, phishing, and the like.
If you would like to discuss shadow IT management, orphan accounts, duplicates... and clean up your AD, we will be happy to enlighten you.