BreachExchange mailing list archives
Re: Departing Employees Are Security Horror
From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Thu, 24 Oct 2013 17:53:57 -0500
This is good, but there's more to the story. Corporate information can be in a dumpster, filing cabinets, photo copy machines, computers, other places. Security thinking needs to be different for different types of data storage places. Data can walk out of the company many different ways, not limited to departing employees.

Frequently the boss of a new employee wants that employee to have access to ANYTHING they want access to. But maybe people in one business unit want access to data managed by people in another business unit. It can be useful sometimes to supply the managers of each business unit with a list: here is the data that your unit is in charge of, and here is a list of all employees who have authorized access to view, copy, add, change, delete records in that data, including people who work in other units. So if anything goes wrong, you know that it might not have been anyone in your dept who slipped up. There are computer systems where people in some business units cannot do their job properly unless they have almost unrestricted access to data of other business units. There may be something wrong with such designs.

Employees can get into physical facilities using keys and badges, which can be copied. A rogue employee is fired, and they must surrender the stuff needed to get into the facility, but they may have copied that in anticipation of this event. Some access locks into the building, and within the building, may need to be changed after the company parts company with an employee who had super-access. There may need to be security guards checking credentials until the lock changing has been implemented. Some companies have private security patrols in the vicinity of their property. These private guards should be supplied with updated lists of who is allowed on the property outside normal business hours, and who to contact in case of trouble.

There's access to the facilities in person, and by remote means.
Firewalls should be updated to block the employee no longer with the company, and maybe the VPN password should be changed. If the gone employee worked in IT, maybe all IT system passwords should be changed. Don't forget WiFi. If the gone employee worked in a department where co-workers did your job when you are sick or on vacation, maybe the people in that dept should change their passwords.

Sometimes passwords are issued to non-employees, associated with contracted services. When the service contract is completed, or the business is transferred to a different outfit, their privileges need to be removed. This means that there ought to be start-end communication between the business unit contracting for the services, and IT. Sometimes the contractors must be granted super-access privileges. IT will need to be able to compare reality before-after the contract period, and undo anything the contractor did which is in violation of normal security practices.

It may be simpler for IT to periodically supply HR with a report. Here are all the people with access to our system who:
* Have not signed on in a few months - are they gone?
* Have access because they are allegedly employees - are they still with us?
* Are special temporary scenarios, which will be revisited when the relevant business unit lets us know the scenario is ended.
* Are special scenarios - other explained.
Then HR can clarify regarding employees whose access privileges need to be removed, and new employees in need of addition.

Many employees have permission to take home all sorts of company stuff, to work on at home, or on business trips. This sort of permission ought to be reviewed from time to time, such as when the employees get a new boss, just to make sure the new boss reviews the old agreements, and has some idea of the volume and variety of company stuff outside of the company.
Al Mac = Alister William Macintyre

_____
From: dataloss-bounces () datalossdb org [mailto:dataloss-bounces () datalossdb org] On Behalf Of Audrey McNeil
Sent: Wednesday, October 23, 2013 2:02 AM
To: dataloss () datalossdb org
Subject: [Dataloss] Departing Employees Are Security Horror

http://online.wsj.com/news/articles/SB10001424052702303442004579123412020578896

Information theft by departing employees isn't what it used to be; it's much easier. But there are ways for companies to guard against it.

Workers who wanted to take confidential corporate information with them when they left a company used to have to sneak paper documents out the door. Now, in a few clicks, corporate secrets can be downloaded to a mobile device or uploaded to an online storage service.

In one recent example, Zynga Inc. and Kixeye Inc., competing developers of online games, settled out of court a suit in which Zynga claimed that one of its former employees uploaded 760 Zynga files to a Dropbox account just before he left the company and went to work at Kixeye. The employee, Alan Patmore, apologized in a statement for "copying and taking Zynga confidential information when I resigned from Zynga."

Most theft of this kind goes unreported, but it is rampant. Half the employees recently surveyed by the Ponemon Institute and Symantec Corp., a maker of information-security software, said they had taken sensitive business documents with them when they changed jobs.

To prevent such theft, it's important for companies to first understand what data they're trying to protect and where it resides, says George J. Silowash, a cybersecurity analyst at the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute. Sensitive information tends to be scattered among departments or business units, sometimes in different computer systems, and many companies don't have a comprehensive record of the data they hold.
Next, it's important to know what access every employee has to company information, says Earl Perkins, a research analyst at Gartner Inc., so that access to confidential information can be revoked when an employee leaves the company. Ideally, revoking that access should happen automatically, he says.

Data-loss prevention software from Symantec, Websense Inc., EMC Corp.'s RSA division and others can help companies keep track of sensitive information. The software inspects data content and, based on policies the company creates, blocks certain information from leaving the company. Gartner estimates the market for this type of software will total $670 million this year, up from $300 million in 2010.

Finally, it's crucial that IT security managers communicate with the human-resources department so they are aware of pending layoffs or other personnel issues that might lead to employee departures. "The simplest thing companies can do is to make sure there is a good communication path between human resources and IT security staff," says Patrick Reidy, former chief information-security officer at the Federal Bureau of Investigation, who now holds the same post at Computer Sciences Corp. But companies should have legal or privacy experts make sure human resources is allowed to share employee information this way, keeping in mind that laws differ in various countries.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
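The periodic IT-to-HR access report that Al Mac sketches above (dormant accounts, "allegedly employees", temporary contractor scenarios, other explained cases) and his removal checklist (firewall/VPN, WiFi, rotating passwords after a super-access user leaves) can be expressed as a small reconciliation script. The following is an added example written for this archive page; it is not code from the poster, the list, or the WSJ article. The 90-day dormancy threshold, the account kinds, the bucket names and the sample roster are all assumptions chosen for illustration.

```python
"""Periodic access-review report of the kind the post describes: every account
on a system is sorted into a bucket (dormant, employee to be confirmed by HR,
contract ended / active / missing an end date, not on the HR roster, other)
and HR is also shown people on its roster who have no account yet."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# "A few months" in the post; the 90-day figure is an assumed threshold.
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    username: str
    kind: str                        # "employee", "contractor" or "service" (assumed vocabulary)
    last_logon: Optional[date]       # None = never signed on
    contract_end: Optional[date] = None
    privileged: bool = False         # the post's "super-access"
    note: str = ""                   # explanation for "special scenarios - other explained"


def classify(acct: Account, today: date, hr_active: Set[str]) -> str:
    """Return the review bucket for one account (bucket names are this example's)."""
    if acct.kind == "contractor":
        if acct.contract_end is None:
            return "contract_no_end_date"        # business unit never told IT the end date
        if acct.contract_end < today:
            return "contract_ended"              # remove; undo any changes made with it
        return "contract_active"                 # revisit when the unit says it is over
    if acct.kind == "employee" and acct.username not in hr_active:
        return "not_on_hr_roster"                # HR says gone, IT still has an account
    if acct.last_logon is None or today - acct.last_logon > DORMANT_AFTER:
        return "dormant"                         # "have not signed on in a few months"
    if acct.kind == "employee":
        return "employee_verify"                 # "allegedly employees - still with us?"
    return "special_other"                       # service accounts etc.; note explains why


def build_review(accounts: List[Account], hr_active: Set[str], today: date) -> Dict[str, List[str]]:
    """Group usernames by bucket and add the people HR knows about but IT does not."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        report.setdefault(classify(acct, today, hr_active), []).append(acct.username)
    have_accounts = {acct.username for acct in accounts}
    report["on_hr_roster_no_account"] = sorted(hr_active - have_accounts)
    return report


def offboarding_actions(acct: Account) -> List[str]:
    """Removal checklist drawn from the post; super-access accounts get the extra rotations."""
    actions = ["disable account", "remove firewall/VPN access", "revoke WiFi credentials",
               "collect keys and badges (assume copies exist: rekey what they opened)"]
    if acct.privileged:
        actions += ["rotate passwords on every system the account could reach",
                    "rotate VPN and WiFi shared secrets",
                    "diff system configuration before/after and undo unauthorized changes"]
    return actions


def sample_review() -> Dict[str, List[str]]:
    """Run the report over a constructed roster (not real data)."""
    today = date(2013, 10, 24)
    accounts = [
        Account("jdoe", "employee", date(2013, 10, 20)),
        Account("rsmith", "employee", date(2013, 6, 1)),                       # silent for 145 days
        Account("tgone", "employee", date(2013, 10, 1)),                       # HR dropped from roster
        Account("acme_svc", "contractor", date(2013, 9, 15), contract_end=date(2013, 9, 30), privileged=True),
        Account("newvendor", "contractor", date(2013, 10, 22), contract_end=date(2014, 3, 31)),
        Account("build_bot", "service", date(2013, 10, 23), note="CI runner, owned by dev team"),
    ]
    hr_active = {"jdoe", "rsmith", "newhire"}                                  # constructed HR roster
    return build_review(accounts, hr_active, today)


if __name__ == "__main__":
    for bucket, names in sorted(sample_review().items()):
        print(f"{bucket:26} {', '.join(names)}")
```

The two inputs that matter are the system's own account list (with last-logon dates) and HR's list of current employees; the report is only as good as the business units' willingness to tell IT when a contract ends, which is why a contractor account with no recorded end date gets its own bucket rather than being silently treated as active.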