BreachExchange mailing list archives

Re: Departing Employees Are Security Horror


From: "Al Mac Wow" <macwheel99 () wowway com>
Date: Thu, 24 Oct 2013 17:53:57 -0500

This is good, but there's more to the story.

 

Corporate information can be in a dumpster, filing cabinets, photo copy
machines, computers, other places.

Security thinking needs to be different for different types of data storage
places.

 

Data can walk out of the company many different ways, not limited to
departing employees.

 

Frequently the boss of a new employee wants that employee to have access to
ANYTHING they want access to.

But maybe people in one business unit want access to data managed by people
in another business unit.

 

It can be useful sometimes to supply the managers of each business unit with
a list:  Here is the data that your unit is in charge of, and here is a list
of all employees who have authorized access to view, copy, add, change,
delete records in that data, including people who work in other units.  So
if anything goes wrong, you know that it might not have been anyone in your
dept, who slipped up.

 

There are computer systems, where people in some business units cannot do
their job properly, unless they have almost unrestricted access to data of
other business units.  There may be something wrong with such designs.

 

Employees can get into physical facilities using keys and badges, which can
be copied.

A rogue employee is fired, and they must surrender the stuff needed to get
into the facility, but they may have copied that in anticipation of this
event.  Some access locks into the building, and within the building, may
need to be changed, after the company parts company with an employee who had
super-access.

There may need to be security guards checking credentials until the lock
changing has been implemented.

 

Some companies have private security patrols in the vicinity of their
property.  These private guards should be supplied with updated lists of who
is allowed on the property, outside normal business hours, and who to
contact in case of trouble.

 

There's access to the facilities in person, and by remote means.

Firewalls should be updated to block the employee no longer with the
company, and maybe the VPN password should be changed.

If the departed employee worked in IT, maybe all IT system passwords should
be changed.  Don't forget WiFi.

If the departed employee worked in a department where co-workers did each
other's jobs when someone was sick or on vacation, maybe the people in that
dept should change their passwords.

 

Sometimes passwords are issued to non-employees, associated with contracted
services.

When the service contract is completed, or the business is transferred to a
different outfit, their privileges need to be removed.

This means that there ought to be start-end communication between the
business unit contracting for the services, and IT.

Sometimes the contractors must be granted super-access privileges.  IT will
need to be able to compare reality before-after the contract period, and
undo anything the contractor did, which is in violation of normal security
practices.

 

It may be simpler for IT to periodically supply HR with a report.

Here are all the people, with access to our system, who:

*       Have not signed on in a few months: are they gone?
*       Have access because they are allegedly employees: are they still
with us?
*       Are special temporary scenarios, which will be revisited when the
relevant business unit lets us know the scenario is ended.
*       Are other special scenarios, as explained.

Then HR can clarify regarding employees whose access privileges need to be
removed, and new employees in need of addition.

 

Many employees have permission to take home all sorts of company stuff, to
work on at home, or on business trips.

This sort of permission ought to be reviewed from time to time, such as when
the employees get a new boss, just to make sure the new boss reviews the old
agreements, and has some idea of the volume and variety of company stuff
outside of the company.

 

Al Mac = Alister William Macintyre
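An added example (not part of Al Mac's message or of the WSJ article) of the three reports described above: the per-unit list of who holds view/copy/add/change/delete rights on each unit's data, including people from other units; the before/after comparison of a contractor's privileges so that anything they added can be undone; and the periodic report IT hands to HR of dormant accounts, accounts not on HR's roster, ended contracts and other special scenarios. All user names, business units, datasets and dates are constructed, and the in-memory inventory stands in for an export from the directory or IAM system.

```python
# Added example (not from the original message): a periodic access-review
# report of the kind described above, run over a constructed inventory.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user: str
    kind: str                              # "employee", "contractor" or "service"
    unit: str                              # business unit the holder belongs to
    last_login: Optional[date]
    contract_end: Optional[date] = None    # contractors only
    grants: dict = field(default_factory=dict)   # dataset -> set of rights


# Constructed sample data; a real run would read the directory/IAM export and HR's roster.
TODAY = date(2013, 10, 24)
ACCOUNTS = [
    Account("alice", "employee", "finance", date(2013, 10, 20),
            grants={"ledger": {"view", "change"}}),
    Account("bob", "employee", "sales", date(2013, 6, 1),        # left; account never disabled
            grants={"crm": {"view", "add"}, "ledger": {"view"}}),
    Account("carol", "employee", "it", date(2013, 10, 23),
            grants={"ledger": {"view", "change", "delete"}, "crm": {"view", "delete"}}),
    Account("dave", "contractor", "it", date(2013, 9, 30), contract_end=date(2013, 9, 30),
            grants={"crm": {"view", "change"}}),
    Account("erin", "contractor", "finance", date(2013, 10, 22), contract_end=date(2014, 3, 31),
            grants={"ledger": {"view"}}),
    Account("svc-backup", "service", "it", None,
            grants={"ledger": {"view"}, "crm": {"view"}}),
]
HR_ACTIVE = {"alice", "carol"}                        # HR's list of current employees
DATA_OWNERS = {"ledger": "finance", "crm": "sales"}   # which unit is in charge of each dataset


def dormant(accounts, today=TODAY, days=90):
    """People who have not signed on in `days` days. Service accounts are skipped:
    they never sign on interactively and need a separate review."""
    cutoff = today - timedelta(days=days)
    return sorted(a.user for a in accounts
                  if a.kind != "service" and (a.last_login is None or a.last_login < cutoff))


def not_on_roster(accounts, hr_active=HR_ACTIVE):
    """Accounts that exist because the holder is allegedly an employee, but HR no longer lists them."""
    return sorted(a.user for a in accounts if a.kind == "employee" and a.user not in hr_active)


def contract_ended(accounts, today=TODAY):
    """Contractor accounts whose contract end date has passed but which still exist."""
    return sorted(a.user for a in accounts
                  if a.kind == "contractor" and a.contract_end is not None and a.contract_end < today)


def hr_report(accounts=ACCOUNTS, today=TODAY):
    """The buckets IT hands to HR, each a sorted list of user names."""
    ended = set(contract_ended(accounts, today))
    open_contract = [a.user for a in accounts if a.kind == "contractor" and a.user not in ended]
    return {
        "dormant": dormant(accounts, today),
        "not_on_hr_roster": not_on_roster(accounts),
        "contract_ended": sorted(ended),
        "temporary_until_unit_says_otherwise": sorted(open_contract),
        "other_special": sorted(a.user for a in accounts if a.kind == "service"),
    }


def owner_report(accounts=ACCOUNTS, data_owners=DATA_OWNERS):
    """Per business unit: the datasets it is in charge of and everyone holding
    rights on them, with holders from other units flagged."""
    report = {}
    for dataset, owner in data_owners.items():
        holders = [{"user": a.user, "unit": a.unit, "rights": sorted(a.grants[dataset]),
                    "cross_unit": a.unit != owner}
                   for a in accounts if a.grants.get(dataset)]
        report.setdefault(owner, {})[dataset] = sorted(holders, key=lambda h: h["user"])
    return report


def grant_diff(before, after):
    """Compare grants before and after a contract period. Returns the (user, dataset, right)
    triples that appeared and that disappeared, so anything the contractor added can be undone."""
    def flat(accounts):
        return {(a.user, d, r) for a in accounts for d, rights in a.grants.items() for r in rights}
    b, a = flat(before), flat(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


if __name__ == "__main__":
    import json
    print(json.dumps(hr_report(), indent=2))
    print(json.dumps(owner_report(), indent=2))
```

On the constructed data, bob shows up twice (dormant and not on HR's roster), which is the signal the message describes: a departed employee whose account was never disabled. dave's contract ended three weeks ago and his account still carries change rights on the CRM, and three of the five holders of ledger rights sit outside finance, which is exactly the list a business-unit manager would want to see.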

  _____  

From: dataloss-bounces () datalossdb org
[mailto:dataloss-bounces () datalossdb org] On Behalf Of Audrey McNeil
Sent: Wednesday, October 23, 2013 2:02 AM
To: dataloss () datalossdb org
Subject: [Dataloss] Departing Employees Are Security Horror

 

http://online.wsj.com/news/articles/SB10001424052702303442004579123412020578896

Information theft by departing employees isn't what it used to be: it's much
easier. But there are ways for companies to guard against it.

Workers who wanted to take confidential corporate information with them when
they left a company used to have to sneak paper documents out the door. Now,
in a few clicks, corporate secrets can be downloaded to a mobile device or
uploaded to an online storage service.

In one recent example, Zynga Inc. and Kixeye Inc., competing developers of
online games, settled out of court a suit in which Zynga claimed that one of
its former employees uploaded 760 Zynga files to a Dropbox account just
before he left the company and went to work at Kixeye. The employee, Alan
Patmore, apologized in a statement for "copying and taking Zynga
confidential information when I resigned from Zynga." 

Most theft of this kind goes unreported, but it is rampant. Half the
employees recently surveyed by the Ponemon Institute and Symantec Corp., a
maker of information-security software, said they had taken sensitive
business documents with them when they changed jobs.

To prevent such theft, it's important for companies to first understand what
data they're trying to protect and where it resides, says George J.
Silowash, a cybersecurity analyst at the CERT Insider Threat Center at
Carnegie Mellon University's Software Engineering Institute. Sensitive
information tends to be scattered among departments or business units,
sometimes in different computer systems, and many companies don't have a
comprehensive record of the data they hold.

Next, it's important to know what access every employee has to company
information, says Earl Perkins, a research analyst at Gartner Inc., so that
access to confidential information can be revoked when an employee leaves
the company. Ideally, revoking that access should happen automatically, he
says.

Data-loss prevention software from Symantec, Websense Inc., EMC Corp.'s RSA
division and others can help companies keep track of sensitive information.
The software inspects data content and, based on policies the company
creates, blocks certain information from leaving the company. Gartner
estimates the market for this type of software will total $670 million this
year, up from $300 million in 2010.

Finally, it's crucial that IT security managers communicate with the
human-resources department so they are aware of pending layoffs or other
personnel issues that might lead to employee departures. "The simplest thing
companies can do is to make sure there is a good communication path between
human resources and IT security staff," says Patrick Reidy, former chief
information-security officer at the Federal Bureau of Investigation, who now
holds the same post at Computer Sciences Corp.

But companies should have legal or privacy experts make sure human resources
is allowed to share employee information this way, keeping in mind that laws
differ in various countries.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
