Security Basics mailing list archives
Re: Risk of Redirecting Email.
From: Meenal Mukadam <meenal.mukadam () gmail com>
Date: Wed, 8 Apr 2009 12:16:51 +0530
Hello Munyaradzi,

I agree with your concern. But according to me, the real problem is not "personnel requesting to redirect their mails", but is actually "having no proper controls in place to terminate the account" when a person leaves the organization.

If there were proper controls implemented like:

1) Having a comprehensive and apt policy and procedures in place (to guide the actions to be taken when any employee leaves the company)
2) Termination of account and access rights
3) Backup of the critical business information from the account
4) Not sharing default access credentials
5) Verifying that no backdoors are opened (having forwarding mails in place can be considered as a type of backdoor)
6) Cleansing the system after the employee leaves (many employees tend to implant malicious code to have a perpetual source of information... so any organization has to guard against it... the best way, but not the easiest, is to take an info backup and reinstall the O.S. and applications again)

According to me, if these controls were in place, even if the personnel requested redirection of their mail, it wouldn't be possible to do so. Because if an account was PROPERLY terminated, then from where would they get the mails?

The risks faced were nicely covered by many. But I will add in a few:

1) Risks due to loss of confidential info (new product/service info)
2) Risks due to loss of mission critical or competitive info (tender/contracts, R&D info)
3) Risks due to internal secrets being leaked out
4) Risks due to sales info being sold or used by competitors
5) Risk due to availability of info, etc.

Hope this answers your question :)

Regards,
Meenal A. Mukadam

On Tue, Mar 31, 2009 at 9:24 PM, M.D.Mufambisi <mufambisi () gmail com> wrote:
Hi people.

I have seen on some clients of mine, that when an employee leaves the organisation, they request IT to redirect their emails to a particular email address... personal. What are the risks of this? I can only think of company information being directed to this individual... which could be bad if he/she has gone to work for a competitor.

What other risks or security issues could this give rise to?

Thanks.

Munyaradzi Dumisani Mufambisi
--
Meenal A. Mukadam
http://www.linkedin.com/in/meenalmukadam

Far away there in the sunshine are my highest aspirations. I may/may not reach them, but I can look up and see their beauty, believe in them and try to follow where they lead