{"id":70799,"date":"2014-07-17T16:11:15","date_gmt":"2014-07-17T20:11:15","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-09-15T12:04:34","modified_gmt":"2022-09-15T16:04:34","slug":"can-former-staff-still-access-secure-info","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/can-former-staff-still-access-secure-info\/","title":{"rendered":"Can Former Staff Still Access Secure Info?"},"content":{"rendered":"

\"CanInfoSecurity Magazine<\/em><\/a> recently published an article<\/a> that blames cavalier<\/strong> attitudes about password management<\/strong> for a new era of data breaches<\/strong>. The article says that a fundamental lack of IT security awareness<\/strong> in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches.<\/p>\n

The author cites a survey<\/a> from Lieberman Software<\/a> of IT security professionals. In the survey, 13% of IT security pro’s interviewed at the RSA Conference 2014<\/a> in San Francisco\u00a0admit to being able to access previous employers\u2019 systems<\/strong> using their old credentials.<\/p>\n

\"access<\/a>Perhaps even more alarming is that of those able to get access to previous employers\u2019 systems nearly 23% can get into their previous two employers\u2019 systems using old credentials<\/strong>. And, shockingly, more than 16% admit to still having access to systems at all previous employers Lieberman reports. Philip Lieberman<\/a>, CEO and president of the company, told InfoSecurity<\/em> in an interview that he blames executives<\/strong> who are satisfied with only meeting minimum security requirements<\/strong>.<\/p>\n

Investments in security for technology, people, and processes have been meager, at best, in most organizations for many years … many C-level executives have been strongly discouraged from implementing anything other than the minimum security required by law.<\/em><\/p>\n

\"don't<\/a>The survey also showed a communications breakdown between the IT Pros and management. Nearly one in five respondents admit that they do not have, or don’t know<\/strong> if they have, a policy<\/strong> to make sure that former employers and contractors can no longer access systems after leaving<\/strong> the organization according to the article.<\/p>\n

The survey also found that current employees are also a concern. The InfoSecurity<\/em> article says that almost 25% of employees surveyed said that they work in organizations that do not change their service and process account passwords within the 90-day<\/strong> time frame commonly cited as best practice by most regulatory compliance mandates. Lieberman pointed out that users who run with elevated privileges can introduce all sorts of IT headaches by downloading and installing applications, and changing their system configuration settings. CEO\u00a0Lieberman warned that an organization would be wise to strictly control and monitor the privileged actions of its users by:<\/p>\n

    \n
  1. Get control over privileged accounts<\/strong>. Start by generating unique and complex passwords for every individual account on the network \u2013 and changing these passwords often (no more shared or static passwords).<\/li>\n
  2. Make sure you\u2019re securely storing current passwords<\/strong> and making them available only to delegated staff<\/strong>, for audited<\/strong> use, for a limited time<\/strong> (no more anonymous and unlimited privileged access \u2013 for anyone).<\/li>\n
  3. Automate<\/strong> the entire process with an enterprise-level privileged identity management approach. Mr. Lieberman argues, \u201cwhen users exhibit poor behavior while logged into their powerful privileged accounts, you can be immediately alerted and respond to the threat.<\/em>\u201d<\/li>\n<\/ol>\n

    \"half-life<\/a>Mr. Lieberman told InfoSecurity<\/em> that In the wake of the Edward Snowden<\/a> \/ NSA<\/a> scandal and the Target breach<\/a>, one would think that corporations would feel that minimizing the insider threat and the attempts of sophisticated criminal hackers to groom those with privileged accounts would be of tantamount importance. But, Lieberman cited a \u201chalf-life mentality of opening the pocketbook for security investments immediately after a data breach occurs, but then diminishing back to basic security after a few months.<\/em>\u201d<\/p>\n

    rb-<\/em><\/strong><\/p>\n

    When an employee leaves the company, it\u2019s imperative to ensure that he or she is not taking the password secrets that can gain access to highly sensitive systems. <\/em><\/p>\n

    To back this up, Verizon\u2019s 2013 annual Data Breach Investigations Report<\/a> says that more than three-quarters (76%) of network intrusions relied on weak or stolen credentials \u2013 a risk that Verizon describes as \u201ceasily preventable\u201d.<\/em><\/p>\n

    Creating Privileged Accounts:<\/em><\/p>\n