How Good is your Employee Termination Policy?
A former employee of Baltimore Substance Abuse Systems Inc. compromised his boss’ computer during a presentation and replaced some of the content with pornographic material. It is customary to have policies in place that require terminated employees to be escorted out of the building by either a security officer or member of upper level administration.
When it comes to terminating employees, this case highlights the importance of having a solid corporate termination policy. The actions of this former employee embarrassed the company during a presentation, but what if he had deleted business-critical data and trashed the backups? Or copied the business-critical data (i.e. financial data, client credit card data or employee information) and sold it to the highest bidder?
It is important to have a policy for limiting access to corporate technical resources after an employee has been terminated. Some basic steps include: disabling the user's account(s), changing or locking all the passwords the former employee had access to, disabling corporate e-mail access and locking down access to their personal workstation.
An email from HR, using a pre-configured template, to all key stakeholders, with a means of reporting back to HR confirming the work has been completed, would help prevent this kind of malicious activity. Of course, the account(s) should be monitored to detect potential unauthorized access. Do you have a similar horror story to share?
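As an added illustration (not part of this diary or any tool it mentions), the following Python models the two controls described above: an HR-owned checklist where each stakeholder team must confirm its own task back, and a monitor that flags any authentication event against a terminated account after the termination time. The task names, team names, usernames, log format and log lines are all constructed for the example.

```python
"""Offboarding checklist with stakeholder confirmation, plus monitoring of
terminated accounts for later authentication attempts.

Added example only; every identifier and sample record here is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Work items from the termination checklist, each keyed to the team that owns it.
# Team names are constructed for this example.
OFFBOARDING_TASKS = {
    "disable_user_accounts": "identity",
    "rotate_shared_passwords": "infrastructure",
    "disable_corporate_email": "messaging",
    "lock_workstation": "desktop-support",
}


@dataclass
class Offboarding:
    """One terminated employee's checklist, as HR would track it."""
    username: str
    terminated_at: datetime
    confirmations: dict = field(default_factory=dict)  # task -> (team, when)

    def confirm(self, task: str, team: str, when: datetime) -> None:
        """Record a stakeholder's report back to HR.

        Only the owning team may close its own task, so a single reply cannot
        mark the whole checklist done on someone else's behalf.
        """
        if task not in OFFBOARDING_TASKS:
            raise KeyError(f"unknown offboarding task: {task}")
        if OFFBOARDING_TASKS[task] != team:
            raise PermissionError(f"{team} does not own task {task}")
        self.confirmations[task] = (team, when)

    def outstanding(self) -> list[str]:
        """Tasks that no stakeholder has confirmed yet."""
        return sorted(t for t in OFFBOARDING_TASKS if t not in self.confirmations)

    def is_closed(self) -> bool:
        return not self.outstanding()


# Constructed log format: "<ISO-8601 time> <RESULT> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+)\s+(ACCEPTED|REJECTED)\s+user=(\S+)\s+src=(\S+)$")


def flag_post_termination_auth(log_lines, offboardings):
    """Return every authentication event against a terminated account that
    occurred at or after that account's termination time.

    Both outcomes are reported: an ACCEPTED event means the account was never
    actually disabled; a REJECTED one means someone is still trying to use it.
    """
    cutoffs = {o.username: o.terminated_at for o in offboardings}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth line in the expected format
        ts_text, result, user, src = m.groups()
        when = datetime.fromisoformat(ts_text)
        if user in cutoffs and when >= cutoffs[user]:
            hits.append((user, ts_text, result, src))
    return hits


# --- constructed sample data -------------------------------------------------
T0 = datetime(2011, 6, 23, 9, 0, tzinfo=timezone.utc)  # termination time

SAMPLE_LOG = [
    "2011-06-23T08:30:00+00:00 ACCEPTED user=jdoe src=10.0.0.5",     # before termination
    "2011-06-23T09:45:00+00:00 ACCEPTED user=jdoe src=203.0.113.7",  # after: account still live
    "2011-06-23T10:02:00+00:00 REJECTED user=jdoe src=203.0.113.7",  # after: attempt on disabled account
    "2011-06-23T10:05:00+00:00 ACCEPTED user=asmith src=10.0.0.9",   # unrelated current employee
    "garbage line that does not parse",
]


def run_example():
    """Walk one termination through the checklist and the monitor."""
    jdoe = Offboarding("jdoe", T0)
    jdoe.confirm("disable_user_accounts", "identity", T0)
    jdoe.confirm("disable_corporate_email", "messaging", T0)
    pending = jdoe.outstanding()  # teams HR is still waiting on
    alerts = flag_post_termination_auth(SAMPLE_LOG, [jdoe])
    return pending, alerts


if __name__ == "__main__":
    pending, alerts = run_example()
    print("awaiting confirmation for:", pending)
    for hit in alerts:
        print("post-termination auth event:", hit)
```

The checklist refuses a confirmation from a team that does not own the task, which is what makes the "report back to HR" step meaningful: HR sees exactly which control is still open rather than a single "done". The monitor deliberately reports rejected attempts as well as successes, since a string of rejections against a disabled account is the signal that the account is still being targeted.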
[1] http://www.dailymail.co.uk/news/article-2006962/Fired-IT-manager-hacked-companys-swapped-boss-digital-presentation-porn.html?ito=feeds-newsxml
[2] http://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-computer-hacking-sentence-20110621,0,857376.story
[3] http://nakedsecurity.sophos.com/2011/06/22/hacker-ceo-presentation-porn/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
HackDefendr
Jun 23rd 2011
1 decade ago
Last time I checked, a tech's average stay anywhere is about 18 months. That's why most of us are "Consultants" now.
PC.Tech
Jun 23rd 2011
1 decade ago
Old Dad
Jun 23rd 2011
1 decade ago
Once a person's role within the organisation changes, so should their access levels.
Far too often I've seen people being allowed access to systems that are far out of their current scope after doing a particular job to cover for people on mat(pat)ernity leave.
BloodyL
Jun 23rd 2011
1 decade ago
I'm calling b.s. on that one.
Pevensey
Jun 23rd 2011
1 decade ago
I hope you at least look the person in the eyes when you do that. You wouldn't happen to be Mr. Burns, would you?
While you seem to take a HUGE amount of physical security in your termination procedures, you let slip that you actually have very poor internal security on the technical side.
If you have to change remote access IDs and passwords, that means you're using some form of shared authentication creds (username & password that more than 1 person has access to). Sure, you might take the required precautions when someone is terminated, but what about when you have a bad actor that is currently employed? They can use the shared authentication to get in & you would have no idea who the bad one is.
Shared authentication should never be used. If there are cases where you need to have a special account as a backup, you have two people form the password in turn, then put the two halves in a sealed envelope that is in secure storage.
JasonTracy
Jun 23rd 2011
1 decade ago
Pevensey: No b.s. here whatsoever. Where there is an inventory of 10+ million USD of technical parts, you take preventative action to protect that inventory as well as to protect the internal network and other employees. We have never had a problem to date. Would you rather have us terminate the employee and then give them a few hours to get their "things" together? I think not.
Old Dad
Jun 23rd 2011
1 decade ago
The cops will do pretty much anything for anyone that pays them and has some level of standing within a community (small business owner is good enough). The U.S. is quickly gaining 3rd world banana republic status, in case you haven't noticed. Complete with an East German style police state - 50% of the population employed in one way or another (police, medical responders, firemen, postal workers, meter readers, teachers, social workers, children, etc.) to spy on the other 50%, most of whom are unemployed.
Jamison
Jun 23rd 2011
1 decade ago
Phil
Jun 23rd 2011
1 decade ago
I have full "keys" to the city and I was told this past Monday that I am no longer needed after next Friday. Because of my hours I was told prior to any other sysadmins being on site; I was permitted to leave the GM's office and return to work. I would have expected my accounts to have been locked, and to be escorted out.
Obviously I must have high moral values.
Also, there was another sysadmin told the same thing on Tuesday, he still sits beside me.
Oh, I almost forgot to mention the accounting staff were gassed too. They too are still sitting at their desks with their usual level of access.
Do you think our employer dropped their pants?
Maybe they don't care as our employer was bought by a larger player.
k.o.
K.O.
Jun 23rd 2011
1 decade ago