Employers Forgetting to Remove Access for Ex-Employees? 22
This devilish Anonymous Coward asks: "Quite by accident, I misdialed the other day and wound up in the voicemail system of my ex-employer, late of some 4 months now. Curious to see what would happen, I punched in my password, and lo-and-behold, I still had access to voicemail. Curious, I checked to see what I still had access to, and discovered that my shell account, Web logins and even the root password still existed as they did when I worked there. While I would never dream of trying anything funny (since they could pretty obviously track it back to me), I'm wondering how prevalent this lax attitude is in today's workplace, particularly in Silicon Valley where employees skip from job to job like mad. I'd bet that way too many Slashdotters still have access to things months or years after they left employment... including some pretty secure things." It's all a matter of the communication channels between the IT Department and Management. Better communication channels means less chance of this sort of security hole happening...or does it?
Happened to me (Score:1)
It wasn't me, but that doesn't mean they weren't hacked either, as there was one other guy who was a walkout like me and just might have been ticked enough to do it. Plus Baylor didn't know a root prompt from a hole in the ground. One day when I came in and restarted the RADIUS server (it had died during the night), he asked "How did you fix a machine in my office while you were sitting in your office?"
Gone but not forgotten (Score:4)
In places I've managed one of my first changes has been to insist that HR put a message on a email distribution list every time a position is created (note this is often well before someone is hired but it gives my staff time to determine the future employee's needs), upon a hiring, and the instant they believe someone may or will be leaving. In these communications HR must specify dates and the appropriate managers to contact for direct instruction. I also put an emergency procedure in place for 'rapid-separations' where all of a person's accounts are identified, marked for immediate back-up, and locked down until the situation is clarified.
I generally drive these policies & procedures home by holding a meeting between HR, IS, and Legal with all of us asked to brainstorm on the awful things that could happen should we drop the ball on this. One can usually come up with some very nasty scenarios pretty fast. The folks involved also generally know a few real-life stories we've seen or heard of we can recount just to completely scare everyone into following these policies seriously.
What can really force these policies is privacy laws. Even though many would think that communications to someone via a companies resources would be properly a companies property this changes a bit once the person is no longer an employee. I'm not a lawyer but I do know that in most places one is on shaky ground continuing to allow the former employee's name to remain active in the email system after a reasonable amount of time. To have someone then go through a former employees communications, specifically any that are received after the employee is separated from the company, is very dangerous and just asking for a nasty lawsuit.
My own solution to moved-on employees has been to place an auto-responder on the email account indicating the person is no longer with the company, possibly listing the other person(s) who are now handling the former employees responsibilities, and referring all other communications to HR. Generally this will do for up to a year after which the account just becomes another generic dead one. For voicemail a similar procedure is used by closing the person's inbox and replacing their old greeting with a new one giving the new numbers to contact for various services.
Of course one can avoid many of these problems by encouraging the use of functional email & voicemail accounts. With these many messages go to "Department - Function" instead of individual persons. One can't (and oftentimes shouldn't) get rid of personal email accounts but by keeping much of the purely administrative email on the functional address list does. Utilizing this duplicate system can cut down enormously on mail-list administration and general administrivia.
Another problem I commonly run into is the 'legacy' account where someone has moved on but another simply assumed their accounts, oftentimes their replacement. This sort of thing leads to really confusing situations where one isn't sure who is using what accounts, which are active, and which are linked. This can become particularly problematic when trying to implement unified login systems.
Finally there's the nightmare of IS staff leaving. Oftentimes we know waaay too many passwords, particularly the 'deep-mojo' ones. To help expedite these transitions I generally try to keep a list of all the primary accounts (passwords stored seperately in a secure place)and a instruction sheet on changing them all at need. It's also simply good practice to discourage users from giving passwords to IS staff and simply requiring them to enter themselves when needed.
Matter of policy (Score:2)
I've been at enough places to say that a lot of procedure indeed has to do with policy. If it isn't written down and enforced, more often than not it isn't executed.
Yes, things like this do happen, often because its not written in stone. You might think about changing the root password, but then you're just lazy, too comfortable typing it in during the blink of an eye, or too confident that since nothing has happened yet, nothing will happen.
Of course, we all know what happens when you do that - It leaves the potential for something to happen. This is why the manangerial staff that does know what they're doing gets on your case. Because unless you really care (and yes, plenty of IT staffers who give a damn, do), it might not get done.
-----
SSH with keys (Score:3)
Is 50%pa turnover high? (Score:2)
But since staff are given full afterhours access to the building's main doors and our floor on the day they arrive (I was!) I think that outgoing IT security is the least of our worries...
"Why is this filing cabinet empty?"
*sigh* (Score:1)
Re:Insist your accounts are deleted (Score:1)
Sometimes, continuing access is on purpose (Score:1)
What it means. (Score:2)
For all the toys, code, and technology us IT people get to 'play' with at work, the bottom line is all too often forgotten: IT is there to provide computing facilities for a company and to maintain them appropriately.
If the IT staff left a hole like this, they should be yelled at.
Curiously enough, this problem is especially prevalent at shops WITHOUT senior type systems people. Lots of kids.
It's funny how hacker kids seem to know everything about security, but put them in an IT department, and they 'forget' all kinds of things like voicemail, door entry codes, leaving terminals logged in. Of course, they are REALLY busy fuckign with all the unix boxes 'just in case'.
Re:have hr email hiring/firings (Score:1)
Might I recommend a silenced pistol, after they get home of course... :)
have hr email hiring/firings (Score:1)
they hire or fire someone. It is basically someones responsbility in our group to watch
for this email and add/remove accounts as necessary. If an admin or network person leaves
that might have critical passwords.. we immediatly
change all passwords in the company and remove all
access before they walk out the door.
Has worked pretty well for us so far.. Of course
our environment is still like swiss cheese when
it comes to security.
Malice95
Re:Sometimes, continuing access is on purpose (Score:2)
Then they should say so.
/.
Appropriate responses (Score:3)
Email is more marginal - if we are informed of a leaver, email is disconnected from the external gateway (internet email inbound will bounce) but is left in existance for a few weeks - many managers will have access to their leaver's account to clear up any outstanding stuff in the system. Unless requested otherwise, the email account is deleted when the network account is deleted.
Network accounts are disabled when a given user leaves (again, provided we are notified!) In addition, we audit account use - any Network account that hasn't been used in two months flags up an alert, and we contact the department to ask why.
Obviously, all of this applies to ordinary user accounts. for Techie accounts, it becomes more interesting. Email and network are disabled, as above, and any remote access keys are disabled too. However, there are three possibilities.
Any user accounts he held have their passwords disabled, but root accounts are left to expire and be cycled normally; Unless given a good reason to assume otherwise, this techie may want to look for references from us, possibly even another job in the future.
Unfriendly does not have to mean removed for cause; redundancy is equally valid. In this case, all root passwords (even ones he theoretically didn't know) are changed at once; account lists are searched for dubious accounts with either permissions they shouldn't have or with access entries matching the techie's pc.
nightmare scenario; User has been expelled from the building for cause, has resigned for reasons that are likely to indicate resentment of the company or individual managers (contributatory dismissal for example) or knew he was being downsized in advance and wasn't happy about it.
This has to be any sysadmin's worst nightmare - the system is totally screwed. any or all servers may be rootkitted; timebombs or backdoors may exist in any utility or system program, backups may be corrupt, deliberate errors added in data that may take years to identify and fix.
Procedure if this ever happened would be extreme - backup server (normally used for development testing) would be backed up then completely reinstalled from original media; new accounts set up and validated, software reinstalled and databases transferred. Backup server would become live server, live server pair would go offline and suffer similar indignities, after forensic examination by contract experts; user would be carried on payroll and his user accounts left untouched until the whole of SAP R/3's user code was validated by the DEV team; and even then, you could never be 100% sure.
--
Insist your accounts are deleted (Score:3)
It could be very easy for a disgruntled sysadmin to blame hacked system on you, when you aren't there to defend yourself.
At the least, it could mean a bad rec for you when you try to find another job, or worse, you could expose yourself to a lawsuit.
If you aren't sure your access is going to be cut off, then obtain proof that you attempted to have it removed by sending a letter to the appropriate mgmt body.
Equally disturbing... (Score:1)
Note to self: try sending email to old address, see if it bounces....
Re:Some companies are concerned (Score:2)
Monitor HR (Score:1)
I could never trust to be "kept informed" of recent firings, etc. so I just wrote a script that monitored certain aspects of the human resources employee database and diff'ed it. You can be sure of one thing: the first thing Management does upon termination of an employee is to stop any future salary disbursements!
Communication Breakdown (Score:1)
However, the worst problem I've had was when I got a call from the manager at a remote site called and said Employee A was let go and took it pretty hard, so could I please change her passwords etc. Sure, no problem. The next week the boss calls again and says they are having lots or problems with lost database info. I restore most of it from the backup tapes, but not all. About a month later I'm over in that office to replace a bad NIC and ask for Employee B (who did most of the work in the database), to commiserate about the database problems. I find out she got let go at the same time that Employee A did, but no one thought it was an issue since she didn't leave in a huff, so why should they tell me? They just left her logged in all the time, so they could learn how to use the DB. None of them could understand why I was so cranky at them.
Pretty lax administration.. (Score:1)
I've heard of other sys.admins who like to keep old employees email accounts and such around, just to see what mail they get. Whenever I leave a job, I promptly subscribe my old email address to every spambot I can find..
we NEVER disable accounts (Score:1)
Everything is like in suspended animation - passwords the same as the day people left, all their files are still out there, etc.
I've repeatedly asked my bosses over the years why we can't get rid of this old junk, and each boss has told me that we can't inconvenience the users. They MIGHT need instantaneous access to this old stuff someday. At least that's what the users keep saying to us.
Passwords here are likewise very static. Even the root password, which is used by many users for "convenience sake", is still the same as it was years ago. What a mess and I'm making no progress in changing the mindset here and this is a Fortune 100 corporation!
The database "sa" password is so engrained - it is coded in programs, scripts, etc. that it is really virtually impossible to change. A million things would break and guess who'd bear the brunt of that ?
And you think you had a mess of a situation...
Re:Gone but not forgotten (Score:1)
(S)he's such a valuable employee (eg only geek in the shop who knows how the server works) that on consideration mgt decides to overlook the gigabytes of pr0n -- but employee finds accts frozen and quits in a huff. Next day server crashes and outside consultants take a week to rebuild it.
Employee given "final warning" and told to return to work -- finds accts frozen and sues for harrassment.
Of course IANAL, nor even an HR person....
Some companies are concerned (Score:2)
Both members of our two person IT department (I'm a finance geek) were recently found to violating several major company policies. Management decided the infractions were too serious to keep them on board. Our biggest concern after the decision was made was how we could secure our systems (internal network, internet site, ERP system, PBX system, etc.).
While the two were separately being told of the decision, several trusted IT consultants were in disconnecting our T-1s, disconnecting modems, and changing system passwords. By the time the two were escorted from the building, our systems were secured.