Four Steps to Securing Your IoT Identity from Employees

September 11, 2018


When you see one of those cybersecurity stories about how an ex-employee hacked a company with terrible consequences, do you think that could never be us? Or do you think, I’m glad we don’t have anyone like that around!

Many companies are exposed to this former-insider risk; they simply, fortunately, haven’t yet been tested by a bad ex-employee. Last year, a Pennsylvania man was sentenced to more than a year in prison for “hacking” remote water meters at his former company. Local municipality customers couldn’t send out their bills because the water meters weren’t reading anything. This “sophisticated hacker” still had credentials to the water meters of his former employer. He logged in and made a variety of configuration changes that disrupted the meters. Even though he had been fired, the company didn’t think to change the passwords on any of the base stations. The ex-employee telneted in from his home computer with his existing credentials.

You may think that your employee off-boarding process is much better than that. But the reality is that employees may have 25 credentials or more issued by your organization, and it is difficult to revoke them all. I was recently reviewing the access controls on the servers of a client of mine who had good security controls. They still had a former employee enabled on one of their servers, even though they had removed his credentials in many other places. This is a client with strong security practices and even an off-boarding checklist. Imagine what the situation is for organizations with less formal processes!

Additionally, managing IoT credentials is very difficult. Because there are so many devices, often not under central control, it can be difficult to change credentials in every location when an admin leaves. Also, in an IoT system each device has different sets of credentials for integration with different local and cloud-based systems. If your ex-administrator knows these credentials, then all of them have to change.

We have identified four actionable steps that will help your organization improve its cybersecurity posture as it relates to identity.

  1. Disable ex-employee accounts. This one is so obvious, but somehow companies miss it. As soon as an employee leaves, all of his or her accounts should be turned off, especially those that can be accessed remotely. Organizations often construct a departure checklist with all of the accounts that an employee has. If you don’t have one, you should.
  2. Change system passwords upon administrative employee departure. When your administrative employees leave, do you change the shared passwords on all infrastructure and devices? There is a good chance that your organization doesn’t. If those devices are Internet-facing, or the ex-employee can VPN in, then you could be next for a humiliating headline!
  3. Audit authorized VPN users. Many other mistakes can be caught by having strong controls over your authorized VPN users. These are the users that can access your network and systems remotely. If you do a good job making sure that only authorized users can VPN in, then you can reduce your risk of an ex-employee attack. Make sure that your tech support team checks for active employment before enabling or re-enabling access to your VPN. Yes, this attack really has been successful.
  4. Use Privileged Access Management (PAM). PAM is a tool for managing the accounts in your organization that have administrative access to important systems. These tools can allow secure access to all authorized employees without forcing them to remember many passwords. They can allow multiple people to access the same account while auditing who accessed the system. When employees leave, they can be turned off in the PAM system without disrupting operations on each individual system.
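Steps 1 through 3 come down to one recurring check: reconcile every system's account export against the HR roster and flag what a departed person can still use. The script below is an added example (not from the original post or Fractional CISO); the system names, employee ids and termination dates are constructed sample data, and the "remote" flag marks credentials reachable from outside, like the VPN and telnet-accessible base stations in the story above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    system: str               # where the credential lives (constructed names below)
    username: str
    holders: FrozenSet[str]   # HR ids of everyone who knows this credential
    remote: bool              # reachable from outside (VPN, telnet, cloud console)

@dataclass(frozen=True)
class Employee:
    emp_id: str
    terminated: Optional[date]   # None while still employed

def has_left(roster: Dict[str, Employee], emp_id: str, today: date) -> bool:
    """A holder HR has never heard of counts as departed: nobody can vouch for them."""
    emp = roster.get(emp_id)
    return emp is None or (emp.terminated is not None and emp.terminated <= today)

def audit(accounts, roster, today) -> List[Tuple[str, Account]]:
    """'disable' when every holder has left (a personal account, step 1);
    'rotate' when a shared credential is still known to someone who left (step 2).
    Remote-reachable findings are listed first, since they are exposed from home."""
    findings = []
    for acct in accounts:
        gone = {h for h in acct.holders if has_left(roster, h, today)}
        if gone:
            action = "disable" if gone == set(acct.holders) else "rotate"
            findings.append((action, acct))
    findings.sort(key=lambda f: (not f[1].remote, f[1].system))
    return findings

# Constructed sample data: one HR roster and the account exports of five systems.
AUDIT_DATE = date(2018, 9, 11)
SAMPLE_ROSTER = {
    "e001": Employee("e001", None),                # still employed
    "e002": Employee("e002", date(2018, 6, 30)),   # left in June, VPN never revoked
}
SAMPLE_ACCOUNTS = [
    Account("vpn", "bob", frozenset({"e002"}), remote=True),
    Account("meter-base-station", "admin", frozenset({"e001", "e002"}), remote=True),
    Account("build-server", "alice", frozenset({"e001"}), remote=False),
    Account("cloud-console", "svc-integration", frozenset({"c-unknown"}), remote=True),
    Account("file-share", "bob", frozenset({"e002"}), remote=False),
]

if __name__ == "__main__":
    for action, acct in audit(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AUDIT_DATE):
        print(f"{action:8s} {acct.system}/{acct.username}  remote={acct.remote}")
```

Feeding real exports in means one `Account` per row from each system's user list; an account whose holder is not in the roster at all is the service-account case the text warns about, and it is reported for disabling rather than silently skipped.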

Where to learn more?

If it seemed that we just scratched the surface of how to secure IoT identity, then you are right! We are about to release a white paper in conjunction with BeyondTrust about managing identity for your IoT system. Stay tuned for its imminent release.

But you don’t need to wait for the white paper to learn more. Next Thursday, September 13, Fractional CISO and BeyondTrust will be hosting a webinar on The 5 Crazy Mistakes Administrators Make with IoT System Credentials. Yes, we will cover the threat from ex-employees. But you will have to tune in to find out the other four crazy mistakes.

For help with your cybersecurity strategy and execution, contact us at Fractional CISO. We’ll be happy to help you get on a path to better cybersecurity decision making.

This article originally appeared on the Fractional CISO blog.

Rob Black

CISSP, Founder and Managing Principal of Fractional CISO

Rob Black, CISSP is the Founder and Managing Principal of Fractional CISO where he helps organizations improve their cybersecurity posture. Rob has extensive experience in cyber security, anti-fraud, Internet of Things (IoT), web services and cloud solutions. He has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP). Rob is the inventor of three security patents. He regularly speaks at conferences and blogs about IoT security.
