When you see one of those cybersecurity stories about how an ex-employee hacked a company with terrible consequences, do you think that could never be us? Or do you think, I’m glad we don’t have anyone like that around!
Many companies are exposed to the same insider risk; they simply haven’t been tested yet by a bad ex-employee. Last year, a Pennsylvania man was sentenced to more than a year in prison for “hacking” remote water meters at his former company. Local municipality customers couldn’t send out their bills because the water meters weren’t reading anything. This “sophisticated hacker” still had credentials to the water meters of his former employer. He logged in and performed a variety of configuration changes to mess up the meters. Even though he was fired, the company didn’t think to change the passwords on any of the base stations. The ex-employee telneted in from his home computer with his existing credentials.
You may think that your employee off-boarding process is much better than that. But the reality is that employees may have 25 credentials or more issued by your organization, and it is difficult to get rid of them all. I was recently reviewing the access controls on the servers of a client of mine who had good security controls. They still had a former employee enabled on one of their servers, even though they had removed his credentials in many other places. This is a client with strong security practices and even an off-boarding checklist. Imagine what the situation is for organizations with less formal processes!
Additionally, managing IoT credentials is very difficult. Because there are so many devices, often not under central control, it can be difficult to change credentials in every location when an admin leaves. Also, in an IoT system each device has different sets of credentials for integration with different local and cloud-based systems. If your ex-administrator knows these credentials, then all of them have to change.
We have identified four actionable steps that will help your organization improve its cybersecurity posture as it relates to identity.
- Disable ex-employee accounts. This one is so obvious but somehow, companies miss it. As soon as an employee leaves, all of his or her accounts should be turned off. Especially those accounts that can be accessed remotely. Organizations often construct a departure checklist with all of the accounts that an employee has. If you don’t have one, you should.
- Change system passwords upon administrative employee departure. When your administrative employees leave, do you change the shared passwords on all infrastructure and devices? There is a good chance that your organization doesn’t. If those devices are Internet facing or the ex-employee can VPN in, then you could be next for a humiliating headline!
- Audit authorized VPN users. Many other mistakes can be caught by having strong controls over your authorized VPN users. These are the users who can access your network and systems remotely. If you do a good job of making sure that only authorized users can VPN in, then you reduce your risk of an ex-employee attack. Make sure that your tech support team checks for active employment before enabling or re-enabling access to your VPN. Yes, this attack really has been successful.
- Use Privileged Access Management (PAM). PAM is a tool for managing the accounts in your organization that have administrative access to important systems. These tools can give all authorized employees secure access without forcing them to remember many passwords. They can allow multiple people to use the same account while still auditing who accessed the system. When employees leave, their access can be turned off in the PAM system without disrupting operations on each individual system.
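The first three steps above share one underlying check: reconcile every account inventory against the HR roster, so that a login that survived the off-boarding checklist (like the one on my client’s server) or a shared device password that a departed administrator still knows gets flagged. The script below is an added example, not code from the original post or from Fractional CISO; the roster, system exports and shared-credential list are constructed sample data, and in practice you would load them from HR and from each system’s account export.

```python
"""Reconcile per-system account inventories against the HR roster.

Finds (1) accounts owned by people who are no longer active employees or are
unknown to HR, which should be disabled, (2) accounts with no recorded owner,
which need a human review, and (3) shared credentials that a departed employee
knew, which must be rotated.
"""

# Constructed HR roster (hypothetical): employee id -> employment status.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "dave": "terminated",
}

# Constructed per-system account exports: system -> {account: owner employee id}.
# An owner of None means the system has no record of who is behind the account.
SYSTEM_ACCOUNTS = {
    "vpn": {"alice": "alice", "bob": "bob", "svc-backup": None},
    "file-server-01": {"alice": "alice", "dave": "dave", "carol": "carol", "erin": "erin"},
    "meter-base-station-07": {"admin": None},
}

# Constructed list of shared credentials and the people known to have used them.
SHARED_CREDENTIALS = {
    "meter-base-station-07/admin": {"alice", "bob"},
    "cloud-integration-key": {"carol"},
}


def is_active(roster, employee_id):
    """An owner counts as active only if HR explicitly says so; anyone missing
    from the roster is treated as departed rather than given the benefit of the doubt."""
    return roster.get(employee_id) == "active"


def find_orphaned_accounts(roster, system_accounts):
    """Return (orphaned, unowned): both map system -> [account, ...].

    orphaned: owner is terminated or unknown to HR -> disable.
    unowned:  no owner recorded -> review; do not disable blindly, it may be a
              service account that production depends on.
    """
    orphaned, unowned = {}, {}
    for system, accounts in system_accounts.items():
        for account, owner in accounts.items():
            if owner is None:
                unowned.setdefault(system, []).append(account)
            elif not is_active(roster, owner):
                orphaned.setdefault(system, []).append(account)
    return orphaned, unowned


def credentials_to_rotate(roster, shared_credentials):
    """Return the sorted names of shared credentials known to any departed person."""
    return sorted(
        name
        for name, knowers in shared_credentials.items()
        if any(not is_active(roster, person) for person in knowers)
    )


def offboarding_report(roster, system_accounts, shared_credentials):
    """Combine the checks into one actionable report keyed by required action."""
    orphaned, unowned = find_orphaned_accounts(roster, system_accounts)
    return {
        "disable": orphaned,
        "review_unowned": unowned,
        "rotate": credentials_to_rotate(roster, shared_credentials),
    }


if __name__ == "__main__":
    report = offboarding_report(HR_ROSTER, SYSTEM_ACCOUNTS, SHARED_CREDENTIALS)
    for action, items in report.items():
        print(f"{action}: {items}")
```

On the sample data the report says to disable bob’s VPN account and the dave and erin accounts on file-server-01, to review the unowned svc-backup and base-station admin accounts, and to rotate the base-station admin password because bob knew it. Treating an owner who is missing from the roster as departed is deliberate: the failure mode in the water-meter case was an account nobody was tracking, so unknown must not silently pass.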
Where to learn more?
If it seemed that we just scratched the surface for how to secure IoT identity then you are right! We are about to release a white paper in conjunction with Beyond Trust about managing identity for your IoT system. Stay tuned for its imminent release.
But you don’t need to wait for the white paper to learn more. Next Thursday, September 13, Fractional CISO and Beyond Trust will be hosting a webinar on The 5 Crazy Mistakes Administrators Make with IoT System Credentials. Yes, we will cover the threat from ex-employees. But you will have to tune in to find the other four crazy mistakes.
For help with your cybersecurity strategy and execution contact us at Fractional CISO. We’ll be happy to help you get on a path to better cybersecurity decision making.
This article originally appeared on the Fractional CISO blog.
Rob Black, CISSP, Founder and Managing Principal of Fractional CISO
Rob Black, CISSP is the Founder and Managing Principal of Fractional CISO where he helps organizations improve their cybersecurity posture. Rob has extensive experience in cyber security, anti-fraud, Internet of Things (IoT), web services and cloud solutions. He has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. Rob received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP). Rob is the inventor of three security patents. He regularly speaks at conferences and blogs about IoT security.