Posts Tagged ‘Lockdown’


November 17, 2011 Leave a comment

One of the nice things about being in a senior position within a small company is that, every so often, you come across a situation that happens so rarely that no documentation nor process exists, and it’s entirely your responsibility to work out from scratch what needs to be done.

Being the most experienced within the company on our infrastructure and security, it fell to me to write the procedure for ensuring that any individual leaving the company is locked out as securely as possible. As I write this, less than a day away from leaving my job at Acme, the person leaving the company – the person who needs to be locked out – is myself.

The standard technical parts are easy enough: change all admin passwords, change every single password in the Password Database (Yes, it will take a while. Yes, I did advise against it. No, I can’t help. Because then you’d have to tell me the new passwords!). But two major unknowns exist; one legal, one social.

Legal Lockdown

The legal part is relatively simple: make it clear to the soon-to-be-ex employee (STBEE) that they are no longer entitled to access the company’s systems by spelling out, in as much detail as required, that their access is revoked to:

  • Any company system
  • Any system run by the company on behalf of a client
  • Any system run by a client whose access has previously been a privileged right of the company

except for those rights granted to any other anonymous or generic individual; this allows, for example, a STBEE to visit a former client’s website, but not to use any security credentials on that site that may have been supplied as a part of their employment.

It may be advantageous to get the STBEE to sign a document agreeing to the above, just to ensure their understanding is complete.

Social Networking

The social part is where the rabbit hole opens, and specifically social engineering. A company can spend all its time locking an individual out, but there is always the risk (depending upon the nature of the departure) of the user contacting third parties claiming to be acting on behalf of the company.

  • How do you protect against a email being sent to your hosting provider, designed to match the style of your infrastructure manager but cancelling a client’s service?
  • How can you stop a rogue employee contacting the IT department of your biggest client and creating a new account that acts as their backdoor?

The only chance that a company has to counter this is to make sure that the other usage of social is taken into account: communication.

  • Ensure that all employees, clients and suppliers are aware that the individual is no longer an employee.
  • Ask that any supplier always confirm any out-of-the-ordinary request, either by email or phone.
  • Ensure that any change to any configuration or payment is fully understood.

It’s not perfect; time after time, social engineering has been shown to be one of the most dangerous types of hacking in existence and at the same time the most difficult to protect against. But through communication there is still at least a chance.