Cybersecurity Tip: Deactivate Unnecessary Credentials to Shut Down Security Vulnerability
One of the fundamentals of securing an organization’s systems and facilities is following the principle of least privilege. This means limiting an individual’s access to the organization’s devices, programs, information and facilities to the minimum they need to carry out their job duties. Adhering to this is easy if employees never leave the organization or change roles.
Obviously, the reality is that employees do leave employers, change roles and take extended leave. Keeping the list of active employees and the systems to which they have access up to date requires attention and redundancies. If unnecessary credentials are left active, the system is vulnerable to malicious access from former employees and threat actors.
This circumstance has unfortunately been used to gain access to an MCIT member’s network. It resulted in MCIT’s largest cyber claim to date in terms of dollars: $1.3 million in total, $430,000 of which was covered by MCIT, leaving the county responsible for $850,000.
Steps to Keep Access Current
When permissions are set up, they should be time bound where appropriate with automatic expiration dates, especially for temporary roles, contractors/vendors or elevated permissions. Managers should maintain a list of permissions for each of their team members. And managers should regularly review access rights for their direct reports and make appropriate adjustments as necessary.
As part of the organization’s off-boarding process, Human Resources or the individual’s manager should be required to alert IT to deactivate the individual’s access to programs, systems and devices. The manager’s lists of permissions should make this easy.
For employees who are on extended leave (not just a few weeks of vacation or medical leave), an employer may want to deactivate credentials to limit the threat landscape. The accounts can be re-established when the employee returns to active employment.
When an individual moves to a different position within the organization, the manager should identify which devices, programs and systems the employee needs and ask IT to activate new accounts and deactivate those that are no longer pertinent for the individual.
Third-party contractors should be subject to the same access controls with clearly defined start and end dates. An organization should assign an individual to regularly review contractors’ permissions.
The organization should also have a process for circumstances in which a security concern requires deactivating access immediately.
Besides deactivating credentials, the employer should develop a process to allow for proper archiving of information such as emails or work product before accounts can simply be deleted.
Technical tools can be part of the solution to ensure that the active directory (those accounts that have current access to devices, systems and programs) is kept current. These tools have the ability to track logins and access attempts; generate reports for audits or compliance; and identify suspicious behavior, such as login attempts at odd hours, multiple failed login attempts and login attempts from unfamiliar devices or locations.
Conducting an audit of the active directory regularly (e.g., every three to six months) can help catch accounts that were not reported to IT to deactivate or were accidentally overlooked.
Technical tools are perhaps best used as a backup for solid communication and planning among leadership, Human Resources and IT.
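The periodic audit described above can be partly automated by reconciling a directory export against the HR roster. The following Python example is added here and is not part of the original article; the CSV column names, status values, sample records and the 90-day staleness threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (assumed column names, not from the article).
HR_ROSTER = """username,status,end_date
asmith,active,
bjones,terminated,2024-03-01
cdoe,extended_leave,
vendor1,contractor,2024-05-31
"""
DIRECTORY = """username,enabled,last_login
asmith,true,2024-06-28
bjones,true,2024-02-27
cdoe,true,2024-01-15
vendor1,true,2024-06-20
oldsvc,true,2023-09-10
dlee,false,2023-12-01
"""

def audit_accounts(hr_csv, dir_csv, today, stale_days=90):
    """Return {username: [reasons]} for enabled accounts that need review."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(dir_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        reasons = []
        hr = roster.get(acct["username"])
        if hr is None:
            reasons.append("no matching HR record")
        else:
            if hr["status"] == "terminated":
                reasons.append("off-boarded but still enabled")
            if hr["status"] == "extended_leave":
                reasons.append("on extended leave")
            end = hr["end_date"]  # contractor or temporary-role end date
            if hr["status"] != "terminated" and end and date.fromisoformat(end) < today:
                reasons.append("past access end date")
        last = acct["last_login"]  # empty means the account never logged in
        if not last or today - date.fromisoformat(last) > timedelta(days=stale_days):
            reasons.append(f"no login in over {stale_days} days")
        if reasons:
            findings[acct["username"]] = reasons
    return findings

if __name__ == "__main__":
    for user, why in audit_accounts(HR_ROSTER, DIRECTORY, date(2024, 7, 1)).items():
        print(f"{user}: {'; '.join(why)}")
```

Each finding is a prompt for the manager or Human Resources to confirm, not an automatic deactivation; accounts with no HR match often turn out to be service or shared accounts that need an assigned owner.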
Document Changes
Changes to account access should be documented for many reasons. Most notably, threat actors may attempt to make changes, so documenting changes allows an organization to know which modifications were made, when and why.
Additionally, documentation may help speed up troubleshooting. If an update or change presents any issues, the organization can easily determine the changes that were made and when in the event it needs to revert to previous settings or configurations.
Lastly and perhaps most importantly, documenting changes provides a level of accountability so that they can be tracked back to an individual who can and should indicate reasons for any adjustments and when they took effect.