Nobody ever likes being fired from a job, but some folks take it worse than others.
In May, a former part-time remote employee working with a New York Credit Union used her access to delete some 21GB of company data. According to the reports, Juliana Barile wiped out some 200,000 files containing sensitive information, including mortgage applications, after being fired from her position. Barile has now pleaded guilty and is awaiting sentencing that may reach up to 10 years and include a fine.
This case highlights a laundry list of challenges that organizations face concerning insider threats. At the top of the list is: how did Barile retain her access to the server after she was let go?
Mismanaging the JML Lifecycle
The unfortunate answer is that someone had requested that her access be revoked, but the outsourced IT department had not gotten around to taking care of it. Two extra days of access post-firing was enough for Barile to access the data for 40 minutes and do her damage.
We do not know what access was cut off before the attack (if any). But whatever the status was, Barile was far from being fully offboarded. A more accurate description would be that she was partially offboarded as she retained at least some of her access.
This was clearly a breakdown in the Joiner-Mover-Leaver (JML) Lifecycle that is all too common. As employees transition through the JML Lifecycle, IT departments face a significant challenge in making sure that everyone has the access they need to do their jobs.
No more, no less. All in line with the Principle of Least Privilege.
The JML process is time-consuming and prone to delays and mistakes, especially as organizations continue to scale in both their headcount and the number of cloud services they are using.
Getting the “Leaver” part right is essential for security since a leaver may have the most incentive to cause trouble on their way out.
This is why whenever an employee is “separated,” their access to any and all organizational assets should be cut off, especially when it comes to sensitive assets like financial and customer data or IP.
Manually managing offboarding and ensuring that all access has been completely cut off is very difficult. Larger organizations often lack the visibility to know exactly what each employee has access to at any particular time, complicating speedy and effective changes to access.
More Access, More Problems
How, and why, did she have access to such large amounts of data? After all, she was only a part-time employee who was working remotely.
There is no justifiable reason that a person like that would need access to everything from loan applications to board meeting minutes. And yet, Barile had access to read this data and also delete it.
Given these conditions, how could this organization have taken steps to have prevented this from happening?
3 Tips for Mitigating Insider Threats
The Credit Union is hopefully undergoing a review process to understand what allowed this ex-employee to have such a painful impact. This may include a conversation with their IT provider about prioritization, among other issues.
Any conversation should start with the following best practices any organization can benefit from.
1. Remove Access at the Right Time
This is JML 101, but due to scale and organizational lethargy, it is still not handled well in far too many cases.
Since the stakes are potentially high, organizations should adopt tools that synchronize with HR systems and kick off the offboarding the moment an employee is let go. Ideally, your organization is using an IdP (identity provider) so that cutting off access is a fast, centralized process rather than removing the user from each system one by one.
If an employee is let go, they must have their permissions removed as fast as possible to prevent them from taking company data with them, or worse.
Automate here as much as possible and be sure that the person responsible for removing access is properly notified. This is not a notification that you want to get lost in someone’s email.
2. Restrict Privileged Access
Tightly control what users are able to access and what they are allowed to do with that access.
Utilize adaptive controls such as restricting who is allowed to delete data. Consider making certain types of data read-only.
Keep to the Principle of Least Privilege as tightly as possible. If the employee does not need access, then do not give it to them in the first place. If they need it later, then they can always request access.
3. Monitor or Deactivate Inactive Accounts
Your organization probably has a fair number of zombie accounts. These inactive accounts were either suspended because a person is on parental leave, or belong to former employees and were never removed.
These sorts of accounts can be very risky under different scenarios. Former employees can log back in with their old credentials to access resources. Another possibility is that hackers can compromise legitimate credentials and use an inactive account — that is likely not being monitored — to carry out their attack.
Get rid of as many of these accounts as possible and monitor those that you choose to retain to avoid any unwelcome surprises later.
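Tips 1 and 3 both come down to one reconciliation: compare what HR says about a person with what the identity provider still allows. The script below is an added example, not code from the original article or from any product it mentions; it uses constructed HR and IdP exports and assumed field names, and returns leavers who are still enabled (with how many days they have been enabled past their end date), enabled accounts that nobody has used in a while, and accounts with no HR owner at all.

```python
from datetime import date, timedelta

# Constructed sample HR export (field names are assumptions): employment status and end date.
HR_ROSTER = {
    "leaver1": {"status": "terminated", "end_date": date(2021, 5, 17)},
    "active1": {"status": "active",     "end_date": None},
    "onleave": {"status": "leave",      "end_date": None},
}

# Constructed sample IdP export: whether each account is enabled and when it last signed in.
IDP_ACCOUNTS = {
    "leaver1": {"enabled": True,  "last_login": date(2021, 5, 19)},  # used two days after end date
    "active1": {"enabled": True,  "last_login": date(2021, 5, 18)},
    "onleave": {"enabled": True,  "last_login": date(2021, 1, 10)},
    "svc_old": {"enabled": True,  "last_login": date(2020, 11, 2)},  # no HR record at all
    "retired": {"enabled": False, "last_login": date(2020, 3, 1)},   # already disabled, ignored
}


def reconcile(hr, idp, today, inactive_days=90):
    """Compare HR truth against IdP state; return what needs action, keyed by category."""
    findings = {"disable_now": [], "stale": [], "orphans": []}
    cutoff = today - timedelta(days=inactive_days)
    for user, acct in sorted(idp.items()):
        if not acct["enabled"]:
            continue  # already off: nothing to do
        record = hr.get(user)
        if record is None:
            # Enabled account with no HR owner: nobody is accountable for it.
            findings["orphans"].append(user)
        elif record["status"] == "terminated":
            # Leaver still enabled: the exact gap in the credit union story.
            days_overdue = (today - record["end_date"]).days
            findings["disable_now"].append((user, days_overdue))
        elif acct["last_login"] < cutoff:
            # Zombie: enabled, but unused for longer than the policy allows.
            findings["stale"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in reconcile(HR_ROSTER, IDP_ACCOUNTS, date(2021, 5, 19)).items():
        print(f"{category}: {users}")
```

Run it daily against real exports and page the access owner on a non-empty `disable_now` list rather than sending an email that can sit unread.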
The Importance of Good Security Hygiene
The damage done in this story could have been avoided if the organization had followed the basics of good cybersecurity hygiene. But the same could be said for the vast majority of security breaches.
Reducing our attack surface by limiting what any one person can access, and making organizational processes such as offboarding faster and more reliable, can go a long way toward mitigating damage from the vast majority of attacks — no matter if they come from inside or outside your organization.