topic Re: On the other side of privilege removal in Career Discussions

On the other side of privilege removal

ericgeater — Tue, 24 Nov 2020 16:41:51 GMT

I'm about to amicably leave my current employer. My accounts are tied to several resources. I would prefer to be locked out of everything upon separation, but this is unrealistic. I would be satisfied to be locked out of all external connectivity.

For reasons I cannot explain easily, I'm certain this will not occur on my request. But I feel like I am entitled to the nonrepudiation which a lockout would provide. Have any of you faced the desire of remaining blame-free upon separation? How did you convey this importance when leaving?

Re: On the other side of privilege removal

Xenophore — Tue, 24 Nov 2020 18:13:53 GMT

Absolutely. In the places I've left amicably, I made sure that any and all of my privileged access was removed or transferred to others so that my accounts could be wiped completely.

Re: On the other side of privilege removal

gidyn — Tue, 24 Nov 2020 18:34:39 GMT

Change the passwords to a random string that you don't keep a record of, and let them know that.

Re: On the other side of privilege removal

ericgeater — Tue, 24 Nov 2020 18:37:07 GMT

I will not be changing anything any more. It is not my responsibility to change anything any more.

Re: On the other side of privilege removal

dcontesti — Tue, 24 Nov 2020 19:20:00 GMT

Double edge sword this one.

If it is amicable do you have reason to believe they will come after you? If, ask them for a document stating that you are not responsible as you have notified them of all the accounts and that you have requested all remote access be terminated (That is of course unless one of these accounts has remote access).

This is why I tell my staff to create generic accounts for all application(S) or re-use the generic account. Also that the password should be set by the admins (Not you) and put into a firecall process (the password is only used for emergencies and immediately changed after use).

However, if you believe things will be okay (have they been hacked, can they be hacked, are they in a target group), then cross your fingers nothing happens between your leaving and the next time the password is reset (huge assumption that there is a policy to change all passwords in x days).

Enjoy the new job and try not to worry about what may be.

Re: On the other side of privilege removal

Steve-Wilme — Wed, 25 Nov 2020 09:42:41 GMT

I encountered a similar issue, with having to ensure all my accounts were removed on my last day with an employer and all my IT equipment and documentation returned. Now it was supposed to be my line managers responsibility, but I ended up planning doing it myself so I'd have an audit trail of the actions I'd taken and positive confirmation.

Re: On the other side of privilege removal

CISOScott — Wed, 25 Nov 2020 16:08:41 GMT

One of the ways I have handled this is to have a "check out sheet" that shows where I turned in my key fobs, badges, vpn tokens, etc. to. It was usually signed off by a responsible person in each area. BEFORE I turned it in to the final person I made a copy for my records so that I would have proof that I turned everything in.

Hopefully your place had good policies around this. I do not allow generic accounts where I work except for in very rare cricumstances and have good procedures around them. If someone needs access they should have their own access (not talking about service accounts). If I have to perform an investigation I do not want people to use the "shared" account or shared password excuse.

If you have concerns that someone might use your accounts because it is easier, then ensure you close any loopholes you can. If they are not willing to lock your account, lock it yourself through 3 failed login attempts. Only do this if it would not cause any problems. By doing this you should know that your account was locked at the time of departure. Unless of course if your account has some running process or other business process that it would cause havoc by locking it then don't do it, but then again they shouldn't be running the business this way. They would be able to unlock it of course, but then there should be a log of that happening, which you shouldn't have had access to anymore after you leave.

In the end if they do not terminate your account and someone does continue to use it, there is not much you can do except to ensure that there are no remnants hanging around on your personal devices like an email login, ensure you delete any apps you installed on your phone for MFA/2FA or other business processes. Remove any vpn software used for company business if you had to work from home and used your own equipment (and yes I do realize this does happen). Remove any favorites/bookmarks to company sites from your browsers. If you are still worried then keep good records of your termination/exit process. And I will add this caveat for others as I don't expect you would try this, but DO NOT try to login after you leave to check and see if they have terminated your accounts! I have heard of horror stories of ex-employees that thought they would check up and see if their former company was doing the right things in regards to terminated accounts and then have it go very badly for them when they brought up the failure to terminate their old accounts with their FORMER employer. At that point you are effectively hacking your former employer, which is frowned upon by the courts.

Luckily most places I have worked had a company issued smart id card that was tied to my login. Once I turned that in, I no longer had any access.

Re: On the other side of privilege removal

Steve-Wilme — Thu, 26 Nov 2020 09:52:38 GMT

@CISOScott Yes the organisation had good policies/practices around leavers, including a checklist to be signed off by line managers when a member of staff left, because I'd put them in place as Security Manager, however the CIO had told the rest of IT and HR to ignore established practice.

Re: On the other side of privilege removal

CISOScott — Mon, 30 Nov 2020 14:25:45 GMT

Any time an executive instructed me not to follow policies, I asked for it in writing. If they denied it to me in writing then I kept up the established process. I also followed it up with a nicely worded email that asked for clarification of the issue if they felt the policy should not be followed. If they feel strong enough to avoid doing it, then they should be able to put it in writing. I also tried to understand the "Why" behind why they didn't want to follow procedures so I could see if it was something I could help remedy.

Re: On the other side of privilege removal

rslade — Mon, 30 Nov 2020 18:56:15 GMT

> CISOScott (Community Champion) posted a new reply in Career on 11-30-2020 09:25 AM in the (ISC)Â² Community :

> I also followed it up with a nicely worded email that
> asked for clarification of the issue if they felt the policy should not be
> followed.

*Any* policy should have a policy (and a procedure) for documenting any
deviations from the policy.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Science is an edged tool, with which men play like children, and
cut their own fingers. - Arthur Eddington
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: On the other side of privilege removal

Steve-Wilme — Tue, 01 Dec 2020 08:47:21 GMT

All those things were in place, however our new CIO took the unfortunate view that everything to do with security was "absolutely delusional" and could therefore simply be ignored; a bit like staying within the IT budget (also ignored) and regulatory compliance (also ignored). When you get to the point where half the IT department leaves in a 3 month period and isn't replaced due to a CIO, the problem probably is beyond fixing.

Re: On the other side of privilege removal

CISOScott — Thu, 03 Dec 2020 11:58:20 GMT

When you have a toxic CIO like that, you need to cover your rear. That is why I like to send emails that "recap our earlier conversation" to make sure I "understood your intent". Then if they try to throw it back in your face I can refer to our previous conversation that "I emailed you about". As the system owner the CIO has every right to "accept the risk" of any decision they want to make and as the CISO I have the right and responsibility to ensure that any "risk they are willing to accept" is fully documented in a risk acceptance document. It is also my duty to fully inform the CIO/Senior management of the risks of their decisions and if they (CIO) or senior management is willing to accept the known risks I have presented to them, I document it and get them to sign it. I make sure I have emailed it to them to sign and return to me. If they refuse to sign it, I send a couple of follow up emails so that I have it documented that I made every reasonable attempt to get them to sign it. That way I am as protected as I can be.

If senior management is OK with a toxic CIO, I then ensure my resume is up to date and I start looking for jobs with intense focus.

Re: On the other side of privilege removal

Steve-Wilme — Wed, 02 Dec 2020 13:47:22 GMT

After 9 months of doing as you suggested I took the latter option and found another job. Once you've lost a critical mass of staff you're not going to make headway anyhow.