cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ericgeater
Community Champion

On the other side of privilege removal

I'm about to amicably leave my current employer.  My accounts are tied to several resources.  I would prefer to be locked out of everything upon separation, but this is unrealistic.  I would be satisfied to be locked out of all external connectivity.

For reasons I cannot explain easily, I'm certain this will not occur on my request.  But I feel like I am entitled to the nonrepudiation which a lockout would provide.  Have any of you faced the desire of remaining blame-free upon separation?  How did you convey this importance when leaving

--
"A claim is as good as its veracity."
12 Replies
Xenophore
Newcomer II

Absolutely. In the places I've left amicably, I made sure that any and all of my privileged access was removed or transferred to others so that my accounts could be wiped completely.

gidyn
Contributor III

Change the passwords to a random string that you don't keep a record of, and let them know that.
ericgeater
Community Champion

I will not be changing anything any more.  It is not my responsibility to change anything any more.

--
"A claim is as good as its veracity."
dcontesti
Community Champion

 Double edge sword this one.

 

If it is amicable do you have reason to believe they will come after you?  If, ask them for a document stating that you are not responsible as you have notified them of all the accounts and that you have requested all remote access be terminated (That is of course unless one of these accounts has remote access).

 

This is why I tell my staff to create generic accounts for all application(S) or re-use the generic account.  Also that the password should be set by the admins (Not you) and put into a firecall process (the password is only used for emergencies and immediately changed after use).

 

However, if you believe things will be okay (have they been hacked, can they be hacked, are they in a target group), then cross your fingers nothing happens between your leaving and the next time the password is reset (huge assumption that there is a policy to change all passwords in x days).

 

Enjoy the new job and try not to worry about what may be.

 

d

 

Steve-Wilme
Advocate II

I encountered a similar issue, with having to ensure all my accounts were removed on my last day with an employer and all my IT equipment and documentation returned.  Now it was supposed to be my line managers responsibility, but I ended up planning doing it myself so I'd have an audit trail of the actions I'd taken and positive confirmation.  

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

One of the ways I have handled this is to have a "check out sheet" that shows where I turned in my key fobs, badges, vpn tokens, etc. to. It was usually signed off by a responsible person in each area. BEFORE I turned it in to the final person I made a copy for my records so that I would have proof that I turned everything in.

 

Hopefully your place had good policies around this. I do not allow generic accounts where I work except for in very rare cricumstances and have good procedures around them. If someone needs access they should have their own access (not talking about service accounts). If I have to perform an investigation I do not want people to use the "shared" account or shared password excuse.

 

If you have concerns that someone might use your accounts because it is easier, then ensure you close any loopholes you can. If they are not willing to lock your account, lock it yourself through 3 failed login attempts. Only do this if it would not cause any problems. By doing this you should know that your account was locked at the time of departure. Unless of course if your account has some running process or other business process that it would cause havoc by locking it then don't do it, but then again they shouldn't be running the business this way. They would be able to unlock it of course, but then there should be a log of that happening, which you shouldn't have had access to anymore after you leave. 

 

In the end if they do not terminate your account and someone does continue to use it, there is not much you can do except to ensure that there are no remnants hanging around on your personal devices like an email login, ensure you delete any apps you installed on your phone for MFA/2FA or other business processes. Remove any vpn software used for company business if you had to work from home and used your own equipment (and yes I do realize this does happen).  Remove any favorites/bookmarks to company sites from your browsers. If you are still worried then keep good records of your termination/exit process. And I will add this caveat for others as I don't expect you would try this, but DO NOT try to login after you leave to check and see if they have terminated your accounts! I have heard of horror stories of ex-employees that thought they would check up and see if their former company was doing the right things in regards to terminated accounts and then have it go very badly for them when they brought up the failure to terminate their old accounts with their FORMER employer. At that point you are effectively hacking your former employer, which is frowned upon by the courts.

 

Luckily most places I have worked had a company issued smart id card that was tied to my login. Once I turned that in, I no longer had any access.

Steve-Wilme
Advocate II

@CISOScott Yes the organisation had good policies/practices around leavers, including a checklist to be signed off by line managers when a member of staff left, because I'd put them in place as Security Manager, however the CIO had told the rest of IT and HR to ignore established practice.  

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

Any time an executive instructed me not to follow policies, I asked for it in writing. If they denied it to me in writing then I kept up the established process. I also followed it up with a nicely worded email that asked for clarification of the issue if they felt the policy should not be followed. If they feel strong enough to avoid doing it, then they should be able to put it in writing. I also tried to understand the "Why" behind why they didn't want to follow procedures so I could see if it was something I could help remedy.

rslade
Influencer II

> CISOScott (Community Champion) posted a new reply in Career on 11-30-2020 09:25 AM in the (ISC)² Community :

> I also followed it up with a nicely worded email that
> asked for clarification of the issue if they felt the policy should not be
> followed.

*Any* policy should have a policy (and a procedure) for documenting any
deviations from the policy.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Science is an edged tool, with which men play like children, and
cut their own fingers. - Arthur Eddington
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468