By Jeff Bohren, Chief Software Engineer at Optimal IdM
Employee turnover creates vulnerabilities that are hard to control
Employers have faith that most of their workers are trustworthy.
So when an employee falls for a phishing scam, bosses assume it was an innocent mistake that could happen to anyone.
But some of those employees aren’t as innocent as they appear.
In a recent study, 27 percent of people employed by large corporations said they would sell their corporate passwords for as little as $150.
Satisfied employees identify with their companies; they’re not the ones to worry about.
It’s the disgruntled and frustrated ones who are dangerous.
That means companies with high turnover rates have the most to fear from insider sabotage.
High turnover, high vulnerability
Security professionals like to say security is a people problem, and casinos are a good example of why that’s true.
With staffs as large as 77,000, turnover rates as high as 30 percent and large multi-property gaming businesses reporting as many as 500 turnovers a week, casinos have a lot of access to control.
It’s not just the tellers and back office staff who have access to digital assets; all sorts of workers use networked systems.
For instance, a cocktail server will not have access to wagering accounts, but will have access to notoriously insecure point-of-sale terminals.
If a hacker can get the password for the point-of-sale system, he can take his time searching for paths to the pot of gold hidden away in a more critical system.
Think about that cocktail server.
She can make as much as $150,000 a year at a top destination like the Bellagio or the MGM, but only a fraction of that at smaller casinos and far less at clubs that aren’t part of a gaming property.
If she gets fired from one or two of the top properties, she’s not going to see $150,000 again.
She may have an axe to grind.
What’s stopping her from selling her password out of spite?
Nothing, but a sound access control system makes that password worthless: the account behind it is disabled, and its open sessions revoked, the moment she is terminated.
The express lane to theft
Software is everywhere, and that’s great for hackers.
Hackers are organized, funded, and willing to invest months in learning to breach a target’s system.
They conduct initial forays into their targets’ networks for the sole purpose of learning which appliances and software are in use, and then they buy those same tools, replicate the environments, and identify vulnerabilities from a safe position before going in for the kill.
Passwords can be guessed, deduced from social media, elicited through social engineering, or purchased on the Dark Web.
While most terminated employees aren’t evil geniuses, it doesn’t take an evil genius to figure out where the markets are for corporate passwords.
Access control is an urgent matter
Enterprises can only respond to this threat in one way – better password control.
For companies with large turnover rates, password control needs to happen easily and in real-time.
The moment someone is terminated, their access to the corporate network, including point-of-sale terminals, mobile devices, IoT devices, remote access connections, and anything else connected to the network, must be cut off.
Organizations need to have processes in place that tie HR activities to the IT department with a sense of urgency.
Otherwise, a terminated employee could offer their password for sale before they’ve even crossed the parking lot on their way out.
A password to the systems of a high value target like a bank, retailer, healthcare provider, or casino would sell within moments on the Dark Web.
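To make the HR-to-IT tie-in concrete, here is an added example (not code from the author or from Optimal IdM’s product) of the reconciliation step an identity team would run on every termination event. It reads a constructed HR feed and a constructed identity store, disables the accounts of terminated employees, revokes their live sessions and API keys rather than only changing a password, flags accounts that HR does not know about, and reports any account that stayed enabled longer than an assumed 15-minute target. The sample records, field names and the 15-minute limit are assumptions for the example; a real deployment would read the HR system and call the identity provider’s API.

```python
"""Added example: reconcile an identity store against an HR termination feed.
All data below is constructed; the 15-minute target (MAX_LAG) is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed service-level target: an account must be disabled within this long
# of the HR termination timestamp. Slower cases are reported, not hidden.
MAX_LAG = timedelta(minutes=15)


@dataclass
class HrRecord:
    employee_id: str
    status: str                              # "active" or "terminated"
    terminated_at: Optional[datetime] = None


@dataclass
class Account:
    username: str
    employee_id: Optional[str]               # None: directory has no HR link
    enabled: bool = True
    sessions: List[str] = field(default_factory=list)   # live session/token ids
    api_keys: List[str] = field(default_factory=list)   # long-lived keys


def deprovision(hr_feed: List[HrRecord], accounts: List[Account],
                now: datetime) -> Tuple[List[str], List[str]]:
    """Disable terminated employees' accounts and revoke their credentials.

    Returns (actions, findings): actions are changes applied in place,
    findings are conditions a human must review (orphans, SLA misses).
    Safe to run repeatedly: already-deprovisioned accounts produce no action.
    """
    by_emp: Dict[str, HrRecord] = {r.employee_id: r for r in hr_feed}
    actions: List[str] = []
    findings: List[str] = []
    for acct in accounts:
        rec = by_emp.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # Enabled login with no HR owner: nobody will ever "terminate" it.
            if acct.enabled:
                findings.append(f"orphan: {acct.username} is enabled but has no HR record")
            continue
        if rec.status != "terminated":
            continue
        if not acct.enabled and not acct.sessions and not acct.api_keys:
            continue  # nothing left to revoke
        if acct.enabled and rec.terminated_at and now - rec.terminated_at > MAX_LAG:
            lag = int((now - rec.terminated_at).total_seconds())
            findings.append(f"sla miss: {acct.username} stayed enabled {lag}s after termination")
        # Disabling the login is necessary but not sufficient: open sessions
        # and API keys keep working until they are explicitly revoked.
        revoked = len(acct.sessions) + len(acct.api_keys)
        acct.enabled = False
        acct.sessions.clear()
        acct.api_keys.clear()
        actions.append(f"disabled {acct.username}; revoked {revoked} credential(s)")
    return actions, findings


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: a server terminated two hours ago whose POS login is
    still live, an active teller, a just-terminated bartender, a shared account
    with no HR owner, and an account that was already disabled."""
    now = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)
    hr = [
        HrRecord("E100", "terminated", now - timedelta(hours=2)),
        HrRecord("E200", "active"),
        HrRecord("E300", "terminated", now - timedelta(minutes=3)),
    ]
    accounts = [
        Account("server.e100", "E100", sessions=["pos-sess-1"], api_keys=["pos-key"]),
        Account("teller.e200", "E200", sessions=["core-sess-7"]),
        Account("bar.e300", "E300", sessions=["pos-sess-9"]),
        Account("shared.floor", None),
        Account("old.e100", "E100", enabled=False),   # already handled earlier
    ]
    return deprovision(hr, accounts, now)


if __name__ == "__main__":
    acts, finds = demo()
    print("\n".join(acts + finds))
```

Run on the sample, the script disables the two terminated logins, reports the two-hour gap on the server’s account as a missed target, and flags the ownerless shared account; the account that was already disabled produces no action, so the job can be scheduled to run on every HR event without side effects.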
No manager wants to distrust their employees, and most employees are indeed trustworthy.
But it only takes one bitter person to realize that revenge and some pocket money are just a few clicks away.
For that person, the sale of their password is a little act of payback. For their former employer, that action could be catastrophic.
Learn more about how an Identity and Access Management solution can benefit your organization by downloading the Optimal IdM whitepaper, “Beyond The Password: Identity & Access.”
About the Author:
Jeff Bohren is currently the Chief Software Engineer at Optimal IdM.
Mr. Bohren has over 30 years of software development and architecture experience and over 20 years of knowledge in identity management and federation.
He has been serving on several OASIS technical committees including SAML, SPML, and DSMLv2.
He also served as the BMC Software representative to OASIS, Project Liberty, and OpenAuthentication.org.
An avid speaker and industry thought leader, Mr. Bohren was interviewed and quoted this year by many news outlets including eSecurity Planet, InfoSec Insider, The Last Watchdog On Internet Security and ITSP Radio.
Mr. Bohren has spoken at The Experts Conference, InfoSec World, BMC World, and The Cloud Identity Summit 2017.