When an employee leaves a company that doesn't mean that they should take their access with them, just as when your children leave home they shouldn't take the family TV. Calum Macleod from Cyber-Ark explains.

Our baby is leaving home. Now I know he's only 23 and has been in full-time employment for the last several years, but my wife doesn't know how the baby is going to cope. After all, he's never had to cook, wash, or take out the garbage.

His mother has even done his tax returns for him and now the debate starts about what he is legitimately allowed to take with him when he goes. First item on the agenda is the TV. After all when you're setting up your own home it's important to make sure you have your priorities straight.

The other topic of discussion is the front door key. After all if he's leaving then he leaves his keys - front and back door. Just because he lived here does not mean he's entitled to just walk in when it suits him.

Obviously a point that was lost on Mr. Harold James Boomer of Kansas City, who has just started a 10-month sentence in federal prison without parole and who must pay $24,000 in restitution to Midwest Technology Connections.

It seems as if Mr. Boomer decided to make a copy of the back door key when he left MTC in June 2006 to set up on his own. On his last day he created an administrator account that gave him complete administrative access to the network and let him monitor the email accounts of key employees.

He also admitted that he placed hacking software on MTC's systems, and that he had access to all of MTC's customers' data.

And it's not as if our man didn't know what he was doing. After all, his new company offered services such as ethical hacking. On his website he stated that 'companies cannot afford to have hackers infiltrating their systems and stealing their valuable information and assets.'

He added: 'We have found that security requirements are rarely addressed adequately in the design of new IT systems or projects. Our testing will highlight any security areas that may have been overlooked as well as allowing a more complete test of compliance with your security policy.'

Our man could truly speak from experience when he stated that 'a greater percentage of attacks come from the inside (from 'trusted folks') than from the outside...' He then went on to say that 'systems administrators should evaluate their users and the assets they have access to'. What he conveniently forgot to mention is that studies show that systems administrators, the people holding the most powerful credentials, represent the biggest risk.

From a security perspective, shared administrative identities are the most powerful IDs on any system, and they are also required for various system and security functions. This is especially true of distributed systems such as Windows, UNIX, firewalls and network appliances.

Distributed systems, especially in an enterprise environment, are supported by groups of systems administrators, very often including people who are working their notice period. So there is always a risk attached to sharing the passwords of these shared IDs.

The result is that every enterprise finds itself in a vulnerable position, both from an overall security perspective and from a regulatory and compliance perspective, because its most powerful IDs have shared passwords that are infrequently changed. Sharing the password of a privileged account leaves an organisation exposed to unplanned or malicious changes, and because every administrator logs in as the same identity it is difficult to hold any individual accountable for their actions.

For example, if the password is shared, any one of the administrators can change it and lock every other administrator out of the affected system. If the password is lost, the system typically has to be taken offline to recover it. And of course anyone holding the shared password can create new accounts with administrator privileges, or use that privilege to install some nasty software on the system, with nothing in the audit trail to say which person did it.
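The two failure modes described above, a departing administrator creating or elevating an account during his notice period and a shared password that nobody rotates after he leaves, are both detectable with a simple offboarding audit. The following is an added example, not code from the article or from Cyber-Ark: it runs over a constructed, simplified rendering of Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group), a constructed list of departing staff, and a constructed inventory of shared accounts with password-last-set dates. The usernames, dates and the one-line event format are invented for the example.

```python
"""Offboarding audit over constructed audit-log and inventory data (added example)."""
import re
from datetime import date, datetime

# Constructed list of departing staff: when notice was given and the last working day.
DEPARTING = {
    "hboomer": {"notice_given": date(2006, 6, 1), "last_day": date(2006, 6, 16)},
}

# Constructed Windows Security events in a simplified one-line form:
#   <timestamp> <event id> key=value ... (quoted values may contain spaces)
# 4720 = "A user account was created", 4732 = "A member was added to a
# security-enabled local group". Real events carry many more fields.
EVENT_LOG = """\
2006-05-28T09:12:03 4720 actor=hboomer target=svc_backup
2006-06-16T17:41:09 4720 actor=hboomer target=itsupport2
2006-06-16T17:42:30 4732 actor=hboomer target=itsupport2 group=Administrators
2006-06-16T17:50:11 4732 actor=hboomer target=itsupport2 group="Remote Desktop Users"
2006-06-17T08:05:00 4720 actor=jsmith target=newhire01
"""

# Constructed inventory of shared/privileged IDs and when each password was last set.
SHARED_ACCOUNTS = {
    "Administrator": date(2006, 2, 3),
    "root@fw01": date(2005, 11, 20),
    "sa@sql01": date(2006, 6, 20),
}

# Date on which the audit is run (constructed).
AUDIT_DATE = date(2006, 6, 30)

# Groups whose membership confers administrative rights.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Parse the one-line event format into dicts with time, event_id and fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, rest = line.split(" ", 2)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["time"] = datetime.fromisoformat(ts)
        fields["event_id"] = int(event_id)
        events.append(fields)
    return events


def notice_period_changes(events, departing):
    """Accounts created or added to a privileged group by someone working their notice.

    Returns (kind, actor, target, date) tuples; 'kind' is 'created' or 'elevated'.
    """
    findings = []
    for ev in events:
        person = departing.get(ev.get("actor"))
        if person is None:
            continue
        when = ev["time"].date()
        if not (person["notice_given"] <= when <= person["last_day"]):
            continue
        if ev["event_id"] == 4720:
            findings.append(("created", ev["actor"], ev["target"], when))
        elif ev["event_id"] == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
            findings.append(("elevated", ev["actor"], ev["target"], when))
    return findings


def stale_shared_passwords(shared_accounts, departing, as_of):
    """Shared IDs whose password has not been changed since a departed person's last day.

    A password set on the last day itself is treated as stale, because it may have
    been set before the person handed in their keys.
    """
    stale = []
    for account, last_set in shared_accounts.items():
        for user, person in departing.items():
            if person["last_day"] <= as_of and last_set <= person["last_day"]:
                stale.append((account, user, last_set))
    return stale


if __name__ == "__main__":
    for finding in notice_period_changes(parse_events(EVENT_LOG), DEPARTING):
        print("notice-period change:", finding)
    for account, user, last_set in stale_shared_passwords(SHARED_ACCOUNTS, DEPARTING, AUDIT_DATE):
        print(f"rotate {account}: password set {last_set}, {user} left and still knows it")
```

On the constructed data the audit flags the itsupport2 account created and added to Administrators on hboomer's last day (the svc_backup account predates his notice and is ignored), and reports that the Administrator and root@fw01 passwords still predate his departure while sa@sql01 has already been rotated. The "Remote Desktop Users" addition is deliberately left outside PRIVILEGED_GROUPS; widen that set to whatever counts as privileged in your own environment.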

In general these accounts fall into the following categories:

  1. System admin accounts, supplied and used by the operating system (e.g. administrator, root) or by the device (router, firewall, etc.);
  2. Operator functional accounts, used to perform system functions;
  3. Application functional accounts, used to install or run applications (e.g. 'db2inst'), also known as built-in accounts;
  4. Application admin accounts, used to administer applications (e.g. Microsoft SQL's 'sa', DB2's 'dba', MQSeries 'mqm'). These are identities that are hard coded into the applications themselves;
  5. Operational support accounts, created for and used by teams to perform support activities;
  6. Batch, embedded and service accounts, whose credentials are stored in or retrieved by scripts using a script-specific password or another authentication mechanism.

Many organisations rely on manual procedures that are completely inadequate. They rely on paper-based procedures generally known as emergency envelope procedures; they have policies that are rarely if ever enforced; they take little or no account of physical disaster situations; and they forget about the risk posed by their own IT staff.

In some cases the emergency envelope has been replaced by a secure password store or an encrypted file, but this does not address the issue of managing the account on the target system. It moves the passwords into a digital format, but it does not eliminate the manual processes involved in changing the password on the target and keeping the store in step with it.

What is required is a privileged password management solution that solves the problem of password management, protection, automatic changing, and access auditing in multi-user, multi-system environments for shared identities that need to be accessed by several individuals.

We know from surveys conducted in the UK that approximately a third of IT professionals leave an organisation still in possession of privileged account credentials. Like my baby, who thinks that because he's watched TV at home for 23 years he's entitled to take it with him, some IT professionals seem to think that admin account credentials are some sort of compensation they are entitled to when they leave.

Maybe it's time to start a campaign: 'Help keep former employees in employment!' In this case everyone is a loser. Had MTC stored and managed its privileged passwords in a digital vault from Cyber-Ark, with the shared passwords changed the day he left and every use of them tied to a named individual, the credentials Mr. Boomer walked out with would have been worthless, his last-day account creation would have been on record, and in all likelihood he would still be free and MTC would not have been hacked. In any case my baby will be leaving the back door key behind, and the TV is staying exactly where it is right now.

www.cyber-ark.com