Page 6 - Cyber Warnings
P. 6
As much as reasonably possible, these rules should be narrowed per group in this instance.
When this general rule is not applied, the administrator is allowing for the staff member to
complete unauthorized tasks, escalation or privileges and a greater level of risk, by their own
actions. There is not a need to make this more difficult than it already is.
People occasionally leave their position, either voluntarily or are provided the opportunity to
seek other employment immediately. There are a number of high profile actions that tend to be
effected directly thereafter, especially when the person is leaving of the business’ choice. This
may include securing the ID card, access card, the corporate credit card, corporate issued
phone, and corporate email.
These may contain sensitive and confidential information that needs to be maintained as such.
In a much more mundane scenario, the person may also just change their position. In this
alternative use case, the employee may not need the same access. Adjusting these assists to
the appropriate level assists with limiting data loss.
Often, regardless of the person’s underlying rationale for the position change, the person’s AD
may not be thought of as a point to check and modify. There may not be a checklist or other
template to remind the management and support staff to review all affected areas.
Leaving the prior employee’s set of access per AD also has other issues. The prior employee
may have rights to services they should not have. The future staff members may review the AD
file entry and believe through no fault of their own, this person is still an active employee. The
business may also be examined or audited.
This provides an issue when the current employee list from Human Resources is compared to
the AD list, which shows the person’s last login was two years in the past, when they were
actually an employee. The auditor may view this being indicative of a systemic issue, requiring
further reviews.
The IT world is amply busy and complex on its own rights without adding more issues requiring
time and resources to remediate. Not adjusting AD as employee changes are effected is not a
great choice to make. This is a quick area to be mitigated and also can save a significant
amount of time when implemented as needed.
About The Author
Charles Parker, II began coding in the 1980’s. Presently CP is an Information Security Architect
at a Tier One supplier to the automobile industry. CP is presently completing the PhD
(Information Assurance and Security) in the dissertation stage at Capella University. CP also is
an adjunct faculty at Thomas Edison State University. CP’s interests include cryptography,
SCADA, and NFC.
He has presented at regional InfoSec conferences. Charles Parker, II may be reached at
[email protected] and InfoSecPirate (Twitter).
6 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
