10% of IT Pros Can Access Previous Jobs' Accounts

dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."

Re:Only 1 in 10?

[characterZer0]

People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

Re:I'd better not be able to...

[Stenchwarrior]

They made you disable the access?! That's either very lazy or...well, I don't know what else. Relying on the person leaving to kill their own access is a bit like leaving the wolf to tend the chickens, no? I'm sure there are audit trails that show that if certain places in the network are accessed it can be traced back to your username, but who's to say that your particular account didn't get hacked? This only creates headaches for the IT manager later down the road. This reminds me of my brother who is very good at not working, but at a cost where he actually works harder to not work, more so than he would if he actually just fucking worked.

Re:Only 1 in 10?

[DrgnDancer]

Lat place I worked (may it rot in Hell) I hired a junior admin (whom I like, and now feel really bad for accidentally screwing that way) whose previous company did that. It was a small organization and they'd only had him and another guy in IT. Every so often they'd pass him a few bills to login and fix something. Worked out well all around, he made a few extra bucks and they didn't have to do a panicked job search to replace him instantly. Definitely a terrible idea from a strict IA perspective, but it was a family owned company and they liked and trusted him (with good reason, he was a likable, trust-able guy).

Re:Audits needed

[Shadow99_1]

I'm with you right up til you start talking about mandatory password changes. Research has pretty well proved by now that making people change their passwords regularly means they write them down. A written down password provides a worthless level of protection from from almost every attempt to get into a system. Statistically a person with a secure password they can remember is far more secure then any number of new passwords they cannot.

Re:wtf?

[Eivind]

social engineering is so very simple, and so very effective, true.

Google a mid-sized company enough to know the name, position and email-adress of an employee, and the name of one of his/her supervisors.

"Hi, it's from [network-provider] - I got a report that you where having some trouble accessing your email, [name-of-supervisor] couldn't get at his at all today - do you have a minute to perform some tests on your account ?"

People will gladly tell you their passwords, if it appears you know what you're doing and you know even a *tiny* bit about their environment, enough to make you seem legit.

It's not hard.

Re:well, i can

[John Hasler]

> but is it my responsibility to suggest they change the password?

You should do so for your own protection. Do it in writing. Don't check to see if the password has been changed, however: you could be accused of "breaking in". Just send them a letter reminding them to make the change.

> especially since a 'professional' it outsourcing company took it over?

Which may look around for a scapegoat after they screw up. You really don't want them to discover that a break-in occured via an account for which you, a "disgruntled former employee", had a password.

Re:I'd better not be able to...

[somersault]

I hate when people don't actually tell me that an employee has left. Last week someone was like "did you know that Elaine is back already?" and I was suprised to hear that she'd even left. Sure, come to me when you need a new account, but if someone leaves nobody says a thing. In fact I'm going to email our new HR dept right now, it should be part of the procedure when people leave..

Make sure to document account removal request

[bl8n8r]

When I leave a place, or a contract is over, I usually work it into an email to request my credentials be removed, or account disabled.  When something goes wrong, the first thing everyone does is point a finger at the last person that left.  If my account has been disabled, it's pretty easy for me to prove my innocence and not waste time trying to convince anyone.  Also puts a little more weight into your argument when you produce an account revocation document which a company was negligent in following through with.  Doesn't sound like much, but makes a *huge* difference when the witch hunt starts.

Re:well, i can

[mysidia]

Sure I do. I didn't do it, so they can't prove I did. And I get to rub it in their faces- "You fired me, a competent employee, and hired some losers who can't even change a password. What idiots!!".

The best thing to do in such circumstances is probably to just let yourself forget what your old password is. Providing you were smart, it is a strong password, and difficult to remember, it will be forgotten eventually.

Just don't try to remember it or use any new password similar to it.

Re:Only 1 in 10?

[Ephemeriis]

People often leave on good terms and the accounts are kept so the ex-employees can help out later here and there if asked.

At my current job, I've replaced a guy who accomplished a hell of a lot in the two years that he was here. There's a good chunk of stuff here that my boss doesn't really feel comfortable with. So he disabled my predecessor's account, instead of straight-up deleting it, in case we had to call him in for help (at which point he would have been paid as an independent contractor).

But that account is disabled. Even though it's still got the same credentials on it, and could be re-activated and used in an emergency, it doesn't currently work. My predecessor could not log in right now if he wanted to.

You'd have to be crazy to intentionally leave an account active and functioning after someone leaves the company.

Quest.

[saintlupus]

If only the company who commissioned this survey happened to sell a bunch of account and identity management tools.... Oh, they do? What luck!

Re:well, i can

[bzipitidoo]

Seriously. Unless you are rehired, never touch your old accounts again, no matter how well intentioned. The law is over the top on punishing evil hackers. Even if the risks seem low, the law makes it so not worth helping out should things turn sour. The least you should have is decent compensation for the risks you're taking, and to help allay suspicions of whether you could have ulterior motives.

My last employer wanted me to continue to help out after the money ran out. So I was to keep right on doing what I had been doing, with no contract, and no pay? No way!

I do NOT have a hard time

[SmallFurryCreature]

I know I still got access because they called me from a previous job if I could help them out and I just tried my login during the call to see what was going on and it was still there. I just thought "oh", fixed the issue and mailed that I still had access and left it at that.

I am a pro but not a sys admin. If I do not work for them, I do not have a need to access their servers and so I don't. Not very hard. Disgruntled? Even then I wouldn't because it would be against the law and could seriously hurt future employment.

The trick therefor for companies is to both have good account management AND hire professionals who care about not becoming a criminal.

Seriously kid, to anyone who read this, you just gave a massive reason NOT to hire you.

Do I as an employer constantly have to worry if it is that time of month for you?

Re:well, i can

[mlts]

This. If you are good at the IT job, your work is invisible. However, one needs to make sure they are not invisible, mainly by proactively checking with other cow-orkers and departments to see how things are running, anything possible they can get, etc. This way, you have a presence.

I have seen companies fire their IT guys who have extreme clues because they thought that they could get someone cheaper to run things, then their whole infrastructure collapses with the guys they hired on to replace the veteran IT people barely able to do firefighting duties. Said companies end up with two choices, either finding another veteran IT person that they likely will end up paying far more, re-hiring the guy they fired (assuming he or she would ever bother to come back), or re-hiring the fired person as a consultant for a lot of cash.

Here is the ironic thing: The PHB who has the MBA goes through courses like ITIL/ITSM concepts where they have to pass concepts like this. So, the concept assuming that the IT infrastructure would work perfectly by jettisoning veterans was taught to them that it won't work.

Re:I do NOT have a hard time

[flimflammer]

Do I as an employer constantly have to worry if it is that time of month for you?

If you as an employer had the forethought (they rarely do) to worry about that, then they would have changed the login credentials already.

I don't feel the need to baby my ex-employers through their incompetence. I'm not going to do anything with the information, but when you let me go, my obligation to the company ends there. It should be standard operating procedure when you let someone in IT go who has privileged login credentials, that you revoke those credentials.