Four steps to securing your IoT Identity from ex-employees


When you see one of those cybersecurity stories about how an ex-employee “hacked” a company with terrible consequences, do you think, “That could never be us”? Or do you think, “I’m glad we don’t have anyone like that around!”?

Many companies are exposed to this former-insider risk; they simply haven’t been tested by a bad ex-employee yet. Last year, a Pennsylvania man was sentenced to more than a year in prison for “hacking” the remote water meters of his former employer. Local municipal customers couldn’t send out their bills because the meters weren’t reporting any readings. This “sophisticated hacker” still had credentials to his former employer’s water meter base stations. He logged in and made a variety of configuration changes that disrupted the meters. Even though he had been fired, the company didn’t think to change the passwords on any of the base stations. The ex-employee telneted in from his home computer with his existing credentials (Telnet, so those credentials also crossed the network in cleartext every time anyone used them).

You may think that your employee off-boarding process is much better than that. But the reality is that an employee may hold 25 or more credentials issued by your organization, and it is difficult to revoke them all. I was recently reviewing the access controls on the servers of a client of mine who had good security controls. They still had a former employee’s account enabled on one of their servers, even though they had removed his credentials in many other places. This is a client with strong security practices and even an off-boarding checklist. Imagine the situation at organizations with less formal processes!

Managing IoT credentials is harder still. There are many devices, often not under central control, so when an administrator leaves it is difficult to change the credentials in every location. In addition, each device in an IoT system typically holds its own set of credentials for integrating with different local and cloud-based systems. If your ex-administrator knows those credentials, every one of them has to change.

Four steps

We have identified four actionable steps that will help your organization improve its cybersecurity posture as it relates to identity.

  1. Disable ex-employee accounts. This one is so obvious, but somehow companies miss it. As soon as an employee leaves, all of his or her accounts should be turned off, especially those that can be accessed remotely. Organizations often build a departure checklist listing every account an employee holds. If you don’t have one, you should.
  2. Change system passwords upon administrative employee departure. When an administrator leaves, do you change the shared passwords on all infrastructure and devices? There is a good chance your organization doesn’t. Shared credentials are the hard case: disabling the person’s own accounts does nothing about a device password he or she memorized. If those devices are Internet-facing, or the ex-employee can still VPN in, you could be the next humiliating headline!
  3. Audit authorized VPN users. Many other mistakes can be caught by keeping tight control over your authorized VPN users, the users who can reach your network and systems remotely. If you make sure that only currently authorized users can VPN in, you reduce your risk of an ex-employee attack. Make sure your tech support team verifies active employment before enabling or re-enabling VPN access. Yes, this attack really has succeeded.
  4. Use Privileged Access Management (PAM). PAM is tooling for managing the accounts in your organization that have administrative access to important systems. These tools give authorized employees access without forcing them to remember many passwords, and they let multiple people use the same shared account while auditing who actually accessed each system. When employees leave, they can be removed from the PAM system without disrupting operations on each individual system. Configure the PAM vault to rotate a shared password after each checkout, or at least after every departure; otherwise a password an ex-admin once checked out is still valid.
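As an added example (not code from the original post, and not a Fractional CISO or Beyond Trust tool), the following Python script reconciles an HR list of departed staff against the account lists exported from each system (directory, VPN, CI server) and against an inventory of shared device credentials. It implements the checks behind steps 1 to 3 and the per-device credential problem described above: any enabled account belonging to someone who has left, and any shared credential whose last rotation is on or before the departure date of an administrator who knew it. The system names, logins and dates are constructed sample data, and the three record types are assumptions about what an organization's exports would contain.

```python
"""Offboarding reconciliation for IoT and infrastructure credentials.

Added example; the data below is constructed, not from any real organization.
Inputs a practitioner would export: HR departures, per-system account lists
(directory, VPN, CI, ...), and an inventory of shared device credentials.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Departure:
    user: str          # login name as issued by the organization
    left_on: date      # last day of employment
    was_admin: bool    # had access to shared infrastructure/device passwords


@dataclass(frozen=True)
class Account:
    system: str        # e.g. "vpn", "directory", "jenkins"
    user: str
    enabled: bool
    remote: bool       # account usable from outside the office network


@dataclass(frozen=True)
class SharedCredential:
    system: str        # e.g. a meter base station or a cloud integration
    account: str       # shared login such as "admin"
    last_rotated: date
    remote: bool       # device/service is Internet-facing or reachable over VPN


def orphaned_accounts(departures, accounts):
    """Step 1 (and the VPN audit of step 3): enabled accounts whose owner has left.

    Returns sorted (system, user) pairs; the VPN export is just one more
    account list fed in alongside the directory and application exports.
    """
    gone = {d.user for d in departures}
    return sorted((a.system, a.user) for a in accounts if a.enabled and a.user in gone)


def stale_shared_credentials(departures, creds):
    """Step 2: shared passwords an ex-administrator may still know.

    A shared credential is stale if it was last rotated on or before the
    departure date of any administrator (a rotation on the last day still
    counts as known, since the admin was present for it). Disabling that
    person's own accounts does nothing about a password he or she memorized.
    Returns sorted (system, account, ex_admin) triples.
    """
    findings = set()
    for c in creds:
        for d in departures:
            if d.was_admin and c.last_rotated <= d.left_on:
                findings.add((c.system, c.account, d.user))
    return sorted(findings)


def prioritized_report(departures, accounts, creds):
    """Combine both checks, remotely reachable findings first.

    Each entry is (priority, kind, detail). Priority 1 is remote-reachable:
    an Internet-facing base station or a live VPN account is what turns a
    missed checklist item into a headline.
    """
    remote_accounts = {(a.system, a.user): a.remote for a in accounts}
    remote_creds = {(c.system, c.account): c.remote for c in creds}
    report = []
    for system, user in orphaned_accounts(departures, accounts):
        prio = 1 if remote_accounts[(system, user)] else 2
        report.append((prio, "orphaned-account", f"{system}:{user}"))
    for system, account, ex_admin in stale_shared_credentials(departures, creds):
        prio = 1 if remote_creds[(system, account)] else 2
        report.append((prio, "stale-shared-credential",
                       f"{system}:{account} not rotated since {ex_admin} left"))
    return sorted(report)


# --- constructed sample data (hypothetical users, systems and dates) ---
DEPARTURES = [
    Departure("jdoe", date(2018, 6, 30), was_admin=True),
    Departure("asmith", date(2018, 8, 15), was_admin=False),
]
ACCOUNTS = [
    Account("directory", "jdoe", enabled=False, remote=False),   # handled at offboarding
    Account("vpn", "jdoe", enabled=True, remote=True),           # missed: can still dial in
    Account("directory", "asmith", enabled=False, remote=False),
    Account("jenkins", "asmith", enabled=True, remote=False),    # missed: local CI login
    Account("directory", "bwong", enabled=True, remote=True),    # current employee
]
SHARED_CREDENTIALS = [
    SharedCredential("meter-base-station-01", "admin", date(2018, 3, 1), remote=True),
    SharedCredential("meter-base-station-02", "admin", date(2018, 7, 10), remote=True),  # rotated after jdoe left
    SharedCredential("cloud-broker", "iot-ingest", date(2017, 11, 20), remote=True),
    SharedCredential("lab-switch", "admin", date(2018, 1, 5), remote=False),
]

if __name__ == "__main__":
    for prio, kind, detail in prioritized_report(DEPARTURES, ACCOUNTS, SHARED_CREDENTIALS):
        print(f"P{prio} {kind:24} {detail}")
```

Run it on your own exports by replacing the three constructed lists. The design choice worth copying is the second check: it is keyed on rotation date versus departure date, not on whether the ex-admin's personal account still exists, because a shared base-station password is exactly the credential that survives a clean personal-account offboarding.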

Where to learn more?

If it seemed that we just scratched the surface for how to secure IoT identity then you are right! We are about to release a white paper in conjunction with Beyond Trust about managing identity for your IoT system. Stay tuned for its imminent release.

But you don’t need to wait for the white paper to learn more. Next Thursday, September 13, Fractional CISO and Beyond Trust will be hosting a webinar on The 5 Crazy Mistakes Administrators Make with IoT System Credentials. Yes, we will cover the threat from ex-employees. But you will have to tune in to find the other four crazy mistakes.

For help with your cybersecurity strategy and execution contact us at Fractional CISO. We’ll be happy to help you get on a path to better cybersecurity decision making.
