Sometimes, businesses overlook a common source of attacks: misguided or disgruntled insiders.
The chances of an insider attack naturally increase after you’ve let an employee go, especially if you didn’t part ways on the best of terms.
When that happens, severing that employee’s remote access is an important step for keeping your systems and data safe.
To that end, the United States Computer Emergency Readiness Team (US-CERT) recommends that employee termination procedures include the following four steps:
- Disabling remote access accounts (such as VPN and dial-in accounts)
- Disabling firewall access
- Changing passwords of all group accounts (including system administrator, database administrator, and other privileged group accounts)
- Closing all open connections
Should an attack happen, “a combination of remote access logs, source IP addresses, and phone records usually helps to identify insiders who launch remote attacks. Identification can be straightforward because the user name of the intruder points directly to the insider. Of course, corroboration of this information is required, because intruders might have been trying to frame other users, cast attention away from their own misdeeds by using other users’ accounts, or otherwise manipulate the monitoring process,” warns the US-CERT in its “Common Sense Guide to Prevention and Detection of Insider Threats.”
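The checklist and the log correlation described above can be combined into a post-termination review of remote access logs. The following is an added example, not code from US-CERT or its guide; the log format, account names, IP addresses, HR record and password-change date are all constructed. It covers the account, group-password and open-connection steps, since firewall rules are not visible in this kind of log.

```python
from datetime import datetime

# Constructed sample remote-access log: time, account, source IP, event.
LOG = """\
2024-03-01T08:02:11 jdoe 203.0.113.7 CONNECT
2024-03-01T17:30:02 jdoe 203.0.113.7 DISCONNECT
2024-03-04T09:00:00 jdoe 203.0.113.7 CONNECT
2024-03-04T09:10:45 asmith 198.51.100.20 CONNECT
2024-03-04T18:00:00 asmith 198.51.100.20 DISCONNECT
2024-03-05T23:41:09 dbadmin 203.0.113.7 CONNECT
2024-03-06T02:15:30 jdoe 192.0.2.99 CONNECT
"""
TERMINATED = {"jdoe": datetime(2024, 3, 4, 12, 0)}    # constructed HR record
GROUP_PW_CHANGED = {"dbadmin": datetime(2024, 2, 1)}  # constructed: last password change

def review(log, terminated, group_pw_changed):
    findings, open_since, known_ips = [], {}, {}
    for line in log.splitlines():
        ts_raw, user, ip, event = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if event == "DISCONNECT":
            open_since.pop((user, ip), None)
            continue
        open_since[(user, ip)] = ts
        if user in terminated and ts < terminated[user]:
            known_ips.setdefault(user, set()).add(ip)  # baseline for corroboration
        elif user in terminated:
            # Step 1 gap: the remote access account still accepts logins.
            seen = ip in known_ips.get(user, ())
            findings.append(("ACCOUNT_NOT_DISABLED", user, ip,
                             "known source IP" if seen else "new source IP, corroborate"))
        for ex, left in terminated.items():
            # Step 3 gap: group password unchanged since the departure.
            if (user in group_pw_changed and group_pw_changed[user] < left <= ts
                    and ip in known_ips.get(ex, ())):
                findings.append(("GROUP_PASSWORD_NOT_CHANGED", user, ip,
                                 f"source IP previously used by {ex}, corroborate"))
    for (user, ip), start in open_since.items():
        # Step 4 gap: session opened before termination and never closed.
        if user in terminated and start < terminated[user]:
            findings.append(("SESSION_LEFT_OPEN", user, ip, "close connection"))
    return findings

if __name__ == "__main__":
    for finding in review(LOG, TERMINATED, GROUP_PW_CHANGED):
        print(finding)
```

The "corroborate" notes mark findings where the user name or source IP alone is not enough to attribute activity, which is the caveat the guide raises about framed or borrowed accounts.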
For more scenarios, guidance and case studies, access the full report here.