Jay Butler, Senior Technical Consultant
© 2006 by Safe Systems, Inc.
Parting with an employee is rarely an easy process for any business, especially for banks, where privacy and security play a part in almost everything. One important security aspect of employment separation involves the computer network. The bank must perform its due diligence to prevent former employees from accessing it. Otherwise, the network could be used for a variety of malicious purposes such as impersonation, information theft, or intentional damage. Such actions result in negative consequences that may include extended system outages, damage to the bank’s reputation, breach of privacy, and litigation. Securing your system from former employees involves two broad areas:
- Prevent remote access to the network – ensure former employees cannot access the computer system from off premises
- Prevent local access to the network – ensure former employees cannot access the computer system while on premises at a bank location.
If the separation is expected, your Security Officer should plan ahead to ensure the person leaving will not have access to the computer network from the moment separation occurs. We have provided a detailed checklist as an attachment to facilitate the process.
Many of the details that follow could be orchestrated ahead of time to ease the separation process and ensure optimum network security. Alternatively, perform the tasks during and immediately following the separation.
Secure the Network Perimeter
When an employment separation occurs, it is important to know that the person leaving has no ability to access the bank’s computer network remotely (while not physically on bank premises). Blocking this access is often overlooked in favor of changing local network passwords and disabling accounts. Let us be sure to disable any remote access first, even a day or more in advance if the separation is expected.
These days, opening the perimeter for legitimate purposes is commonplace. Network support vendors often use remote access to provide technical support. Security vendors may use it for remote monitoring. Banks may allow employees access to the system remotely for business purposes. Your Security Officer should be fully aware of methods allowed on your system, what they are used for, who uses them, and how they are controlled. Additionally, these methods should be documented for administrative and auditing purposes.
In some cases remote access can be used without an account or user password, so changing network passwords or disabling accounts will not block its use. The Internet firewall controls any remote-access communications originating from the Internet. These connections are the most vulnerable because the Internet is publicly accessible to anyone. Be sure your firewall does NOT have any remote access openings that can be used by former employees. Contact your firewall management provider to confirm yours is properly secured.
In general, this check entails examining the firewall configuration for any Virtual Private Network (VPN) configurations. Typically, the configured VPNs will be secured between two firewalls, restricting access to only the users of a remote network. Former employees cannot use this type of remote access because they do not have physical access to the network at the remote facility. In addition, these connections are typically disabled when not in use and are only enabled during periods when needed.
Any other VPN configurations not secured to another firewall in this manner should be carefully evaluated. For example, SonicWall Client VPN configurations consist of software loaded on a personal computer that allows that computer remote access. If a former employee knows the configuration settings, he could set up a remote access tunnel to the bank without anyone knowing it. In fact, the former employee may have already had it set up on his home computer for use while employed by the bank. He may have been an administrator with access to the settings, or perhaps the bank authorized his access for other purposes. If the SonicWall allows Client VPN access, it should be disabled or the credentials should be changed every time an employment separation occurs.
On SonicWall firewalls, VPN connections are configured and controlled through the VPN configuration page, and other remote access methods may be configured in Access Rules. Your Security Officer should document all rules that allow any access into the network from the Internet; moreover, he should be fully aware of any rules that are used for remote access purposes.
A common rule configured for remote access allows communication over PPTP (in the rules, this is known as a service or port). If PPTP is allowed, the rule must include a specific source IP address to prevent VPN access attempts by anyone on the Internet. To successfully connect, a valid username and password are required, but do not rely on this alone. Allowing PPTP without specifying a source IP address is NOT recommended. You should consult with your firewall support vendor to check for this and any other inbound rules that could be used for remote access.
Two less important remote access methods are remote dialup connections over a modem and connections over WAN routers. WAN routers are used at each bank location to provide communications to other bank locations and/or to remote service providers like Jack Henry, Fiserv, or Fidelity. In some cases a service provider may use remote access over these connections to provide support. Unless a former employee has access to the service provider facility, he won’t be able to use the connection for anything. Therefore in almost all cases, the WAN routers are not vulnerable to former employees.
While rarely used these days, modems present an opening for anyone who may know the dial-in phone number for them. The modem must be powered on and connected to an outside phone line that allows dial-in access. If a former employee (or anyone else) knows the phone number, he could use it to establish remote access connections to the bank. If modems are used, they must either be configured to deny dial-in access or to require usernames and strong passwords. In the latter case, the passwords should be routinely changed to reduce the risk of unauthorized access over modems. These days, best practice suggests avoiding modems altogether and phone outlets should be configured to block any dial-in access.
Secure the Network
When an immediate separation occurs, the person should not be allowed any further physical access to the network. If any access is allowed, it must be closely overseen by a designated employee like the Security Officer or Systems Administrator. In situations in which an employee is working out a notice period, his administrative privileges should be revoked, and all system activity should be closely monitored.
As you know, to access the computer system at the bank, an employee must have a valid username and password. Before an employment separation occurs, your Security Officer should determine all user accounts the employee could be using. Prior to or at the moment of separation, these accounts should be disabled. Typically, it is best to disable the accounts to prevent their use rather than immediately deleting them. Delete the accounts after confirming the conclusion of all aspects related to the separation. For example, the bank may want to investigate the former employee’s e-mail usage. The simplest way to do this is to change the password on the associated user account and re-enable it. This way, it will receive e-mail as usual, and it can be easily accessed using the original user account with the new password. The former employee will be unable to access the e-mail because he will not know the new password.
While the previous scenario is true for banks using a Microsoft Exchange e-mail server, it may not pertain to banks using other email servers. Preventing e-mail access in these cases may have nothing to do with the Windows network user account. For ALTN Mdaemon systems, the user’s e-mail account must be accessed on the Mdaemon server. Again, in order to maintain e-mail processing, the account should not be deleted. Instead, the e-mail account’s password should be changed to block access by the former employee. With Mdaemon, if he knew his e-mail password, he could possibly access his e-mail (even from outside bank premises without direct remote access). Changing the password will prevent this while maintaining e-mail flow. If e-mail processing is no longer needed, the account may be safely deleted from Mdaemon. For banks that use an external e-mail provider like EarthLink for Internet e-mail, the provider should be contacted to change the password or to discontinue the account altogether.
After disabling the former employee’s network user account(s) and disabling his e-mail access, what remains? Change the password on all user accounts by setting each to force a password change at the next logon. This will eliminate the possibility of the former employee using one of these accounts to gain access. Though easily done by accessing each account in Active Directory Users and Computers to select the appropriate check box, it is not practical in most networks where perhaps hundreds of users exist. Your network support provider can assist you by using the Microsoft tools DSMOD and DSQUERY to set this option for all users with a single command line.
Administrator-level accounts deserve special attention because they are the “master keys” of the network. Your Security Officer should have a list of these accounts along with what each is used for and who uses them. To verify, check the membership of the Domain Admins and Administrators groups in Active Directory. In the realm of Windows Domains (Windows networks), administrator-level accounts will be contained in one or both of these groups.
The aforementioned setting to require all users to change their password at next logon applies to administrator-level accounts like any other, but these accounts may not be accessed for long periods of time. Therefore, the user of each administrator-level account must change the password manually. Although highly discouraged, some of the administrator accounts may be used by more than one person. In these cases the Systems Administrator or Security Officer should change the password and disseminate it where needed, while making sure the “change password at next logon” setting is not selected.
Changing the password for all administrator-level accounts almost always creates a few minor problems. Most notably, the Services function on every server may be affected. Services run on every Windows computer on your network; moreover, each uses a user account of some kind that often requires a password. Fortunately, we do not need to worry about every workstation, but we must check the Services on every server to maintain functions like data backups.
Most Services will use a built-in account called Local System or Network Service. We are not concerned with these, but any service that uses a network username like one of the identified administrator accounts will require modification. Each of these services on each server must be accessed to change the associated password. Veritas BackupExec should also be checked to modify the password for any accounts it specifies for backup jobs.
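The account and service steps above (disable rather than delete the leaver’s account, list the administrator-level accounts that need manual password changes, force a password change at next logon for everyone else, and find server services running under a domain account) can be scripted. The following is an added example, not part of the original article or any Safe Systems tool; it uses the Windows ActiveDirectory PowerShell module rather than the DSQUERY/DSMOD tools the text names, and the server list and the leaver’s account name are assumed parameters.

```powershell
# Added offboarding audit script (example, not from the original article).
# Requires the ActiveDirectory module (RSAT) and domain admin rights.
# Without -Commit it only reports; with -Commit it makes the changes.
param(
    [Parameter(Mandatory)] [string]$LeaverSamAccountName,   # assumption: leaver's logon name
    [string[]] $ServerNames = @('SERVER1', 'SERVER2'),      # assumption: your server list
    [switch] $Commit
)
Import-Module ActiveDirectory

# 1. Disable (do not delete) the leaver's account so e-mail and records survive.
$leaver = Get-ADUser -Identity $LeaverSamAccountName -Properties Enabled
if ($Commit) {
    Disable-ADAccount -Identity $leaver
    Set-ADUser -Identity $leaver -Description "Disabled $(Get-Date -Format s) - separation"
}

# 2. Administrator-level accounts: members of Domain Admins and Administrators.
#    Their passwords are changed by hand, not by the next-logon flag.
$privileged = @('Domain Admins', 'Administrators') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName -Unique
Write-Host 'Administrator-level accounts (change these passwords manually):'
$privileged | ForEach-Object { Write-Host "  $_" }

# 3. Every other enabled user must change password at next logon.
#    (The article's DSQUERY/DSMOD equivalent, which flags all users including
#    admins:  dsquery user -limit 0 | dsmod user -mustchpwd yes)
$ordinary = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { $privileged -notcontains $_.SamAccountName }
foreach ($u in $ordinary) {
    if ($Commit) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true }
}
Write-Host ("{0} user accounts flagged for password change at next logon" -f @($ordinary).Count)

# 4. Services on each server that run under a domain account. These break when
#    that account's password changes unless the service logon is updated too.
#    Built-in accounts (LocalSystem, NT AUTHORITY\NetworkService, ...) are skipped.
foreach ($srv in $ServerNames) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $srv |
        Where-Object { $_.StartName -like "$env:USERDOMAIN\*" -or $_.StartName -like '*@*' } |
        ForEach-Object { Write-Host ("{0}: service '{1}' runs as {2}" -f $srv, $_.Name, $_.StartName) }
}
```

Run it first without -Commit to review the report, then again with -Commit once the Security Officer has confirmed the account list.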
Also consider any other passwords the former employee may know. Systems Administrators often know the firewall password, so it should be changed when an administrator leaves. Check the firewall for any additional accounts and change the passwords. Knowing ahead of time all accounts each employee uses is a must to help ensure all non-network accounts can be addressed.
While a functional concern more than a security concern, another thing to consider is notifications. For example, BackupExec sends status notifications for backup jobs, SonicWall sends its log and alerts, and antivirus software sends virus alerts. All notifications should be directed to a current employee to provide continued operation.
Many authorities on the topic contend that most network attacks are performed internally by an employee, so ensuring former employees are truly “former” is vital. Ensuring they do not have access will decrease the number of people the system is vulnerable to. While most separations are amicable, the same guidelines should be followed regardless of the circumstances. The main two points of entry are remote access controlled at the Internet firewall and local access controlled by user accounts. No two computer systems are exactly the same, so you should consult with an experienced network security professional to determine your exact exposure. If you run a Windows network with a broadband Internet connection, use the following checklist to cover the common items. In most cases, this is all you will need.
Download the Employee Separation Checklist here.