IT companies are becoming key targets of cybercriminals, intent on compromising their supply chains and customers.

One MSP or IT company might serve hundreds of customers so a well-timed and thought-out attack can be extremely profitable.

One of the key control areas within cyber resilience is that of user access; making sure only the people that need access have access.

But what happens once that user no longer needs that access?

And if that user has an Admin account does this increase the risk?

What if???

Let’s call our hypothetical admin user Jessie.

• Jessie has transferred departments into a management role with no requirement for admin permissions
• Jessie still has access to that shared password spreadsheet that your company pretends doesn’t exist
• Jessie has not set up 2FA on that admin account
• Jessie uses their admin account for everything as switching to a user account is tiresome
• Jessie uses the same password for multiple apps, for both private and work accounts
• Jessie’s credentials can be found in a data breach

So, a cybercriminal can get the credentials from the darknet and log in to the system, navigate to the cunningly hidden password spreadsheet and then access everything?

Um...

Would anyone notice?

As Jessie has just transferred internally no one has thought about the permission that they have and maybe if they are still required. This means that the admin account is still active months after it should have been.

Jessie doesn’t mind because it allows them to download software without having to bother anyone about it, even from unapproved stores.

And as Jessie is still working internally, and using their account as usual, when someone else logs in using their credentials, it goes unnoticed.

What about if Jessie had left the company?

HR and IT didn’t talk to each other so again Jessie’s accounts weren’t deactivated, leaving the access open to anyone. The change in activity levels might be picked up by logging if the break in activity was registered as a new baseline, rather than assuming Jessie was on holiday.

There is also the risk that Jessie didn’t leave the company on the best terms and maliciously tries to use his credentials, which they find still work. They go and delete key information, encrypts that master password spreadsheet or installs some malware.

What should have happened?

Finger's crossed that any IT company wouldn't have an admin users who doesn't know or appreciate the fundamentals of cyber security but in our scenario there’s some bad practice that Jessie’s company needs to sort out for everyone.

• Don’t have a shared excel spreadsheet of passwords. There are enterprise password managers which allow sharing of the passwords securely and control of the accounts, meaning you can stop people’s access after they no longer need it. You might consider changing the access passwords when someone with shared access leaves in case they have copied it before going, or their device has stored it.
• Make sure 2FA is implemented. Yes, it can be pain especially with multiple systems you’re popping in and out of, but if this is the case maybe look at hardware tokens such as yubikeys which only require a touch rather than opening of phones. 2FA will stop that criminal using released credentials, unless they also phish the auth codes.
• Regularly review Admin access. Criminals want to have Admin access, and therefore having old admin accounts is a risk. Reviewing admin access on a weekly/monthly basis should be part of your SOP. This shouldn’t be a case of “yep, they’re still working here” but asking “what systems do they have access to?” and “do they need it?”. And this should be for programmes as well as people.
• Have clear expectations about the use of admin accounts and password policies. Jessie used bad practice with the reuse of passwords but also using the admin account for everything they did. Admin accounts should only be for admin activities to minimise the risk of that account being compromised and to be able to spot odd admin behaviour. If you want someone else to review your policies, we offer an affordable policy review. Why not have a look?
• Get notified about breaches with your company domain. Register with the National Cyber Security Centre’s Early Warning system and haveibeenpwned.com domain check to ensure you get notified when your account credentials get released.

Further Guidance and Support

The ECRC is a police-led, not for profit organisation which companies can join for free.

Our core membership provides:

• Threat alerts both regionally and nationally
• Signposting to free tools and resources from both Policing and the NCSC
• Little steps programme – series of weekly emails which aligns to cyber essentials looking at bite-sized practical information to build cyber resilience
• Discussion area to meet and discuss other companies in the region and our partners