Most organizations implement controls around privileged account access for IT staff and administrators which includes revoking access upon employee termination. But what about vendors or managed service providers?
An interesting case came my way today from a team actually in the MSS (Managed Security Service) space. They received a call from a former customer who was decommissioned over two years ago seeking urgent support. As it turned out, the customer, a MAJOR US bank, (think “too big to fail”), needed the administrative login and password to a firewall they had long since forgotten. After challenging the caller based upon prior challenge/response detail on file, the credentials were provided to an authorized individual on behalf of the customer. No further updates conveyed as to whether this worked, although it does call into question controls around vendors.
Two years? Not only was a security device “lost” but the credentials may not have been changed when there was a change of vendor? This raises concerns on many levels and is particularly alarming coming out of the banking industry. While I absolutely know the name of the bank, for ethical reasons I will not disclose the name here although I may make a courtesy call to the CISO.
The takeaway here is to always monitor and review vendor accounts. Vendor access absolutely must be disabled upon contract termination.