Battle of the Week - Purging Old Employee Accounts
An association with a multimedia service provider that offers their customers internet services, monitoring services, TV, and phone.
A thorough cleansing of accounts that have access to the network from former employees should be performed. Since the process is not automated with this client, there is the possibility that not all accounts will be deleted that are associated with the user.
An NSOC Analyst looked over the nxlogs for the day and noticed two accounts had higher than normal logon failures. The Analyst then checked the previous days nxlogs to find the same two accounts had been failing to logon each day. The accounts were showing signs of possible light brute forcing attempts that were low and far apart enough to stay below the radar.
The logon failures had not generated alarms for the failed logons and may not have been found if the nxlogs had not been checked. The accounts or machines could have been compromised since the accounts were attempting to logon from the same IP addresses with the same amount of logon attempts daily.
The Analyst notified the customer of the two accounts that had failed logons and informed the customer of the concerns of what the issue may entail. The customer responded back that the accounts are from former employees that are no longer with the company and resolved the issue on their end.
Keep a list of accounts that employees use to access the various machines, servers, databases, etc. within the company. Therefore, when an employee is no longer with the company, the employee’s accounts can be properly deleted.