Practitioner's Corner: The Case for Offboarding

Offboarding, Onboarding, Hiring, Recruit
Chris Poulin
Written by Chris Poulin
Field Chief Information Security Officer

Bitsight often gets questions about expired certificates on service provider systems. In many cases, the organization asking the question doesn't believe there's a risk, particularly if they haven't used the provider or host for weeks, months, even years.

At some point, the organization decided to use the service provider and went through contract negotiations, hopefully a third-party risk assessment, and an onboarding process. Most enterprises undergo a similar process when hiring and onboarding new employees and contractors: interviews, a background check, an employment contract. Then the employee is issued a company ID and/or door badge, provisioned access to facilities and computer systems, and outfitted with a desk, personal computer, and office supplies.

On the other side of employment, organizations demand the return of IDs and computers, and deprovision employees' access when they leave the company. However, in our experience few organizations institute a thorough offboarding process for service providers, sometimes resulting in leftover certificates that expire after a time, stale records at the Regional Internet Registries (RIRs, e.g., ARIN, RIPE, APNIC, LACNIC, and AFRINIC), and other artifacts as organizations beat a retreat from contracts.

Latent Risks

Finding an expired certificate on a Content Delivery Network (CDN) provider, for example, isn't necessarily a risk in itself. To continue the analogy of employee offboarding, if you know Mathilda left the company a year ago, but you find a record of Mathilda in a company directory, you'd guess there's a good chance there are other artifacts of Mathilda, possibly even active accounts. So when Bitsight finds an expired certificate, it calls into question whether there are still accounts and data on the service provider's assets.

It's worth noting that Bitsight doesn't just determine immediate risk, otherwise known as exposure; we analyze findings to assess an organization's security performance—what can we extrapolate about their security policy, processes and procedures, and governance? Expired certificates are an indication of a poor asset inventory, a gap in policy for managing the configuration of exposed systems, and/or a lack of an offboarding process.

Latent Liability

Even if there are no artifacts, there may still be liability. We frequently work with customers and their vendors to have their name and/or email addresses removed from RIRs, one of the sources Bitsight uses to attribute assets—IP addresses and CIDR ranges, in this case—to organizations during the mapping process. Usually the organization has a contract with an ISP, who assigns a block of IP addresses to the organization and updates the associated RIR with the name and email contacts of the organization to whom the IP address range has been assigned. However, ISPs have no motivation to remove assignment information from the RIR database when the customer terminates the contract; it's extra work for the ISP and it shows up as free IP blocks, which doesn't help justify the need when the ISP requests additional allocations from the upstream RIR.

To further understand the risks of stale internet registry records, see our post on Removing Stale Internet Registry Records the Simple and Quick Way, as well as guidance from ARIN and APNIC (although the latter is geared toward DNS records pointing to IP addresses or ranges that are no longer assigned to an organization).

Another good source of information on latent risks is Measuring and Mitigating the Risk of IP Reuse on Public Clouds.

The Offboarding Process 

A comprehensive offboarding plan not only requests that service providers remove all artifacts, they ensure those artifacts are, in fact, purged. The process should include:

  1. Removing all data, configurations, and accounts from the asset to be retired or relocated
  2. Confirming shortly after the contract is terminated that all of your organization's data, configurations, accounts, and certificates have been removed
  3. Removing any DNS records that reference the asset 
  4. Checking the RIR record has been purged of your organization's name, physical address, and email addresses after giving up an IP address block allocation
  5. Maintaining a living asset inventory containing information about all assets used by your organization, including those leased by service providers

Even if you follow the above guidance, your broader vendor ecosystem includes third-parties that are not service providers as well your vendors' vendors (aka your fourth-parties and beyond). The artifacts of your direct relationships and contracts may not be obvious to you, or even easily pinpointed. 

That's where Bitsight's internet-wide visibility and attribution back to your organization can help identify risks outside of your visibility. In addition, Bitsight's fourth-party vendor discovery can help you identify critical extended relationships and assess and monitor them with the same level of visibility as your third-parties.