Would you ever leave for a week-long vacation and not lock your front door? Or lock it but leave keys scattered around the yard? Believe it or not, this is the equivalent of what organizations are doing when it comes to securing inactive “stale” user accounts.
Hackers, much like robbers, often look for the easiest and quietest way in. One such path is through user and service accounts that are no longer in use. Closing these accounts is a basic security step that is often overlooked. Whether the account belongs to an employee who has left or changed positions, if organizations don’t take the necessary steps to close these entry points, they leave open a vector for attack.
In fact, a recent Varonis analysis found that 26% of all accounts belonged to “stale enabled users.” These accounts hadn’t accessed data or logged on to the network for more than 90 days. For one organization, approximately 90% of all user accounts were stale.
The Ghost in the (Corporate) Machine
While technology plays a key role in successfully monitoring accounts, the threats posed by stale users can often be mitigated just by improving communication between your IT team and other departments. IT can implement permission changes and account closure, but only if they receive information from other departments, such as human resources, who can flag when an employee leaves.
Most organizations focus on protecting current users, but ghost users are a huge and often overlooked threat. If the IT team isn’t notified, “ghost” users can lie dormant, yet still retain access to systems and data. From a hacker’s perspective, it’s relatively easy to find inactive accounts to target -- a quick search on LinkedIn or Twitter, for example, could reveal who’s recently left a company. Inactive accounts are a great way for hackers to quietly probe without alerting anyone.
Now imagine what could happen if hackers found their way into the account of a senior level staff member -- someone who has left the company or changed roles -- with access to a wide range of sensitive information across the organization. The hacker could use this account to gain access to valuable intellectual property, personally identifiable information and financial documentation, just to name a few.
That Doesn’t Seem Like Dave
Monitoring a user’s behavior is another important aspect of identifying whether an account is being used maliciously. As a member of the IT team, if you know that “Dave” doesn’t typically download any files after 6 pm, and you suddenly see waves of data extracted in the middle of the night -- this should be a red flag to look deeper into the account and reach out to other teams to investigate. While there are important preventive measures that can be taken, without a dedicated data owner or business leader regularly re-certifying user accounts to ensure only active users have access, understanding account behavior may be the only thing standing between an organization and a breach.
Get Ready to Bust Some Ghosts
When looking into this growing threat, we also have to understand that not all companies can afford to ask their already overworked IT department to expend more resources on activity across inactive accounts. While it might be straightforward to run an Active Directory script to check which users haven’t logged on for a certain period of time, the real issue on teams lacking bandwidth is what happens next with that information.
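The "what happens next" step is the part worth automating. The following is an added example, not code from the original article or from Varonis: it takes an exported list of accounts (the records below are constructed for this example; in practice they would come from a directory export such as the output of Get-ADUser with its Enabled and LastLogonDate properties), applies the article’s 90-day threshold, and turns the result into an action list grouped by the data owner who has to re-certify each account. Accounts that have never logged on are judged by creation date so a brand-new hire is not flagged on day one.

```python
from datetime import datetime, timedelta

# The article's threshold: no logon for more than 90 days counts as stale.
STALE_AFTER = timedelta(days=90)

# Constructed account export. Field names are an assumption for this example;
# the records are invented and do not describe any real organization.
ACCOUNTS = [
    {"name": "dave",       "enabled": True,  "last_logon": "2024-03-06", "created": "2019-05-01", "owner": "finance"},
    {"name": "jsmith",     "enabled": True,  "last_logon": "2023-10-12", "created": "2018-02-20", "owner": "engineering"},
    {"name": "svc_backup", "enabled": True,  "last_logon": None,         "created": "2022-07-15", "owner": "it-ops"},
    {"name": "mlee",       "enabled": False, "last_logon": "2023-01-09", "created": "2017-11-03", "owner": "finance"},
    {"name": "newhire",    "enabled": True,  "last_logon": None,         "created": "2024-02-28", "owner": "engineering"},
    {"name": "erin",       "enabled": True,  "last_logon": "2024-03-07", "created": "2021-09-14", "owner": "it-ops"},
]


def is_stale(account, today):
    """True when the account has not logged on within STALE_AFTER.

    An account that has never logged on is measured from its creation date,
    so a freshly created account is not reported as stale immediately.
    """
    last_seen = account["last_logon"] or account["created"]
    return today - datetime.fromisoformat(last_seen) > STALE_AFTER


def triage(accounts, today):
    """Report stale *enabled* accounts and group them by the owner who must re-certify them.

    Disabled accounts are excluded: they are already closed entry points.
    """
    stale_enabled = [a for a in accounts if a["enabled"] and is_stale(a, today)]
    recertify_by_owner = {}
    for account in stale_enabled:
        recertify_by_owner.setdefault(account["owner"], []).append(account["name"])
    return {
        "total": len(accounts),
        "stale_enabled": sorted(a["name"] for a in stale_enabled),
        "percent_stale_enabled": round(100 * len(stale_enabled) / len(accounts), 1),
        "recertify_by_owner": recertify_by_owner,
    }


if __name__ == "__main__":
    report = triage(ACCOUNTS, datetime(2024, 3, 8))
    print(f"{report['percent_stale_enabled']}% of {report['total']} accounts are stale and still enabled")
    for owner, names in report["recertify_by_owner"].items():
        print(f"  {owner}: re-certify or disable {', '.join(names)}")
```

The service account in the sample never logged on interactively yet is still enabled, which is exactly the kind of record a plain "last logon older than 90 days" filter can miss if it silently drops null values; treating a missing logon as "never" rather than "unknown" keeps such accounts on the list.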
Here are the steps for minimizing the risk of inactive accounts. First, implement procedures to ensure that all user accounts are active, governed and monitored. Start by understanding what is normal behavior for both user and service accounts so you are better able to spot anomalies. Next, take proactive measures to boost your organization’s anomaly detection capabilities.
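The “Dave” scenario above and the advice to learn what is normal before looking for anomalies describe the same detection idea. The block below is an added example, not code from the original article or from Varonis: it learns a per-user baseline (share of activity in business hours, median bytes per access) from a training window of constructed file-access records, then flags later events that break that user’s own baseline. The log format, the business-hours window and the thresholds are assumptions chosen for the example. Because the baseline is per user, a night-shift worker whose normal hours are 21:00 to 23:00 is not flagged just for working late, while a daytime user moving large volumes at 02:00 is.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed file-access records: user, ISO timestamp, bytes read.
# The three-column layout is an assumption for this example, not any product's log schema.
SAMPLE_LOG = """\
dave 2024-03-04T09:12:00 52000
dave 2024-03-04T14:40:00 310000
dave 2024-03-05T10:05:00 88000
dave 2024-03-05T16:30:00 120000
dave 2024-03-06T11:20:00 64000
dave 2024-03-06T15:55:00 210000
dave 2024-03-07T02:13:00 4800000000
dave 2024-03-07T02:41:00 6100000000
erin 2024-03-04T22:10:00 150000
erin 2024-03-05T23:05:00 170000
erin 2024-03-06T21:50:00 160000
erin 2024-03-07T22:30:00 155000
"""

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time (assumption)
DAYTIME_USER_SHARE = 0.8        # a user with >=80% of baseline activity in business hours is a "daytime" user
VOLUME_MULTIPLIER = 10          # an access larger than 10x the user's median is unusual


def parse_log(text):
    """Parse the constructed log into (user, datetime, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, timestamp, nbytes = line.split()
        events.append((user, datetime.fromisoformat(timestamp), int(nbytes)))
    return events


def build_baselines(events, cutoff):
    """Learn each user's normal hours and typical access size from events before the cutoff."""
    per_user = defaultdict(list)
    for user, when, nbytes in events:
        if when < cutoff:
            per_user[user].append((when, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        in_hours = sum(1 for when, _ in rows if when.hour in BUSINESS_HOURS)
        baselines[user] = {
            "daytime_user": in_hours / len(rows) >= DAYTIME_USER_SHARE,
            "median_bytes": median([nbytes for _, nbytes in rows]),
        }
    return baselines


def find_anomalies(events, baselines, cutoff):
    """Return (user, timestamp, reasons) for events on or after the cutoff that break the user's baseline."""
    findings = []
    for user, when, nbytes in events:
        if when < cutoff:
            continue
        base = baselines.get(user)
        reasons = []
        if base is None:
            # An account with no history is itself worth a look: it may be stale or newly (mis)used.
            reasons.append("no baseline")
        else:
            if base["daytime_user"] and when.hour not in BUSINESS_HOURS:
                reasons.append("off-hours for this user")
            if nbytes > VOLUME_MULTIPLIER * base["median_bytes"]:
                reasons.append(f"volume >{VOLUME_MULTIPLIER}x baseline median")
        if reasons:
            findings.append((user, when.isoformat(), reasons))
    return findings


def detect(text=SAMPLE_LOG, cutoff=datetime(2024, 3, 7)):
    """Baseline on everything before the cutoff date, then score the events from that date on."""
    events = parse_log(text)
    return find_anomalies(events, build_baselines(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, when, reasons in detect():
        print(f"ALERT {user} {when}: {', '.join(reasons)}")
```

Running it reports only Dave’s two early-morning accesses, each for both reasons (outside his hours and far above his median volume); Erin’s 22:30 access is within her own baseline and produces nothing. In practice the training window would be weeks rather than days, and the alert would be the trigger for the cross-team check the article describes, not an automatic lockout.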
Know that most hackers are targeting your data. Enforce a “least privilege” model so that only those who “need to know” have access to sensitive information. It’s also important to ensure that all data owners and business leaders periodically re-certify access to data, which highlights when a person has left the organization.
The issue of stale user and service accounts is about more than just good IT housekeeping. If the door to your company’s most sensitive data is left open, you’re an easier target for exploitation -- placing your company at significant risk. Developing a process for monitoring the behavior of accounts and restricting access to data are the first steps to locking up the easy entry points onto your network.