[BreachExchange] The security risks of ghost users: 1 in 4 accounts are inactive

[Audrey McNeil]

https://www.scmagazineuk.com/the-security-risks-of-ghost-
users-1-in-4-accounts-are-inactive/article/704700/

Some 26 percent of all accounts surveyed were of 'stale enabled users';
accounts - and 90 percent in one case.The risk is two-fold: ex-employee
with unauthorised access, and the account can be hijacked by an external
hacker.

When aiming to establish a foothold in an organisation, hackers will
typically look for the easiest and least obtrusive route in. One such path,
which fulfills both of these requirements, is that of user and service
accounts which are enabled but no longer active. Whether this is down to
the user leaving the organisation or moving to a different role, these
accounts are an open door for hackers to gain access to the company's
network and systems. As these accounts are largely unmonitored, hackers can
bypass detection to steal data or cause disruption.



There are straightforward ways to minimise the risk of these ‘ghost user'
accounts. This requires centralised systems for finding and removing stale
user accounts to close off any potential vulnerabilities which can easily
be exploited. By taking control and deactivating these accounts,
organisations can close off this security gap, before the “ghosts of users'
past” can come back to haunt them.



Changing Places

The scale of this risk in the NHS sector was recently highlighted in a
report by NHS Digital, which found 17 percent of active staff accounts had
been unused in the previous 12 months. This presents a worrying trend,
however our own analysis across 80 organisations, paints an even more
concerning picture. We found that on average, around a quarter, 26 percent,
of all accounts were those of ‘stale enabled users'; accounts from which no
one has accessed data or logged onto the network for more than three
months. For one organisation, as many as 90 percent of all user accounts
were stale.



This could be down to a number of factors; foremost, it's an indication
that leavers' processes are not fully implemented so that accounts aren't
decommissioned when an employee leaves an organisation, takes a sabbatical
or goes on maternity leave. The risk is two-fold: an ex-employee has
unauthorised access to the organisation's data, and the account – with all
of its associated access permissions – can be hijacked by an external
hacker.



It's not only user accounts that represent a risk. Even those organisations
that have a joined-up system in place to deactivate accounts when an
employee leaves, may be exposed to risks associated with stale service
accounts. These are accounts that are set up to run applications or servers
and can be re-used across multiple platforms. They're particularly
vulnerable; if a hacker gains access to a service account they can go
largely unnoticed to conduct reconnaissance. As they're not ‘owned' by one
individual, any nefarious activity can be harder to detect so if, for
example, a hacker uses an account to log on to a file system and is locked
out from the account from failed login attempts, it's unlikely to generate
any security alerts.  If the security measures around the data they're
targeting are not adequate, they'll have access to sensitive information,
without any alarms being raised.



Taking Control of Data

It's perhaps too simplistic to lay the responsibility of these stale
accounts solely at the door of IT teams. The result of a high proportion of
active and un-used accounts is often a symptom of a disconnect in processes
between IT and other departments in the organisation. Whilst IT can
implement the changes, they're reliant on information from other
departments, such as HR, to sustain an effective governance model around
user and service accounts.



There are further process challenges to overcome. It's straightforward to
run an Active Directory script to check which users haven't logged on for a
certain period of time. The real issue is what happens next with that
information. Already overstretched IT departments may simply not have the
resources to prioritise any activity to deactivate accounts, which, for
larger organisations, could run into thousands.



To minimise the risks associated with stale accounts, there are
straightforward steps that all organisations can take. Organisations should
implement procedures to ensure that accounts are active, governed and
monitored and this starts with understanding what is normal and typical
behaviour for both user and service accounts. In this way, they're better
placed to spot anomalies such as why a service account is accessing data.



As the target for most hackers is the data itself, organisations should
also enforce a ‘least privilege' model so that data access is governed by
the model in which only those that ‘need to know' have access to sensitive
information. It's also important to ensure that all data owners and
business leaders periodically re-certify access to data to highlight if a
person has left the organisation so that the account can then be
de-commissioned.



The issue of stale user and service accounts is about more than just good
IT housekeeping. If left unchecked and unmanaged, these dormant accounts
represent a rich target for exploitation and a significant risk to an
organisation's security. Establishing processes for monitoring the
behaviour of accounts and access rights to data are the first, critical
steps in preventing hackers from taking the easy route in to their network
and systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171121/a3b600d2/attachment.html>