The security risks of ghost users: 1 in 4 accounts are inactive
The security risks of ghost users: 1 in 4 accounts are inactive

When aiming to establish a foothold in an organisation, hackers will typically look for the easiest and least obtrusive route in. One such path, which fulfills both of these requirements, is that of user and service accounts which are enabled but no longer active. Whether this is down to the user leaving the organisation or moving to a different role, these accounts are an open door for hackers to gain access to the company's network and systems. As these accounts are largely unmonitored, hackers can bypass detection to steal data or cause disruption.


There are straightforward ways to minimise the risk of these ‘ghost user' accounts. This requires centralised systems for finding and removing stale user accounts to close off any potential vulnerabilities which can easily be exploited. By taking control and deactivating these accounts, organisations can close off this security gap, before the “ghosts of users' past” can come back to haunt them.   


Changing Places

The scale of this risk in the NHS sector was recently highlighted in a report by NHS Digital, which found 17 percent of active staff accounts had been unused in the previous 12 months. This presents a worrying trend, however our own analysis across 80 organisations, paints an even more concerning picture. We found that on average, around a quarter, 26 percent, of all accounts were those of ‘stale enabled users'; accounts from which no one has accessed data or logged onto the network for more than three months. For one organisation, as many as 90 percent of all user accounts were stale.


This could be down to a number of factors; foremost, it's an indication that leavers' processes are not fully implemented so that accounts aren't decommissioned when an employee leaves an organisation, takes a sabbatical or goes on maternity leave. The risk is two-fold: an ex-employee has unauthorised access to the organisation's data, and the account – with all of its associated access permissions – can be hijacked by an external hacker.    


It's not only user accounts that represent a risk. Even those organisations that have a joined-up system in place to deactivate accounts when an employee leaves, may be exposed to risks associated with stale service accounts. These are accounts that are set up to run applications or servers and can be re-used across multiple platforms. They're particularly vulnerable; if a hacker gains access to a service account they can go largely unnoticed to conduct reconnaissance. As they're not ‘owned' by one individual, any nefarious activity can be harder to detect so if, for example, a hacker uses an account to log on to a file system and is locked out from the account from failed login attempts, it's unlikely to generate any security alerts.  If the security measures around the data they're targeting are not adequate, they'll have access to sensitive information, without any alarms being raised.   


Taking Control of Data   

It's perhaps too simplistic to lay the responsibility of these stale accounts solely at the door of IT teams. The result of a high proportion of active and un-used accounts is often a symptom of a disconnect in processes between IT and other departments in the organisation. Whilst IT can implement the changes, they're reliant on information from other departments, such as HR, to sustain an effective governance model around user and service accounts.


There are further process challenges to overcome. It's straightforward to run an Active Directory script to check which users haven't logged on for a certain period of time. The real issue is what happens next with that information. Already overstretched IT departments may simply not have the resources to prioritise any activity to deactivate accounts, which, for larger organisations, could run into thousands.


To minimise the risks associated with stale accounts, there are straightforward steps that all organisations can take. Organisations should implement procedures to ensure that accounts are active, governed and monitored and this starts with understanding what is normal and typical behaviour for both user and service accounts. In this way, they're better placed to spot anomalies such as why a service account is accessing data.


As the target for most hackers is the data itself, organisations should also enforce a ‘least privilege' model so that data access is governed by the model in which only those that ‘need to know' have access to sensitive information. It's also important to ensure that all data owners and business leaders periodically re-certify access to data to highlight if a person has left the organisation so that the account can then be de-commissioned.


The issue of stale user and service accounts is about more than just good IT housekeeping. If left unchecked and unmanaged, these dormant accounts represent a rich target for exploitation and a significant risk to an organisation's security. Establishing processes for monitoring the behaviour of accounts and access rights to data are the first, critical steps in preventing hackers from taking the easy route in to their network and systems.  

Contributed by Matt Lock, director of sales engineers, Varonis  

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.