Inactive Accounts: A Hacker's Easy Way In

If you’re a frequent reader of our blog, then you know our most repeated mantra: it’s not a matter of if a cyber attack will happen; it’s simply a matter of when. All of the large data breaches we continue to see in the headlines share one common denominator: compromised privileged accounts. And one of the easiest types of account to compromise is an inactive, stale one. Leaving these accounts unsecured is tantamount to locking your front door but leaving copies of the key under the mat, above the door and in the fake rock. It’s time to collect those keys and change the locks.

Hackers often look for the easiest way in and one such entryway is through user and service accounts that are no longer in use. Disabling these accounts is a basic security step that is too often overlooked. In fact, a recent Varonis analysis found that 26% of all accounts belonged to “stale enabled users.” These accounts hadn’t accessed data or logged on to the network for more than 90 days. For one organization, approximately 90% of all user accounts were stale. That’s a lot of unlocked doors.

It doesn’t take much effort for a hacker to find inactive accounts to target. A quick search on LinkedIn or Twitter can turn up information about which employees have recently left a company. What if one of those employees was a senior-level staff member with access to a wide range of sensitive information? Valuable assets like intellectual property, personally identifiable information (PII) and financial records could be illegally accessed in minutes.

Effective communication between your IT staff and all other departments is the first step to mitigating risks posed by stale accounts. Clear policies and procedures should be in place that outline how and when to notify IT of qualifying events (such as an employee leaving the organization or an account being decommissioned) so that appropriate permission adjustments and account closures can be implemented quickly. And regularly re-certifying user accounts to ensure only active users have access is critical.

Monitoring user behavior is also a crucial step in identifying whether an account is being used for malicious activity. Your IT staff needs a deep understanding of what normal behavior looks like for both user and service accounts in your organization, so that anomalies stand out. If your IT department knows that the HR manager historically logs out at 5 pm and suddenly there is a wave of data being copied at 1 am through his or her account, that should be a giant red flag to investigate immediately.
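The two checks described above (a stale-but-enabled account report with the 90-day cutoff from the Varonis figure, and an off-hours activity flag of the kind the HR-manager scenario calls for) as an added example, not code from the original post or from SLPowers. The directory export, log lines and business-hours window are constructed sample data; a real deployment would feed in a directory export and activity logs.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is "normal" for this sample

# Constructed sample directory export (not real data): account name, whether it
# is still enabled, and the last recorded logon as an ISO timestamp (None = never).
SAMPLE_ACCOUNTS = [
    {"name": "hr.manager", "enabled": True, "last_logon": "2024-05-30T17:02:00"},
    {"name": "svc-backup", "enabled": True, "last_logon": "2024-01-12T03:15:00"},
    {"name": "j.doe", "enabled": True, "last_logon": None},
    {"name": "m.smith", "enabled": False, "last_logon": "2023-11-01T09:00:00"},
    {"name": "a.lee", "enabled": True, "last_logon": "2024-05-28T08:45:00"},
]

# Constructed sample activity log lines: "<timestamp> <account> <action> <count>".
SAMPLE_EVENTS = [
    "2024-05-31T16:55:00 hr.manager LOGOFF 0",
    "2024-06-01T01:07:00 hr.manager FILE_COPY 1200",
    "2024-06-01T09:30:00 a.lee FILE_READ 3",
]

# Fixed reference time so the report is reproducible when run offline.
NOW = datetime(2024, 6, 1, 12, 0, 0)


def stale_enabled_accounts(accounts, now=NOW, stale_after=STALE_AFTER):
    """Names of accounts that are still enabled but have not logged on within
    stale_after; an account that never logged on counts as stale too."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: not an open door
        last = acct["last_logon"]
        if last is None or now - datetime.fromisoformat(last) > stale_after:
            stale.append(acct["name"])
    return stale


def stale_ratio(accounts, now=NOW, stale_after=STALE_AFTER):
    """Fraction of all accounts that are stale-but-enabled (the 'stale enabled users' metric)."""
    return len(stale_enabled_accounts(accounts, now, stale_after)) / len(accounts)


def off_hours_events(lines, hours=BUSINESS_HOURS):
    """(account, action, timestamp) for every log line outside the expected hours."""
    flagged = []
    for line in lines:
        ts, account, action, _count = line.split()
        if datetime.fromisoformat(ts).hour not in hours:
            flagged.append((account, action, ts))
    return flagged
```

Accounts the report returns are candidates for disabling after the owner's department confirms they are no longer needed, and flagged events are the ones to hand to an analyst first.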

Restricting user access and implementing proactive “least privilege” policies can help keep risk to a minimum. Limiting users’ access rights to the bare minimum permissions they need to perform their work reduces unnecessary exposure. Least-privileged users – those who do not need to manage or administer systems or network resources – are the type of account that most users should be operating as the majority of the time.

Developing detailed procedures that ensure all user accounts are active, governed and monitored is extremely important to mitigating threats, preventing data breaches and meeting compliance requirements. However, this is easier said than done when you consider that the average organization has three to four times more privileged accounts than employees. With today’s threat landscape rapidly growing in sophistication, many organizations have overworked IT departments that lack the resources to spend on understanding user patterns and deactivating accounts. This is where a Managed Security Services Provider (MSSP) can be a crucial component of efficient and effective network security.

As an MSSP, SLPowers' 24x7 Security Operations Center provides round-the-clock monitoring and correlates network activity from different parts of your environment to identify and respond to malicious activity in minutes. We can detect and protect against suspicious network activity in real time. A team of cyber security experts in our Security Operations Center analyzes those alerts to separate false positives from those that represent genuine malicious activity. This ensures that unusual and suspicious behaviors are positively identified and addressed immediately.

Don’t roll out the welcome mat for today’s hackers. Contact us and we’ll make sure all of the doors to your environment are deadbolted.