Sponsored By

One-Third of Internal User Accounts Are 'Ghost Users'

Attackers and malware can easily move laterally through an organization, thanks to inadequate access controls on file systems and a proliferation of inactive but enabled users.

Sara Peters

April 4, 2018

2 Min Read

Meager access controls on folders and file systems are leaving organizations wide open to the lateral movement of attackers and malware, according to a new report.

Security firm Varonis analyzed data risk assessments performed by its engineers on 130 companies and 5.5 petabyes of data through 2017. What concerns Varonis technical evangelist Brian Vecci most is that companies left 21% of all their folders open to everyone in the company.

"That's absurd," he says, noting that this openness enables attackers and malware to penetrate one user and spread laterally throughout a network. "In a world where businesses are being taken down by ransomware, how could you possibly let a fifth of your file system be taken down by any one user making a mistake?"

Sensitive folders and files are among the overexposed. Thirty percent of companies leave more than 1,000 sensitive folders accessible to all employees, and 41% have more than 1,000 sensitive files accessible to all employees, according to the report. 

Adding to the risk of attackers' lateral movement is the prevalence of user accounts that are "stale" - inactive, out of use - but still enabled. The Varonis assessments found that 34% of all users fall into this "ghost user" category; almost half (46%) of companies have over 1,000 ghost user accounts. 

Not only are users inactive, but the data is as well - more than half (54%) of companies' data is stale, according to the report. Not only could this be a needless storage expense, but it puts organizations at higher risk of breaches and regulatory compliance violations.

"You ask anyone if they have data retention and destruction policies, everyone raises their hands," says Vecci, "but if you ask 'do you apply these policies to your file systems,' the answer is almost always no." 

His advice is to scan for sensitive data, map all access controls, and turn on monitoring. "In other words, know what you've got," says Vecci. "If you just do these three things, companies would be so much further than they are right now. And it doesn't need to be a big project."

Related Content:

 

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights