Operations //

Identity & Access Management

4/4/2018
08:40 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

One-Third of Internal User Accounts Are 'Ghost Users'

Attackers and malware can easily move laterally through an organization, thanks to inadequate access controls on file systems and a proliferation of inactive but enabled users.

Meager access controls on folders and file systems are leaving organizations wide open to the lateral movement of attackers and malware, according to a new report.

Security firm Varonis analyzed data risk assessments performed by its engineers on 130 companies and 5.5 petabyes of data through 2017. What concerns Varonis technical evangelist Brian Vecci most is that companies left 21% of all their folders open to everyone in the company.

"That's absurd," he says, noting that this openness enables attackers and malware to penetrate one user and spread laterally throughout a network. "In a world where businesses are being taken down by ransomware, how could you possibly let a fifth of your file system be taken down by any one user making a mistake?"

Sensitive folders and files are among the overexposed. Thirty percent of companies leave more than 1,000 sensitive folders accessible to all employees, and 41% have more than 1,000 sensitive files accessible to all employees, according to the report. 

Adding to the risk of attackers' lateral movement is the prevalence of user accounts that are "stale" - inactive, out of use - but still enabled. The Varonis assessments found that 34% of all users fall into this "ghost user" category; almost half (46%) of companies have over 1,000 ghost user accounts. 

Not only are users inactive, but the data is as well - more than half (54%) of companies' data is stale, according to the report. Not only could this be a needless storage expense, but it puts organizations at higher risk of breaches and regulatory compliance violations.

"You ask anyone if they have data retention and destruction policies, everyone raises their hands," says Vecci, "but if you ask 'do you apply these policies to your file systems,' the answer is almost always no." 

His advice is to scan for sensitive data, map all access controls, and turn on monitoring. "In other words, know what you've got," says Vecci. "If you just do these three things, companies would be so much further than they are right now. And it doesn't need to be a big project."

Related Content:

 

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/6/2018 | 12:29:43 PM
The ghost in the machine
Thanks Sara - as we know from so many of the DR Webinar presenters: "It's hard to protect assets if you don't know what you have."  We could add: "or what we forgot we had", to that truism. 

From my perspective, much of it comes down to failures in enterprise modeling, and improper integration of business-rules.  Both should be application domain specific; however, the customizable template approach is a deeply rooted mindset.   

If you think in terms of instances, rather than types, you're more likely to set, regulate and update (via business rules), appropriate access and permissions for Peters, Sara (whatever her status and responsibilities at a given point in time), than for an account under the "Senior Editor" type (with assumed requirements thought to be generic to anyone holding that job title).  It's much harder to compromise and exploit the specific, rather than the generic, or to have an associated vulnerability or attack go unnoticed - a lot harder to hide "the ghost in the machine".
dmddd
50%
50%
dmddd,
User Rank: Apprentice
4/4/2018 | 9:48:27 PM
Providing references
Hi Sara, Thanks for your interesting article. Would you mind provide the references of the reports you cite (ideally accompanied with a URL)? Best regards, David
dmddd
50%
50%
dmddd,
User Rank: Apprentice
4/4/2018 | 9:48:26 PM
Providing references
Hi Sara, Thanks for your interesting article. Would you mind provide the references of the reports you cite (ideally accompanied with a URL)? Best regards, David
SecureBlock
50%
50%
SecureBlock,
User Rank: Apprentice
4/4/2018 | 4:02:48 PM
Couldn't agree more and no one "trick" will fix it
Ask anyone if they have policies regarding file archive and destruction and everyone raises their hands.  Just like if you asked if they have policies for user management, in particular account deprovisioning and most if not all would raise their hands as well. Just like the first example however it is about true execution against the policy and the ability to execute these functions with a high degree of trust and acccuracy.  User Governance and User Management alone will never be enough to completely negate the "ghost account" or orphaned account concern.  This is why having as much intellegence, machine learning, and behavioral analysis built into your access control systems is vital.  If the maintenance checks and balances fail, then you know in real time the operational intellegence protecting the systems will be able to detect and respond to the usage of those ghost accounts.  

Identity Security Automation is the Intersecting of access data, identity data, server data, and information ontained at the time of authentication thus allowing the organziaitons greater ability to detect and respond.  Thanks for putting a light on a problem that has been around for decades and showing how attackers are using this to their advantage.

 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14505
PUBLISHED: 2018-07-22
mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.
CVE-2018-14500
PUBLISHED: 2018-07-22
joyplus-cms 1.6.0 has XSS via the manager/collect/collect_vod_zhuiju.php keyword parameter.
CVE-2018-14501
PUBLISHED: 2018-07-22
manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "m_id=1 AND SLEEP(5)" substring.
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.