
Widespread Account-Sharing Threatens Corporate Security, Revenues

Many users break security defenses by simply handing over their credentials to colleagues, friends, experts say

You've just set up an end user with a new system account. Quick quiz: How will you know if the user is sharing that account with other users?

Account sharing -- the act of giving one's account information to others to save time or money or to bypass security processes -- is pervasive behavior in most organizations and online services, experts say. The problem: Most organizations don't know when it occurs or how widespread the practice is.

In a data leakage study released Wednesday by Cisco Systems, researchers reported that 44 percent of end users have allowed others to use their company-issued computers without supervision. Most of the respondents said they gave access to co-workers, but a significant portion also gave access to friends or family, and 5 percent admitted to giving out their passwords to individuals outside the company.

Recently, AdmitOne, a company that offers biometric authentication by "learning" the specific keystroke patterns of each individual user, has begun using its technology to monitor the actual behavior of account users. Using keystroke analysis, AdmitOne can go beyond simple analysis of IP addresses and tell how many users are accessing a specific account and where they're coming from.

"What we've found from doing assessments at a number of companies is that account sharing is a lot more widespread than most [IT] administrators think," says Matt Shanahan, senior vice president at AdmitOne. "Some IT people are overconfident; they think that there isn't much account sharing going on, or that the risk of the behavior is not that great. Others don't really want to know how much of it is going on because they don't want to have to remediate the problem. But it's happening, whether they want to deal with it or not."

AdmitOne recently did a keystroke analysis assessment at a major automotive exchange that allows buyers, suppliers, and other members of the supply chain to share information by subscribing to a common network. "What we found was that about 33 percent of the accounts on the network were being shared, and that there were 57 percent more users on the network than there were subscribed accounts," Shanahan says. In another assessment, AdmitOne analyzed the use of the multiple listing services (MLS) that realtors use to collect and store data on the sale and purchase of homes and property. In that case, the company found about 12 percent of the licensed MLS accounts were being shared, and there were approximately 15 percent more users in the system than there were licensed accounts.

"We found out, in the course of the assessment, that some realtors were actually selling their [MLS] credentials to other people," Shanahan recalls. "It turns out that the information on who buys or sells a house is pretty valuable to other companies, such as moving companies, who are willing to buy their way [into the system]."

The problem with account sharing, Shanahan explains, is that there's really no good way to track it. "You can use IP addresses, which can help you identify problems, but there are a lot of users who use proxies or who move around a lot, so it doesn't really tell you everything you need to know. A lot of organizations don't see it as a problem, partly because they don't really know when it's happening."

For most companies, account sharing is perceived as a back-end security problem. But for companies that rely on online subscriptions as a primary revenue stream, account sharing can mean lost income. "If you're running The Wall Street Journal or World of Warcraft, and you've got multiple people sharing a single subscription, you're losing customers," Shanahan observes. In one assessment, AdmitOne estimated the losses associated with account sharing at more than $8 million, he says.

What can IT people do to mitigate the occurrence of account sharing? The first thing you need is a policy, Shanahan says. "There are situations where account sharing makes sense," he notes. "The key is that you want to define who should have access to the account, whether it's one person or several."

The next step, Shanahan adds, is to add an enforcement mechanism. "Multifactor authentication is a good first step," he says. "Make sure you have a method for ensuring that only the people who are authorized to use the account can use it." Analysis of IP addresses and user locations can help establish logon patterns and identify anomalies, he observes.
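As an added illustration of the IP-based logon analysis mentioned above (not code from the article or from AdmitOne), the sketch below flags accounts that have sessions open from several source IPs at the same time. The log format, account names, and addresses are constructed for the example; a user who simply changes networks between sessions is not flagged, and a hit is a signal to investigate rather than proof of sharing.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: account, source IP, login time, logout time.
SAMPLE_LOG = """\
alice 198.51.100.10 2024-03-04T09:00 2024-03-04T12:00
alice 198.51.100.10 2024-03-04T13:00 2024-03-04T17:00
bob 203.0.113.7 2024-03-04T08:30 2024-03-04T11:30
bob 192.0.2.44 2024-03-04T09:15 2024-03-04T10:45
bob 198.51.100.99 2024-03-04T10:00 2024-03-04T10:30
carol 192.0.2.5 2024-03-04T09:00 2024-03-04T10:00
carol 203.0.113.80 2024-03-04T10:05 2024-03-04T11:00
"""

def parse_sessions(text):
    """Group (start, end, ip) tuples by account name."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        account, ip, start, end = line.split()
        sessions[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), ip))
    return sessions

def peak_concurrent_ips(account_sessions):
    """Sweep login/logout events; return the most distinct IPs active at once."""
    events = []
    for start, end, ip in account_sessions:
        if end <= start:          # ignore malformed or zero-length sessions
            continue
        events.append((start, 1, ip))   # 1 = login
        events.append((end, 0, ip))     # 0 = logout, sorts first on a tie
    events.sort()
    active, peak = defaultdict(int), 0
    for _, is_login, ip in events:
        if is_login:
            active[ip] += 1
        else:
            active[ip] -= 1
            if active[ip] == 0:
                del active[ip]
        peak = max(peak, len(active))
    return peak

def flag_shared(text, threshold=2):
    """Return {account: peak} for accounts at or above the threshold."""
    peaks = {a: peak_concurrent_ips(s) for a, s in parse_sessions(text).items()}
    return {a: p for a, p in peaks.items() if p >= threshold}

if __name__ == "__main__":
    print(flag_shared(SAMPLE_LOG))
```

The threshold of two simultaneous IPs is an assumption; where the policy allows several named people on one account, raise it to match.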

Over time, more companies may look to forms of user identification -- such as keystroke authentication -- to establish who's using their accounts, says Shanahan, who clearly has a dog in that fight. "Companies are going to need a way to establish who's using their systems, and who's accessing the data," he says. "In the past, companies have used keystroke authentication primarily for controlling access, but we think it has a lot of potential as a means of monitoring the way accounts are being used."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
