An orphaned account is an invitation to disaster. When the need for the account passes (i.e, when an employee leaves or is reassigned), that access to systems and data is no longer needed. This is when the account becomes orphaned. It is important to remove this access because it provides an entry point that no longer has a business purpose. Any access through this account is, by definition, a breakdown in the businesses’ protection of its valued data. The orphaned account also provides a more likely attack surface than a current user account, especially when the account becomes orphaned due to an involuntary departure of an employee. A terminated employee may harbor anger or animosity toward the company and their conduct is no longer constrained by fear of losing their job. We like to break orphaned accounts down into three categories: orphaned user accounts, orphaned privileged accounts and orphaned access.
Orphaned user accounts are what you would expect—the official user account that a person was given upon joining the company. These accounts are usually the easiest to manage as they are a known quantity. For example, when “John Smith” leaves a company, most IT organizations should have a straightforward process to remove his user account and any associated items (for example, all email accounts). However, a recent survey we sponsored revealed that many companies actually do not have an effective process to deal with orphaned user accounts. In fact, 61 percent of respondents said it took more than a couple of days to remove orphaned user accounts, and 12 percent said it took longer than one month. These figures are troubling when you consider that a recent Gartner report suggested “most attackers will do all they plan to do with a known password within only a few days,” so the disabling of orphaned user accounts needs to happen within a few hours after the employees departure to avoid exploitation.
Orphaned privileged accounts and orphaned access are trickier problems to solve. These issues generally revolve around people that are granted systems maintenance responsibilities at some point during their tenure with a company. Orphaned privileged accounts are highly-privileged accounts like a root shadow account that an administrator may create on a system simply to make various tasks a little easier. The main problem with these accounts is that they are created outside of the normal process, so if that person leaves or moves to a different role where that access is no longer required, there is no record of this account being created and it most likely will not be removed. Often, these accounts are given names that make them harder to detect. This also makes them harder to identify when the appropriate time comes to remove them.
Orphaned access is the relative of orphaned privileged accounts. This refers to access to common privileged accounts such as root, Oracle sys and Cisco enable in organizations that still share the passwords for these accounts. Unless a company is diligent in rotating all the passwords to privileged accounts every time an IT staffer leaves or when their role in the organization changes, a company is very susceptible to misuse of this privileged access. In our survey that I cited earlier, 62 of respondents stated they were still sharing privileged among their IT staff. This is a disaster waiting to happen.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.