5/22/2008
IT auditors examine accounts just like their financial auditing counterparts. Instead of trial balances, they look at system user accounts to determine who signed on when and who did what.
But what about who's logging into what account and when? More important, are these people even around anymore?
These are some of the questions that a new study by security software and consultancy firm Symark International attempts to address. The report, released Monday, revealed that 42 percent of the organizations surveyed have no idea how many orphaned accounts they have. Moreover, more than a quarter of respondents said they don't have a set procedure to locate or turn off orphaned accounts.
According to Symark and IT auditors, accounts that belonged to former employees and are no longer in use, as well as temporary consultant sign-on accounts, among others, are a growing problem at enterprises large and small.
"We're talking about plumbing here so it's not a sexy thing," said Ellen Libenson, vice president of product management at Symark. "But it's something security, database and system administrators should look at and take very seriously. It's not sexy until something goes wrong."
One need only look at what happened at online mortgage and loan company LendingTree to see a perfect example of how accounts with no corresponding users can cripple an enterprise. According to a letter LendingTree released in April, a few of the company's former employees possibly helped a small number of their mortgage lender friends gain access to the personal information of LendingTree customers. They did this by sharing passwords and accessing different data and proprietary documents between October 2006 and early 2008. The company did not reveal how many individuals were complicit or the number of records affected.
The situation exemplifies a problem that is endemic in many IT shops, where administrators don't have the time to shut off accounts, or where there is neither proper communication between IT and HR about who's coming and going nor formal change management procedures in place.
"This issue is pretty common in many places in varying degrees," said Robert Green, a senior manager at PricewaterhouseCoopers' IT audit practice in Los Angeles. "Another thing that is scary is nameless admin accounts that are set up for development and programming purposes that just tend to sit there. No name is assigned to them so it's a tougher audit trail to traverse and, most of the time, you don't know who logged in when."
In cases like these, an IT auditor doing a security review may check off these orphaned accounts as anything from a minor "exception" in testing to a "significant deficiency," which--in the Sarbanes-Oxley and compliance world--can lead to a material weakness that has to be disclosed to shareholders and the public.