Orphaned Accounts Are a Growing Security Concern, Study Says

IT auditors examine accounts just like their financial auditing counterparts. Instead of trial balances, they look at system user accounts to determine who signed on when and who did what.

But what about who is logging into which account, and when? More important, are these people even around anymore?

These are some of the questions that a new study by security software and consultancy firm Symark International attempts to address. The report, released Monday, revealed that 42 percent of the organizations surveyed have no idea how many orphaned accounts they have. Moreover, more than a quarter of respondents said they don't have a set procedure to locate or turn off orphaned accounts.

According to Symark and IT auditors, accounts that are no longer being used by former employees as well as temporary consultant sign-on accounts, among others, are a growing problem at enterprises large and small.

"We're talking about plumbing here so it's not a sexy thing," said Ellen Libenson, vice president of product management at Symark. "But it's something security, database and system administrators should look at and take very seriously. It's not sexy until something goes wrong."

One need only look at what happened at online mortgage and loan company LendingTree to see a perfect example of how accounts with no corresponding users can cripple an enterprise. According to a letter LendingTree released in April, a few of the company's former employees possibly helped a small number of their mortgage lender friends gain access to the personal information of LendingTree customers. They did this by sharing passwords and accessing different data and proprietary documents between October 2006 and early 2008. The company did not reveal how many individuals were complicit or the number of records affected.

The situation exemplifies something that is endemic in many IT shops: administrators don't have the time to shut off accounts, there is no proper communication between IT and HR about who is coming and going, and there are no formal change management procedures in place.

"This issue is pretty common in many places in varying degrees," said Robert Green, a senior manager at PricewaterhouseCoopers' IT audit practice in Los Angeles. "Another thing that is scary is nameless admin accounts that are set up for development and programming purposes that just tend to sit there. No name is assigned to them so it's a tougher audit trail to traverse and, most of the time, you don't know who logged in when."

In cases like these, an IT auditor doing a security review may check off these orphaned accounts as anything from a minor "exception" in testing to a "significant deficiency," which--in the Sarbanes-Oxley and compliance world--can lead to a material weakness that has to be disclosed to shareholders and the public.

Symark's Libenson said the company was compelled to look at the issue after talking to several IT auditors and seeing just how pervasive the orphaned account problem is.

One of the study's most sobering findings, and the clearest sign that orphaned accounts are a major security and compliance challenge, was that 27 percent of the 850 IT, HR and C-level executives surveyed believe their organization has more than 20 orphaned accounts but don't know how to find them.

Security experts agree that in a Windows environment, Active Directory's centralized directory makes stale accounts easier to find than in Linux and Unix environments, where accounts are typically local to each host and must be inventoried machine by machine.

Libenson said, "The problem is you have to know you have orphan accounts before you can use those tools."

More often than not, a spare "Admin" or "Jleffall" individual user account can sit on a database for weeks, months and perhaps years with nobody noticing. Such accounts are often overlooked as potential threat vectors.

What IT shops--and the C-level suites that ultimately govern them--can do is tighten policies and procedures that would trigger work orders whenever an employee leaves an organization. This way, automated reminders will show up and a person's access can be shut down posthaste.

Thoroughly updated and monitored super-user and administrative logs are also good to keep around, in electronic form and perhaps in a binder, so that there is proof of system activity and a trail to the source.

Additionally, periodic identity mapping projects designed to identify many different kinds of user resources can be pivotal--not only in passing an audit with flying colors, but in making sure your enterprise doesn't go the way of LendingTree. Such mapping projects would include matching valid and assigned accounts, orphaned accounts, dormant accounts, administrative resources and system resources with actual activity.
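The identity mapping exercise described above, and the point made earlier that you first have to know which accounts are orphaned before directory tools help, comes down to a reconciliation: join the account list against the HR roster and against last-logon activity, then classify each account. The following is an added example written for this page, not code from the article or from Symark; the account fields, the HR roster format, the sample data and the 90-day dormancy threshold are all assumptions constructed for illustration.

```python
"""Reconcile a directory account export against an HR roster and last-logon
activity, flagging orphaned, dormant and ownerless admin accounts.

Added example, not from the original article. Assumptions (not from the page):
  - each account record carries an owner field (HR employee id, or None for
    shared/service accounts), a last-logon date, an enabled flag and an
    admin flag
  - the HR roster maps employee id -> "active" / "terminated"
  - an account is dormant after DORMANT_DAYS without a logon (policy choice)
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 90                  # assumed policy threshold
TODAY = date(2008, 6, 16)          # constructed review date for the example


@dataclass
class Account:
    name: str
    owner: Optional[str]           # HR employee id; None = nobody is assigned
    last_logon: Optional[date]     # None = never logged on
    enabled: bool
    is_admin: bool = False


# Constructed sample data: an HR roster and a directory export.
ROSTER: Dict[str, str] = {"E100": "active", "E101": "terminated", "E102": "active"}

ACCOUNTS: List[Account] = [
    Account("jleffall",    "E100", date(2008, 5, 20),  True),                # healthy
    Account("bsmith",      "E101", date(2008, 1, 3),   True),                # owner terminated
    Account("contractor7", "C900", date(2007, 11, 30), True),                # owner unknown to HR
    Account("dev_admin",   None,   date(2007, 6, 1),   True, is_admin=True), # nameless admin
    Account("ckim",        "E102", None,               True),                # never logged on
    Account("oldsvc",      None,   date(2006, 2, 2),   False),               # already disabled
]


def classify(acct: Account, roster: Dict[str, str], today: date,
             dormant_days: int = DORMANT_DAYS) -> List[str]:
    """Return the list of findings for one account (empty = nothing to do)."""
    findings: List[str] = []
    if not acct.enabled:
        return findings            # already disabled; out of scope for this pass
    if acct.owner is None:
        # Nobody is accountable for this account; admins are the scarier case.
        findings.append("ownerless_admin" if acct.is_admin else "ownerless")
    elif roster.get(acct.owner) != "active":
        # Owner left, or HR has never heard of them (e.g. a consultant id).
        findings.append("orphaned")
    if acct.last_logon is None or (today - acct.last_logon).days > dormant_days:
        findings.append("dormant")
    return findings


def reconcile(accounts: List[Account], roster: Dict[str, str], today: date,
              dormant_days: int = DORMANT_DAYS) -> Dict[str, List[str]]:
    """Map account name -> findings, keeping only accounts that need attention."""
    result: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = classify(acct, roster, today, dormant_days)
        if findings:
            result[acct.name] = findings
    return result


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many accounts carry each finding, for the audit write-up."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    report = reconcile(ACCOUNTS, ROSTER, TODAY)
    for name, findings in report.items():
        print(f"{name:12s} {', '.join(findings)}")
    print(summarize(report))
```

In a real Active Directory run the last-logon field needs a caveat: `lastLogonTimestamp` is replicated between domain controllers only when the stored value is more than about 14 days old by default, so it is accurate to within roughly two weeks, while `lastLogon` is exact but held per domain controller and never replicated. Either is good enough for a 90-day dormancy test, but not for deciding whether someone logged on yesterday. The harder data problem is usually the owner column: if the directory never recorded who an account belongs to, the reconciliation cannot call it orphaned, which is exactly the "nameless admin" situation the PwC auditor describes.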

"It's true that outside of the audit world, this doesn't come up a lot," said Jeff Nielsen, senior product manager for Symark. "But when it does come up outside of the audit world, outside of the IT department and outside of, say, the common directory program in Active Directory, it's too late."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.
