Orphaned user accounts pose a cyber risk
An abandoned house is a fantastic opportunity for thieves, and this is precisely the situation that hackers encounter every day with user accounts. Whether business or private, an unused account poses a major cyber risk: it invites hackers to help themselves to what they want, because cracking the access is no longer a big deal. It is still very common for users to reuse the same password for different web applications, or for operators to dispense with the additional protection of accounts through one or more further factors, in short, two- or multi-factor authentication.
Unused accounts are an invitation to hackers.
In the NIST Cybersecurity Framework, cyber experts describe under AC-2(3): Disable Accounts, under 5.3: Disable Dormant Accounts and under 16.9 the criteria by which companies should disable or delete accounts to minimise the cyber risk they pose. The recommendation applies to user accounts:
- with expired or terminated contracts
- that are no longer associated with a user or individual
- that are in conflict with applicable organisational rules, in particular the associated authorisations, or
- that have been inactive or unused for a certain period of time.
Note that the operator should implement a routine in their system that regularly checks all existing accounts against these criteria. Across the various account types there should be rules that determine when a user account is to be classified as inactive.
The best practice rule for increasing cyber security here is to reduce the system’s attack surface by following the principles of least privilege and least functionality.
Accounts should be checked regularly for activity.
How accounts are used varies greatly from user to user, as do the purpose of each access and the authorisations it grants.
I may use a social media account several times a day, whereas my online banking access is only active when I want to do my banking. The same applies to business accounts, whether they are customer accounts or employee access. Employee accounts are also very sensitive because they open the door to proprietary and secret company data.
BSI basic protection: IT operations should deactivate or delete unused accounts.
According to BSI basic protection (IT-Grundschutz), the legislator has formulated it as a basic requirement that the creation and deletion of user accounts must be regulated by the company’s IT operations. The BSI refers to this as a ‘user ID’, which is clearly assigned to an account. Furthermore, the BSI Basic Protection prescribes that ‘unnecessary user IDs, such as guest accounts set up by default or standard administrator IDs, MUST be suitably deactivated or deleted.’ This information can be found in the IT-Grundschutz module ‘Organisation and Personnel’ ORP.4 Identity and Access Management, which is available as a PDF download.
And on ComputerWeekly, you can read more about the cyber risk of unused or former employee access: orphaned user account or orphaned account.
External user accounts pose a particular risk.
Orphaned accounts of external employees, partners or suppliers are a common gateway to company and personal data. In most cases, company administrators manage these accounts manually, which poses a twofold security risk. For one thing, manual administration is highly error-prone; automation combined with user self-service makes it fundamentally harder for hackers to obtain regular access to the system. For another, a central and usually overburdened administrator is hardly in a position to know whether an external user still works in the position they held at all. It is therefore hardly surprising that such unused accounts invite hackers to compromise them.
Compromised accounts are often the gateway to major cyber attacks.
How can this happen? Let’s take a closer look at a successful hacker attack:
In 2023, the Neue Zürcher Zeitung and the publishing house CH Media were the victims of a hacker attack with serious consequences. Newspaper printing was temporarily suspended, and a radio station belonging to the group no longer had access to its music data. Not to mention the typical blackmail scam that the hackers pulled, posting the data of trusted employees on the internet. As with so many other attacks, it started quietly and went unnoticed for a long time (20 days). The hackers used ransomware to encrypt important servers. The security systems in use blocked affected accounts, but not all of them. It turned out that the attackers first gained access to the NZZ network via an unused account belonging to an external software supplier. The account in question had only basic access, without the protection of a second authentication factor. The hackers had probably captured the account’s username and password via a phishing attack. Since the responsible security software did not sound an alarm either, the whole case is quite alarming. It shows how experienced cybercriminals have become at getting what they want, and how fragile such a security chain can be if there are just a few weak links.
Essential: Prompt deletion of unused supplier accounts
Since companies are often overwhelmed by the advance of digitalisation, it stands to reason that little attention is paid to the centralisation of services. And how could it be otherwise? More than 90% of all companies use an Active Directory to manage their employees. As long as this internal system was well separated from external influences and applications, there was no problem. However, the use of cloud technologies, the integration of external users and the demand for more automation can cause a manually administered system to falter and reveal major cyber vulnerabilities. The result is uncontrolled growth, as the IT-Grundschutz module describes it: a user usually has accounts for various IT systems that are located in different areas of responsibility, and these are managed by different administrators. From the perspective of Identity & Access Management, this is an absolute nightmare.
Digitalisation: internal and external systems merge
In many cases, the web is a direct source of revenue and thus has a major influence on a company’s business success. As a result, the demand for unrestricted use is in constant conflict with the requirements of security. The BSI writes about the security of web applications: ‘In addition to web applications that are only provided internally via the intranet, for example, there are often fee-based applications on the internet whose availability is of existential importance to the provider. Providers who offer these fee-based services must take comprehensive security measures to minimise the risk of a loss of revenue.’ This shift towards more web-based use of all applications requires different measures from those chosen so far.
Cyber rules for user accounts help keep hackers away.
To summarise, you can write the following security rules for your users’ accounts on your agenda:
- Logout
Make sure that your web applications are always equipped with a secure logout that is easy for your users to reach. This ensures that the account just used is inactive again and no longer presents a point of attack. A missing logout is comparable to an unlocked front door; when you leave the house, you surely lock your front door first, don’t you?
- User self-service
Offer your users extensive user self-service. The General Data Protection Regulation (GDPR) even stipulates that users have the right to remove their unused accounts to protect their data. You must ensure that personal data is not simply deleted, but that users are allowed to download it before deletion or that you transform it into a portable state before deletion.
- Permission management
Establish general rules as to which accounts or groups should only have minimal permissions. On the other hand, secure administrative accounts with an appropriate permission model, e.g. PAM, security classes, MFA, …
- Zero Trust
Technically separate access from the associated access authorisations for all accounts. This is in line with the Zero Trust principle and prevents cybercriminals from using a compromised account to spy on the system not only laterally but also vertically and then attack it.
- Inactive Accounts
Behind every application there is a corresponding business model, the purpose of using the application. Derive from that purpose a rule that determines when an account, i.e. access to the application, is classified as inactive. Then implement an automatic routine that regularly checks all accounts against that rule.
- User life cycle
Equip authorisations or account groups (employees, temporary workers, interns, customers, suppliers, etc.) with a timestamp, so that the system blocks authorisations or accounts after a certain period of inactivity. Escalate the block to a deletion if there is no response even after multiple notifications to the responsible parties (account user and/or responsible administrator).
- Decentralised administration
Appoint delegated administrators in the case of external, more distant or unknown users. Delegated administrators (project or team managers, account managers, etc.) are much closer to these users and can assess the situation regarding their account use more accurately. This greatly increases the security of your user accounts. You can learn more about delegated administration here.
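The review routine called for above (the disable/delete criteria listed at the start, the inactivity rule, and the notify, block, delete escalation of the user life cycle) sketched as an added example; it is not code from the original post or from any IAM product. The account groups, the per-group thresholds and the sample accounts are constructed assumptions; a real job would read accounts from the directory or IAM store and send the notifications instead of only recording them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example: one run of a periodic housekeeping job that classifies every
# account against the criteria (expired contract, no associated user, inactivity)
# and escalates notify -> disable -> delete per account group. All constructed.

@dataclass
class Account:
    user_id: str
    group: str                       # "employee", "supplier" or "customer"
    owner: Optional[str]             # None once no person is associated any more
    contract_end: Optional[date]     # None for open-ended access
    last_login: Optional[date]       # None if the account was never used
    notices_sent: int = 0
    state: str = "active"            # active | disabled | deleted

# Inactivity threshold in days and unanswered notices before deletion, per group.
POLICY = {
    "employee": {"inactive_days": 90, "notices_before_delete": 3},
    "supplier": {"inactive_days": 30, "notices_before_delete": 2},
    "customer": {"inactive_days": 365, "notices_before_delete": 3},
}

def review_reason(acct: Account, today: date) -> Optional[str]:
    """Why the account must not stay active, or None if it passes the check."""
    if acct.contract_end is not None and acct.contract_end < today:
        return "contract expired"
    if acct.owner is None:
        return "no associated user"
    limit = POLICY[acct.group]["inactive_days"]
    if acct.last_login is None or (today - acct.last_login).days > limit:
        return f"inactive for more than {limit} days"
    return None

def apply_lifecycle(acct: Account, today: date) -> str:
    """One housekeeping run for a single account; returns the action taken."""
    reason = review_reason(acct, today)
    if reason is None or acct.state == "deleted":
        return "none"
    if acct.state == "active":
        acct.state = "disabled"      # block first; deletion only after escalation
        acct.notices_sent = 1        # notify the user and the responsible admin
        return f"disabled ({reason})"
    if acct.notices_sent >= POLICY[acct.group]["notices_before_delete"]:
        acct.state = "deleted"       # escalate: nobody responded to the notices
        return "deleted (no response to notifications)"
    acct.notices_sent += 1           # still disabled: send the next notice
    return "notified again"
```

Run the job on a schedule (e.g. daily) so that each call advances an account by at most one escalation step, which gives the responsible parties time to object before anything is deleted.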
IAM systems solve the problem of unused accounts.
All the measures described above can be implemented technically with an IAM system. They are part of the user life cycle, which uses automated routines to store data and accounts centrally, securely and up-to-date. With the appropriate IAM workflows for housekeeping, you can keep everything under control. These and many other cyber security tools are part of our philosophy and the technologies we use, as they correspond to the best practices of cyber security for user accounts.
Want to know more? Feel free to contact us! We look forward to a non-binding conversation with you about the most exciting IAM topics of our time.
That was: Best Practices Cybersecurity – inactive accounts
Background: It is no secret that cybercrime is constantly on the rise. There are industries that are particularly affected, such as the healthcare sector or the public sector. But all companies, especially small and medium-sized ones, are often left high and dry when a group of hackers blocks their access and blackmails them with the publication of sensitive data.