Before The Next Breach
Ghost Users in the Machine
By Luke Truan
Once they have breached a corporate network, attackers or malware can easily move laterally through it thanks to unsecured folders and an abundance of Ghost Users – inactive, but still enabled, user accounts.
A recently released study, the 2018 Global Data Risk Report from Varonis, revealed how common it is for corporate networks to contain overexposed, unprotected files, folders, and user accounts. In the report, Varonis examined Data Risk Assessments performed by Varonis engineers throughout 2017 to measure and quantify exposed critical information and sensitive files, and to evaluate what companies are doing (or not doing) to secure their most critical data.
The overexposed files analyzed in the report contained sensitive information: 41% of the organizations had at least 1,000 sensitive files open to all employees, 58% of organizations had more than 100,000 folders open to all employees, and 21% of folders were accessible to every employee.
This openness enables attackers and malware to penetrate one user account and spread laterally throughout an entire organization.
Another takeaway from the study is the high number of stale user accounts: inactive, but still enabled. In the data risk report, they found that 34% of user accounts are stale, meaning the accounts are enabled, but they represent accounts of former employees or other stale “ghost” users who still have access to files and folders. Surprisingly, 65% of companies in the assessment reported having over 1,000 stale user accounts. During Headwaters Group’s own security and risk assessments, these “ghost user” accounts are discovered in every organization we assess.
Additionally, inactive but enabled Ghost Users are highly targeted and sought after by attackers for lateral movement. It is easy for these accounts to go unnoticed on a daily basis while they still provide access to computers, files, folders, email and other data. Discovering and eliminating these ghost users is an essential, and easily overlooked, step in improving your organization’s security posture.
In addition to Ghost Users, the Varonis study discovered that 49% of companies have over 10,000 folders with unresolved SIDs and 57% of companies have over 1,000 folders with inconsistent permissions. Over time, access requirements change as people are assigned to new projects, get promoted, change roles or departments, or leave the organization.
“Too many organizations are drowning in an ocean of unsecured and overexposed data, yet have little or no indication that they’re in danger,” said John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice.
Another area of concern is password policy. The Varonis study also found that 46% of organizations had more than 1,000 users with passwords that never expire. For organizations that have unpatched Internet-facing web servers, inadequate identity and access management, weak or non-existent password policies, and stale or misconfigured firewall policies, it is even easier for threat actors (attackers) to breach your organization.
A common practice in organizations is to set passwords to never expire. The Varonis assessment found that 65% of companies have over 500 users with passwords that never expire. Additionally, when conducting our own security assessments for companies across multiple industries, we discover most organizations have adopted this philosophy when it comes to password policy.
In addition to looking for user accounts with passwords set to never expire, email address risk should also be part of any assessment. During our assessments, one of the steps performed is an email exposure test that highlights which email accounts in your organization have been part of a reported breach. Keep in mind that the first part of an email address is typically your user name. With a password policy that includes passwords set to never expire and the number of breaches that occur every day, not changing your password increases your user account's and organization’s risk exponentially.
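As an added example (not part of the Varonis report or Headwaters Group’s own tooling), the following PowerShell audit lists the two findings discussed above in an Active Directory domain: enabled accounts with no recent logon (ghost users) and enabled accounts whose passwords never expire. The 90-day inactivity threshold and the CSV output paths are assumptions to adjust to your own policy.

```powershell
# Added audit example: find "ghost" users (enabled but inactive) and
# enabled accounts with non-expiring passwords. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$InactiveDays = 90                       # assumption: adjust to policy
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates but
# is only refreshed roughly every 14 days, so treat it as approximate.
# A $null LastLogonDate means the account has never logged on; only count
# it as stale if it was created before the cutoff.
$Ghosts = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, WhenCreated, PasswordLastSet |
    Where-Object {
        ($null -eq $_.LastLogonDate -and $_.WhenCreated -lt $Cutoff) -or
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff)
    }

# Enabled accounts flagged "password never expires".
$NeverExpire = Get-ADUser `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordLastSet

"Enabled but inactive for more than $InactiveDays days: $(@($Ghosts).Count)"
$Ghosts | Select-Object SamAccountName, LastLogonDate, WhenCreated |
    Sort-Object LastLogonDate | Format-Table -AutoSize

"Enabled accounts whose password never expires: $(@($NeverExpire).Count)"
$NeverExpire | Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# Export both lists so owners can review them before anything is changed.
$Ghosts | Select-Object SamAccountName, LastLogonDate, WhenCreated |
    Export-Csv -NoTypeInformation -Path .\ghost-users.csv
$NeverExpire | Select-Object SamAccountName, PasswordLastSet |
    Export-Csv -NoTypeInformation -Path .\password-never-expires.csv

# Remediation after review: disable confirmed ghost accounts rather than
# deleting them, so group memberships and ownership can still be inspected.
# Dry run first; remove -WhatIf once the list has been validated.
$Ghosts | Disable-ADAccount -WhatIf
```

Accounts with an unresolved SID on a folder ACL are a separate check (the identity no longer resolves in the directory), and the exported lists above give the account owners a starting point for cleaning those permissions up as well.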
For an in-depth look into the security posture and risk of your organization, schedule a call with a Headwaters Group security professional today.
1. Varonis Case Study
2. Varonis Global Data Risk Report