Orphaned accounts—user accounts that remain active after an employee has left a company—are the dirty little secret of the security and admin side of the IT industry. Disagree? Okay, if an employee left your organization today, how fast would that user account be deactivated? Today? Next week? After next year's security audit?
Symark International surveyed over 850 executives involved with security, IT, or HR and found that only 39 percent of the organizations they represent immediately deactivate a user account when an employee quits or is let go. Orphaned accounts are the proverbial "back door," says Jeff Nielsen, senior product manager at Symark. Almost a quarter of the organizations represented in the survey took one to three days to deactivate a user account. "That's enough of a window for an attacker," Nielsen says.
"We asked a partner question—did they know if any orphaned accounts had been accessed?" adds Nielsen. "Thirty percent had no idea. It only takes one \[breach via an orphaned account\] to make a bad day."
"We speak to auditors at conferences—and we ask, 'What is the biggest oversight you see?' Orphaned accounts," says Symark's Ellen Libenson, vice president of product marketing. Still, she says, when the company looked at the results of its survey, "We were really kind of shocked." Libenson and Nielsen spoke about the survey just before Symark released the results May 19. Forty-two percent of businesses don't know how many orphaned accounts exist within their organization, and 30 percent of respondents said they have no procedure in place to locate orphaned accounts, they said.
"Most of them were our kind of customers—a heterogeneous environment, a little UNIX, a little Windows," Nielsen says. "UNIX is definitely more susceptible to orphaned accounts—some have gone to LDAP but others are deactivating accounts on a machine by machine basis. Windows is a bigger target, but UNIX is a more prized target."
"UNIX admins often have a false sense of security—their UNIX box has never been attacked, UNIX guys say. But that's not true based on what we've seen," says Libenson.
"What happens is, in the big shops I was in, HR would send an email to the UNIX guys and the Active Directory guys to deactivate an account. Then the UNIX guys would dutifully get on it but would be interrupted," Nielsen says, explaining how a routine maintenance issue becomes a security risk.
Obviously, the company is hoping to use the survey results to market its cross-platform identity and access management security products including PowerKeeper, an appliance that creates and secures privileged accounts, and PowerBroker, which lets sys admins delegate privileges without needing to reveal the root password of a UNIX system. They're also hoping to raise awareness. "People don't consider \[orphaned accounts\] risky enough, but we know how attackers can exploit these things," says Libenson, pointing to a recent security breach at TJ Maxx as indicative of the risk of insider attacks. "Insiders know what an organization has and hasn't done—they're looking for the things you haven't done."
To learn more about the survey and Symark's offerings, see the Web site at http://www.symark.com.