‘Ghost Users’ and Non-Expiring Passwords a Major Security Issue for Most Businesses

User and service accounts that are inactive and enabled (“ghost users”) are prime targets for penetration and lateral movement, researchers say. But adversaries also have a different breed of user accounts in their crosshairs: accounts with non-expiring passwords.

Ghost user accounts – that IT forgot to delete or disable – lie dormant but may still provide access to systems and data. Stale, but still enabled, user accounts are a great way for hackers to gain a foothold in an infrastructure, according to new research from Varonis. Worse still, stale user accounts that are no longer active also create noise for threat detection mechanisms. As many as 65% of companies have over 1,000 stale user accounts.

“Hunting and eliminating ghost users is a security step organizations often overlook. If these accounts are left unmonitored, attackers can steal data or cause disruption without being detected - placing your organization at risk,” according to the data risk report.

Access overload is another major problem at businesses big and small. According to the research, attackers look for unsecured files and folders the second they land on the target network. Despite new regulations set to punish companies that fall victim to cyber attacks, as many as 88% of companies with over 1 million folders have over 100,000 folders open to everyone in the organization, the survey showed. In other words, a single brute-forced account can give attackers access to this data. For many businesses, this data often includes critical information about employees, customers, projects, clients, or other business-sensitive content.

“IT professionals estimate it takes about 8-6 hours per folder to locate and manually remove global access groups: they must identify users that need access, create and apply new groups, and populate them with the right users. To achieve least privilege, it’s critical to restrict access to only those who need it: manage users, eliminate broken inheritance and permissions inconsistencies, and lock down sensitive data,” researchers advise.

Another highlight from the report - accounts with non-expiring passwords set the stage for brute-force attacks and give bad actors access to vast amounts of sensitive data, especially if those accounts are of the admin variety. Passwords that aren’t rotated also have a higher likelihood of showing up in breached password dumps, researchers say. Worryingly, 65% of companies have over 500 users with passwords that never expire, and 46% of companies have over 1,000 users with passwords that never expire. Of those users that do have password expiry enabled, 14% have expired passwords. Researchers advise IT departments to set expiration dates for all user account passwords, enforce password length and complexity requirements, deploy of multi-factor authentication, and monitor login activity.

Recent research from Ponemon Institute reveals that insider threats a major problem for business, with this threat increasing in magnitude and costs in recent times. Insider threats are defined as both malicious and negligent employees, but also partners and third parties. The majority of respondents (64 percent) in Ponemon’s study cited the negligent insider as the root of most incidents, followed by criminal and malicious insiders (23 percent) and employee and contractor negligence (13 percent).