Before the Next Breach
Luke Truan - Music Composer
Clone Wars (HELLO THERE), Consequences (Feat. Film), Killer Cases (A&E), Noboday Wins (Archetype Studios), Shark Week (Discovery), Bondi Rescue (SBS Australia), Swipe Club (Amazon), and more.
Ghost Users in the Machine
by Luke Truan
Once they have breached a company’s network, attackers or malware can move laterally through it with little effort, thanks to unsecured folders and an abundance of “ghost users”: inactive but still-enabled user accounts.
A 2018 study, the Global Data Risk Report from Varonis, revealed how common it is for corporate networks to contain overexposed, unprotected files, folders, and user accounts. In the report, Varonis examined Data Risk Assessments performed by its engineers throughout 2017 to measure and quantify exposed critical information and sensitive files, and to evaluate what companies are doing (or not doing) to secure their most critical data.
The overexposed files analyzed in the report contained sensitive information: 41% of the organizations had at least 1,000 sensitive files open to all employees, 58% of organizations had more than 100,000 folders open to all employees, and 21% of folders were accessible to every employee.
This openness means that an attacker or malware that compromises a single user account can spread laterally throughout an entire organization.
Another takeaway from the study is the high number of inactive but still-enabled user accounts. In the data risk report, Varonis found that 34% of user accounts are stale, meaning the accounts are enabled but belong to former employees or other stale “ghost users” who still have access to files and folders. Surprisingly, 65% of companies in the assessment reported having over 1,000 stale user accounts. During the security and risk assessments that I have conducted, these “ghost user” accounts have been discovered in every organization assessed.
Additionally, these inactive but enabled “ghost users” are highly sought after by attackers for lateral movement. It is easy for such accounts to go unnoticed from day to day while they continue to provide access to computers, files, folders, email and other data. Discovering and eliminating “ghost users” is an essential, and easily overlooked, step in improving your organization’s security posture.
In addition to “ghost users”, the Varonis study found that 49% of companies have over 10,000 folders with unresolved SIDs (permission entries that point at a security identifier no longer mapped to any account) and 57% of companies have over 1,000 folders with inconsistent permissions. Over time, access requirements change as people are assigned to new projects, get promoted, change roles or departments, and leave the organization.
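As an added example, not code from the original post or from Varonis, the following PowerShell script walks a share tree and reports the three conditions just described: folders whose ACL grants access to groups that effectively mean "every employee", access entries whose SID no longer resolves to an account (unresolved SIDs), and folders where inheritance has been disabled, which is where permissions usually drift from the parent (inconsistent permissions). The share root `\\fileserver\Shares`, the depth limit and the output file name are assumptions; it needs read access to the folders' ACLs and, for the `Domain Users` entry only, the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Walks a share tree and reports
# folders whose permissions match the problems described above.
param(
    [string]$Root   = '\\fileserver\Shares',   # assumed share root; change to suit
    [int]   $Depth  = 3,                       # how deep to walk below $Root
    [string]$Output = '.\folder-exposure.csv'  # assumed output file
)

# Principals that effectively mean "every employee". BUILTIN\Users is included
# because on a file server it normally contains Authenticated Users.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
try {
    $broadGroups += "$((Get-ADDomain).NetBIOSName)\Domain Users"
} catch {
    Write-Warning 'ActiveDirectory module not available; Domain Users will not be matched.'
}

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # Inheritance disabled: this folder's ACL was set by hand and no longer
    # follows its parent, the usual source of inconsistent permissions.
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $dir.FullName; Issue = 'InheritanceDisabled'; Identity = ''; Rights = '' }
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-\d+(-\d+)+$') {
            # Windows shows a raw SID only when it cannot map it to an account:
            # the account was deleted but its permission entry was left behind.
            [pscustomobject]@{ Path = $dir.FullName; Issue = 'UnresolvedSID'; Identity = $id; Rights = $ace.FileSystemRights }
        }
        elseif ($ace.AccessControlType -eq 'Allow' -and $broadGroups -contains $id) {
            [pscustomobject]@{ Path = $dir.FullName; Issue = 'OpenToAllEmployees'; Identity = $id; Rights = $ace.FileSystemRights }
        }
    }
}

$findings | Sort-Object Issue, Path | Export-Csv -NoTypeInformation -Path $Output
$findings | Group-Object Issue | Select-Object Name, Count   # summary to the console
```

The script only reads ACLs and writes a CSV; deciding which entries to remove is a review step, since a broad "Allow" on a public-notices folder may be intentional while the same entry on an HR share is not. Counting the `OpenToAllEmployees` and `UnresolvedSID` rows gives you the same two figures the Varonis report quotes, measured against your own environment.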
“Too many organizations are drowning in an ocean of unsecured and overexposed data, yet have little or no indication that they’re in danger,” said John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice.
Another area of concern is password policy. The Varonis study also found that 46% of organizations had more than 1,000 users with passwords that never expire. For organizations with unpatched Internet-facing web servers, inadequate identity and access management, weak or non-existent password policies, and stale or misconfigured firewall policies, it is even easier for threat actors (attackers) to breach the organization.
A common practice in organizations is to set passwords to never expire. The Varonis assessment found that 65% of companies have over 500 users with passwords that never expire. Additionally, when conducting our own security assessments for companies across multiple industries, we discover that most organizations have adopted this philosophy when it comes to password policy.
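The two account-level problems discussed above, enabled accounts that nobody has used for months ("ghost users") and accounts whose passwords never expire, can be found with a single query of Active Directory. The script below is an added example, not code from the original post or from Varonis; it assumes the ActiveDirectory RSAT module, a 90-day inactivity threshold and the output file name, and it only reports, leaving the disabling of accounts or the re-enabling of password expiry as a reviewed follow-up.

```powershell
# Added example, not from the original post. Lists enabled accounts that look
# stale and accounts whose password never expires, from one directory query.
Import-Module ActiveDirectory

$StaleDays = 90                                  # assumed threshold; tune per policy
$now       = Get-Date
$cutoff    = $now.AddDays(-$StaleDays)

# One query for every enabled user, pulling only the attributes both checks need.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet, whenCreated

$report = foreach ($u in $users) {
    # LastLogonDate is empty for accounts that never logged on at all; fall back
    # to the creation date so a long-unused provisioned account still counts.
    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    $isGhost  = $lastSeen -lt $cutoff

    if ($isGhost -or $u.PasswordNeverExpires) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            GhostUser            = $isGhost
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            DaysSinceSeen        = [int]($now - $lastSeen).TotalDays
        }
    }
}

$report | Sort-Object DaysSinceSeen -Descending |
    Export-Csv -NoTypeInformation -Path '.\account-hygiene.csv'   # assumed output file

'{0} enabled users, {1} ghost users, {2} with passwords that never expire' -f `
    @($users).Count,
    @($report | Where-Object GhostUser).Count,
    @($report | Where-Object PasswordNeverExpires).Count

# After review, disable confirmed ghost accounts. -WhatIf shows what would change
# without changing anything; remove it only once the list has been signed off.
# $report | Where-Object GhostUser | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Two caveats when reading the output: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag the real last logon by up to 14 days, so the threshold should stay well above that (the per-DC `lastLogon` attribute is exact but not replicated); and service accounts often carry `PasswordNeverExpires` deliberately, so the list is a review queue, not a bulk-change list.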
In addition to looking for user accounts whose passwords are set to never expire, email address risk should also be part of any assessment. During an assessment, one of the steps performed is an email exposure test that highlights which email accounts in your organization have been part of a reported breach. Keep in mind that the first part of an email address is typically your user name, although it has become more common to use a variation of the user’s name. With a password policy that allows passwords to never expire and the number of breaches that occur every day, a password that is never changed greatly increases the risk to the user account and to the organization.
In the 2019 Global Data Risk Report from Varonis, the results were very similar. For an in-depth look at the security posture and risk of your organization, contact a cybersecurity professional today!
Reference Section
1. 2018 Varonis Case Study (no URL given)
2. 2019 Varonis Case Study: https://info.varonis.com/hubfs/Varonis%202019%20Global%20Data%20Risk%20Report.pdf
3. Varonis Global Data Risk Report (2018): https://info.varonis.com/hubfs/2018%20Varonis%20Global%20Data%20Risk%20Report.pdf