Hackers will typically look for the easiest and quietest route in to establish a foothold in an organisation. One such route is through hacking user and service accounts that are no longer in use. In this article, Matt Lock, director of sales engineers at Varonis, looks into the issue and offers advice on understanding account ‘behaviour’ in order to spot malicious activity.
The NHS has been on high alert for fresh cyber threats after last year’s WannaCry outbreak. But it doesn’t take a major global ransomware attack to threaten patient data.
One of the most-often-overlooked areas is the risk presented by ‘stale enabled users’ – old user accounts that are no longer being used, but still have complete access to the network.
Research from Varonis found that across 80 organisations in different industries, on average 26% of all accounts were stale. In one case, this number shot up to 90% of all accounts.
These old accounts, also termed ‘ghost users’, are a widespread problem in the NHS.
Last August, an assessment of 64 NHS organisations by NHS Digital found that 17% of all user accounts had not been used in the last 12 months.
Ghost users represent a serious security risk because they offer an easy way in for cyber criminals.
As these accounts have typically been forgotten about, their activity generally goes unnoticed. This makes them an ideal way for hackers to test the water of a network without generating alerts, before gaining a foothold and moving around an organisation without being detected.
It’s fairly easy for an external attacker to find the ghosts on the network, as a bit of digging through social media will quickly reveal who has recently left an organisation. From there the attacker can usually guess the format and structure of the organisation’s user accounts – something made easier by the tendency for poor password practices.
NHS Digital’s report found that even at system admin level, 10% were using weak passwords.
Stale accounts can also be exploited by the former users themselves.
Misusing access to confidential medical data is a frequent problem, even with current staff, to the extent that the Information Commissioner’s Office (ICO) felt it necessary to point out it was a criminal offence last year. Former employees may check if their old accounts are still active out of curiosity, and this leaves the door open for the theft of sensitive data.
Health records can be sold for a quick profit on the dark web, where they are one of the most-popular commodities among criminals.
This risk is exacerbated further by the fact that most user accounts have access to far more data than they need for their job role.
Our research found that 47% of organisations had at least 1,000 sensitive files open to every employee, with millions of folders open to global access groups.
Exorcising the ghosts
Ghost users are usually the result of a lack of communication across the organisation.
IT departments are generally reliant on departments such as HR to direct them towards accounts that should be closed, and without proper processes in place this is commonly overlooked.
Running an Active Directory script can quickly highlight which accounts have not been accessed within an established time period, but many departments that are already feeling over-stretched and low on resources may not get around to deactivating the accounts.
Tackling old accounts requires an automated approach, as removing them manually is a very time-consuming task – especially in larger healthcare organisations that are likely to have seen regular staff turnover across a number of years.
Organisations should ensure they have established proper procedures to have account access revoked as part of the employee departure process, and should also make the identification of stale user accounts part of an ongoing IT check-up to ensure the environment is manageable. Likewise, implementing a least privilege approach will limit any potential misuse by ensuring accounts can only access as much data as is strictly required.
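The Active Directory check mentioned above, and the recurring stale-account review recommended here, can be done with a short PowerShell routine such as this added example (my own code, not Varonis's or the NHS's). It assumes the RSAT ActiveDirectory module is installed and the caller can read and modify user objects; the function names and the 90/180-day thresholds are arbitrary choices for illustration.

```powershell
# Added example: list enabled AD accounts with no logon in the last N days,
# export them for review, and disable them only on explicit request.
# Assumes the RSAT ActiveDirectory module; function names are illustrative.
Import-Module ActiveDirectory

function Get-StaleEnabledUser {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # LastLogonDate comes from the replicated lastLogonTimestamp, which is only
    # accurate to roughly 14 days: fine for a 90-day review, not for forensics.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
        Where-Object {
            # Accounts that never logged on but predate the cutoff are stale too
            ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
            (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
        } |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated,
                      PasswordLastSet, Description,
                      @{ Name = 'DaysInactive'; Expression = {
                          $ref = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
                          [int]((Get-Date) - $ref).TotalDays } }
}

function Disable-StaleEnabledUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, "Disable stale account ($($User.DaysInactive) days inactive)")) {
            # Record why and when it was disabled so the next reviewer has context
            Set-ADUser -Identity $User.DistinguishedName `
                       -Description ("Disabled as stale on {0}. {1}" -f (Get-Date -Format 'yyyy-MM-dd'), $User.Description)
            Disable-ADAccount -Identity $User.DistinguishedName
        }
    }
}

# 1. Review: export the list for HR / line-manager sign-off
Get-StaleEnabledUser -InactiveDays 90 | Sort-Object DaysInactive -Descending |
    Export-Csv -Path .\stale-enabled-users.csv -NoTypeInformation

# 2. Dry run first; remove -WhatIf only once the exported list has been checked
Get-StaleEnabledUser -InactiveDays 180 | Disable-StaleEnabledUser -WhatIf
```

Service accounts that authenticate only via Kerberos still update lastLogonTimestamp, so they appear correctly here, but anything that has genuinely never logged on should be confirmed with its owner before it is disabled.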
Gaining firm control of how accounts are created, used, and deleted will enable the healthcare sector to avoid being haunted by ghost users, and will drastically reduce the threat against the sensitive and private data they hold.