Click here to receive your FREE subscription to Campus Technology
Security Research
Orphaned Accounts Are a Growing Security Concern, Study Says
5/22/2008
Symark's Libenson said the company was compelled to look at the issue after talking to several IT auditors and seeing just how pervasive the orphaned account problem is.
One of the most sobering results of the study that demonstrated that orphaned accounts represent a major security and compliance challenge was the fact that 27 percent of the 850 IT, HR and C-level executives surveyed believe there are more than 20 orphaned accounts that exist in their organization but don't know how to find them.
Security experts agree that in a Windows environment, Active Directory is effective in finding orphaned accounts, more so than Linux and Unix programs.
Libenson said, "The problem is you have to know you have orphan accounts before you can use those tools."
More often than not, a spare "Admin" or "Jleffall" individual user account can sit on a database for weeks, months and perhaps years with nobody noticing. Such accounts are often overlooked as potential threat vectors.
What IT shops--and the C-level suites that ultimately govern them--can do is tighten policies and procedures that would trigger work orders whenever an employee leaves an organization. This way, automated reminders will show up and a person's access can be shut down posthaste.
Thoroughly updated and monitored super-user and administrative logs are also good to keep around, in electronic form and perhaps in a binder, so that there is proof of system activity and a trail to the source.
Additionally, periodic identity mapping projects designed to identify many different kinds of user resources can be pivotal--not only in passing an audit with flying colors, but in making sure your enterprise doesn't go the way of LendingTree. Such mapping projects would include matching valid and assigned accounts, orphaned accounts, dormant accounts, administrative resources and system resources with actual activity.
"It's true that outside of the audit world, this doesn't come up a lot," said Jeff Nielsen, senior product manager for Symark. "But when it does come up outside of the audit world, outside of the IT department and outside of, say, the common directory program in Active Directory, it's too late."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. You can contact Jabulani at editor@entmag.com.
Cite this Site
copy text (above) for proper citation
Recommended Reading
- Tufts Grants Rights for Mileage-Increasing Transportation Technology to Electric Truck
Tufts University has optioned rights to a technology that can recharge the batteries of any hybrid electric and electric-powered vehicle while it is driven. The Tufts-developed technology could increase by 20 percent to 70 percent the miles per gallon or total driving range performance of vehicles like the Honda Civic, Ford Escape, and Toyota Prius hybrids and the Tesla Motors and Phoenix Motorcars electric vehicles.
- U Florida and Cyntellect Collaborate to Unlock Mysteries of Cancer Stem Cells
The University of Florida has entered into a research agreement with life sciences company Cyntellect. The university's Interdisciplinary Center for Biotechnology Research will work with the company to focus on a variety of research areas including the purification and analysis of cancer stem cells (CSCs), rare cells believed to be directly involved in propagating cancers.
- George Mason U Receives Grant To Deploy Intergraph Apps for Intelligence Curriculum
George Mason University (GMU) in Fairfax, VA has been awarded a grant from Intergraph to enable students enrolled in GMU's Geospatial Intelligence Graduate Certificate program to use the company's geospatial production and exploitation software as part of their core curriculum.
- Institute for Cyber Security at U Texas, San Antonio Opens Incubator
The University of Texas at San Antonio (UTSA) Institute for Cyber Security (ICS) has launched a new Internet security incubator. The incubator was developed to commercialize promising technologies that address major cyber security and privacy issues. The first companies to enter the incubator are Denim Labs and SafeMashups.
- ISO/IEC Publishes Office Open XML Standard
ISO/IEC has published the Office Open XML (OOXML) file format standard, formally known as ISO/IEC 29500:2008. It describes file formats originally designed by Microsoft for its Office 2007 productivity suite, which are used in presentation, spreadsheet and word processing applications.
- Dynamics NAV 2009 ERP Coming Next Month
Microsoft exec Kirill Tatarinov Wednesday described some new features to expect in the forthcoming Microsoft Dynamics NAV 2009 enterprise resource planning solution. He gave the keynote address at Microsoft's Convergence 2008 event in Copenhagen, Denmark.
