More cloud applications and platforms mean more orphaned accounts. We talk about why that’s a problem – and what to do about it.
In August 2017, unknown attackers compromised front-end workstations on Singapore Health’s (SingHealth’s) IT network. The attackers then lay low for months before springing into action later the same year. Between mid-December 2017 and July 2018, they expanded their reach within SingHealth’s IT network in a carefully orchestrated attack. Between June 27 and July 4, 2018, the personal information of almost 1.5 million patients was stolen, including names, patient numbers, addresses and medications. The victims included Singapore’s Prime Minister, whose personal and outpatient medication data was specifically targeted by the hackers.
A subsequent report on the incident, prepared by a Committee of Inquiry (COI), identified a number of factors that contributed to the attack. SingHealth had a plethora of vulnerable software within its network. Its IT staff and incident response teams were slow to recognize the seriousness of the incident and to escalate it. One big contributor to the attackers’ success was the presence of orphaned accounts within SingHealth’s environment. In fact, the COI report concluded that an orphaned service account with administrative access to SingHealth’s Citrix remote access server played a critical role in the success of the attack.
Orphaned and unused accounts are a common problem for organizations of all sizes. They lurk inside applications or cloud platforms. Some are linked to actual users or administrators who are no longer with your organization, or who have moved on to other roles. More and more, we find accounts associated with APIs (application program interfaces) where the integration to a third-party application has lapsed or been discontinued, but the orphaned API-linked account is still active. Still others are created by default when an application is deployed – but never used.
That was the case at SingHealth. According to the COI report, the Citrix function to which the service account corresponded was active on SingHealth’s Citrix infrastructure but wasn’t being used. Even worse: the service account wasn’t governed by the group policy object (GPO) for password security, so it did not have to adhere to SingHealth’s strong password policy for administrative accounts.
While the exact means the attackers used to obtain the service account’s credentials isn’t known, they were observed stealing local administrator password hashes and cracking them with commodity password cracking tools. Once compromised, the service account gave the attackers the ability to log in interactively and remotely via RDP (Remote Desktop Protocol). The attackers used the account to log into SingHealth’s network multiple times in late June. It ultimately provided access to a Citrix server from which credentials for a critical account are believed to have been stolen, providing “last mile” access to SingHealth’s SCM server, from which the patient data was stolen.
As the SingHealth case shows, the challenge for organizations is to locate orphaned accounts before the attackers do. But organizations also need to identify which practices are creating orphaned accounts, or allowing unused and under-used accounts to persist within the environment.
First: determine whether user and service accounts are de-provisioned automatically when an employee departs or the service is no longer needed. This sounds straightforward, and most organizations do disable a departing employee’s user account in Active Directory or their Single Sign-On (SSO) solution. However, many fail to follow through and delete or disable the accounts the former employee held in specific IT systems and applications.
Whatever the impediments, organizations need to streamline user and service account de-provisioning to reduce the risk posed by orphaned accounts. Once that policy is in place, your organization needs to conduct frequent audits and reviews to verify that de-provisioning is taking place as intended.
Monitoring for orphaned accounts was difficult enough before the advent of cloud applications and platforms. Today’s new normal of ‘hybrid’ IT environments makes policing orphaned and unused accounts an even bigger challenge.
As IT operations expand to two, five, ten, or more cloud-based applications, the enterprise attack surface expands with them, and the job of managing user and service accounts becomes far more difficult. That’s true even with the help of cloud-based identity providers that synchronize on-premises and cloud identities. Simply put: the rapid expansion of user roles and entitlements that accompanies digital transformation is breaking security and compliance functions, which still rely mostly on manual audits of user entitlements and informal tracking via spreadsheets.
That’s where Zilla comes in. Our software automates all manual access security and compliance tasks, from permission data collection, correlation, and cleanup to access review, reporting and remediation.
With our software, identities retrieved from corporate directories like AD or Okta, or from HR systems like Workday, are mapped to application-specific permissions collected directly from the individual applications. Individual user or application identities are mapped to accounts, groups, roles, profiles, and granular entitlements. Zilla also resolves role and group memberships and their mappings to granular permissions, which lets IT teams see the effective access that users actually have.
In our experience, orphaned and unused accounts turn up frequently in these audits. Once flagged by Zilla, these accounts can be marked for attention and for access reviews that lead to their termination.
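The core of the audit described above is correlating the identities a directory or HR system considers active with the accounts each application actually holds. The Python below is an added example, not Zilla’s software, that performs that correlation and flags the two categories this post discusses; the identity and account record layouts and every value in them are constructed assumptions.

```python
"""Correlate application account exports with the active identities held in
the corporate directory / HR system and flag orphaned and unused accounts.
Added example, not Zilla's code; record layouts and all values are constructed."""
from datetime import date, timedelta

REVIEW_DATE = date(2018, 7, 20)  # constructed date on which the review runs
# Constructed: identities as an HR system or directory would export them.
IDENTITIES = [
    {"email": "a.lee@example.test", "status": "active"},
    {"email": "b.ng@example.test", "status": "active"},
    {"email": "c.tan@example.test", "status": "terminated"},  # has left
]

# Constructed: accounts collected from individual applications.
ACCOUNTS = [
    {"app": "citrix", "name": "a.lee", "owner": "a.lee@example.test",
     "enabled": True, "last_login": date(2018, 7, 1)},
    {"app": "citrix", "name": "svc_ctx_admin", "owner": None,
     "enabled": True, "last_login": None},  # default service account, never used
    {"app": "crm", "name": "c.tan", "owner": "c.tan@example.test",
     "enabled": True, "last_login": date(2018, 2, 3)},
    {"app": "crm", "name": "api_vendor_sync", "owner": "vendor@partner.test",
     "enabled": True, "last_login": date(2018, 7, 10)},  # no internal owner
    {"app": "wiki", "name": "b.ng", "owner": "b.ng@example.test",
     "enabled": True, "last_login": date(2018, 1, 15)},
    {"app": "hr", "name": "b.ng", "owner": "b.ng@example.test",
     "enabled": False, "last_login": date(2018, 6, 30)},
]

def classify_accounts(accounts, identities, today, unused_after_days=90):
    """Return {(app, name): set of findings} for enabled accounts: 'orphaned' if the
    owner is missing or not an active identity, 'unused' if no login in the window."""
    active = {i["email"].lower() for i in identities if i["status"] == "active"}
    cutoff = today - timedelta(days=unused_after_days)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; outside this review's scope
        flags = set()
        if (acct["owner"] or "").lower() not in active:
            flags.add("orphaned")  # departed user, lapsed integration, or no owner
        if acct["last_login"] is None or acct["last_login"] < cutoff:
            flags.add("unused")
        if flags:
            findings[(acct["app"], acct["name"])] = flags
    return findings

if __name__ == "__main__":
    for (app, name), flags in sorted(classify_accounts(ACCOUNTS, IDENTITIES, REVIEW_DATE).items()):
        print(f"{app}/{name}: {', '.join(sorted(flags))}")
```

Note that the never-used default service account is caught on both counts, which is the SingHealth pattern: an account nobody owns and nobody logs into, yet still enabled.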
Orphaned accounts aren’t a new problem so much as an old problem exacerbated by new technologies and practices. To address the greater risk that comes with greater reliance on cloud-based platforms and applications, you need new tools and capabilities. If you are interested in learning more about how Zilla helps companies achieve access security and compliance in a cloud-first world, feel free to contact us!