My first blog post covered password cracking and how quickly an intruder can get in. Today we are going to discuss the accounts themselves. If you know Frank Abagnale from the popular books and movies, you know he was a real-life professional con artist who could easily have run a scam like the ones described below to gain access to a target company. The threat has not gone away since Abagnale's time. Here we share methods, which hopefully Abagnale himself would endorse, for keeping your organization safe.
First, do you know how many accounts are on your network? How many were added last week, or in the last month? Do you know on which days accounts are typically added or deleted? Are your administrators following your company policies, or do you merely have policies for them to follow? I'm guessing most of you are saying or thinking "I don't know" or "I hope so." You may even be telling yourself, with an uneasy feeling in your gut, "We haven't had any trouble up to this point, so we must be doing it right," when in reality you have already been compromised, or the attackers simply haven't reached your network yet. Below we discuss how having answers to these questions can materially improve your security posture.
1. How many accounts do you have?
If you don't know the answer, how can you tell whether there are extra accounts for an intruder to use? The ratio of employees to accounts is rarely one to one, so simply counting employees and counting accounts will usually get you nowhere. There are accounts used to run applications in the background, and test accounts for developers. A seemingly easy question is therefore much harder to answer than you would think. It is not uncommon for an intruder to get in and create their own fully privileged account, or to keep hiding with full privileges over some directories but not others. Do you have a process in place to catch such an account when it is created? We have resolved intrusions in less than a week (normally close to impossible, and correspondingly far less expensive) at companies with more than 40,000 users, simply because they monitored for newly created administrative accounts. An intruder can give an account they created a mailbox and add it to distribution lists to capture corporate intelligence. If no one is monitoring, there is little risk of being caught. At a minimum, you need to know how many accounts you should have, how many are regular accounts, and how many have administrative or other special privileges. Lastly, keep track of temporary accounts, especially if you are a development shop. They are the most frequently forgotten accounts, and they tend to have easily guessed passwords, because developers use them so often that they do not want something complicated to type hundreds of times a day. Ideally, those temporary accounts should not be reachable from outside the company at all.
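The monitoring described above can be a small correlation script rather than a product. The following Python example is added here and is not the author's tooling: it reads constructed Windows Security event records (event ID 4720 for "user account created" and 4728/4732/4756 for "member added to a security-enabled group"; the JSON-lines layout and field names are an assumed export format, not a Windows default) and alerts whenever a newly created account lands in a privileged group within 24 hours of its creation. It also lists every privileged-group addition, since those are rare enough that each one deserves a look.

```python
"""Correlate account-creation and group-membership events to catch a freshly
created account being handed administrative rights.
Sample events are constructed for this example; event IDs follow the Windows
Security log (4720 = account created, 4728/4732/4756 = member added to a
security-enabled global/local/universal group)."""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
CORRELATION_WINDOW = timedelta(hours=24)   # assumption: tune to your environment

# Constructed sample log, one JSON object per line (assumed export format).
SAMPLE_LOG = """\
{"time":"2024-03-04T09:12:00","event_id":4720,"subject":"alice.admin","target":"jdoe"}
{"time":"2024-03-04T09:13:10","event_id":4728,"subject":"alice.admin","member":"jdoe","group":"Sales"}
{"time":"2024-03-05T02:41:00","event_id":4720,"subject":"svc-backup","target":"helpdesk2"}
{"time":"2024-03-05T02:42:30","event_id":4732,"subject":"svc-backup","member":"helpdesk2","group":"Administrators"}
{"time":"2024-03-05T02:44:00","event_id":4728,"subject":"svc-backup","member":"helpdesk2","group":"Domain Admins"}
{"time":"2024-03-06T15:00:00","event_id":4728,"subject":"alice.admin","member":"bob","group":"Domain Admins"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with real datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def find_new_admin_accounts(events, window=CORRELATION_WINDOW):
    """Return one alert per privileged-group addition that happens within
    `window` of the member account being created."""
    created = {}    # account name -> (creation time, who created it)
    alerts = []
    for event in events:
        if event["event_id"] == 4720:
            created[event["target"]] = (event["time"], event["subject"])
        elif event["event_id"] in (4728, 4732, 4756) and event["group"] in PRIVILEGED_GROUPS:
            member = event["member"]
            if member in created and event["time"] - created[member][0] <= window:
                alerts.append({
                    "account": member,
                    "group": event["group"],
                    "created_by": created[member][1],
                    "added_by": event["subject"],
                    "time": event["time"].isoformat(),
                })
    return alerts


def all_privileged_additions(events):
    """Every addition to a privileged group, new account or not."""
    return [(e["member"], e["group"], e["subject"])
            for e in events
            if e["event_id"] in (4728, 4732, 4756) and e["group"] in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_new_admin_accounts(evs):
        print("ALERT: new account granted admin rights:", alert)
    for member, group, by in all_privileged_additions(evs):
        print("privileged group change: %s added to %s by %s" % (member, group, by))
```

In the sample data the account `helpdesk2` is created at 02:41 and placed in two privileged groups minutes later, which is exactly the pattern the text describes; the later addition of `bob` to Domain Admins does not trip the new-account rule but still shows up in the full list for review.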
2. How many accounts were added last week or in the last month?
Monitor the employee accounts being added and removed. Make sure each new employee has an account, and that each employee who has left had their accounts disabled first, then archived (mailbox and home directory preserved) before removal, so the evidence survives in case the departure turns out to have been a "bad break-up" between employee and company. You may not even learn it was a bad break-up until weeks or months after the fact.
3. Do you have a specific day accounts are added or deleted?
Do you know on which days accounts are typically added or deleted? Generate reports from the directory and review every new account. Was it added or deleted on an unusual day or at an unusual time? Does the account match an employee who just started or just left? For this you will, unfortunately, need help from other departments such as HR to confirm that each new account belongs to a real person, which adds to their workload too. Trust us: the extra work is worth keeping your company's name out of the international news over this type of breach. We have seen cases where accounts were created in the middle of the night while the business was closed. That is an immediate sign of an intruder, unless your administrators really were working off hours, and either way it is something you want to investigate.
4. Are your administrators following your company policies or guidelines?
Many companies have no policies or guidelines that call for regular, close audits of network accounts. A few simple checks that immediately raise a red flag can go a long way toward protecting the company. Examples include:
Regular audits of the following:
- Number of accounts
- Number of accounts with special privileges
- Group membership lists (only the users who belong should be in them)
- Comparison of accounts that should have similar rights, so that outliers stand out
- Any account that does not follow the naming or provisioning norm
- Any account created outside regular business hours
- Any account that has not been used for more than X days
- Application (service) accounts, and who owns each one
- Password change prompts that have gone unanswered (expired passwords that were never reset)
- Whether each account has all the appropriate fields filled in to describe the user (department, manager, and so on)
- Accounts locked out for too many wrong passwords where no matching user complaint reached IT
Audits of the global rules applied to all accounts:
- Automatic lockout or disabling of accounts unused for a set length of time
- Passwords still meeting company requirements
- Time-of-day restrictions so accounts can only be used during business hours
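Most of the checks in the list above can be scripted against an export of your directory and compared against HR data on a schedule. The following Python audit is an added example, not the author's tooling: the account inventory, HR roster, approved-admin list and helpdesk lockout tickets are constructed sample data (in practice you would export them from your directory, for example with Get-ADUser, and from HR), and the policy values are assumptions to replace with your own guidelines.

```python
"""Periodic account audit: compare a directory export against HR data and
policy, and report every account that breaks a rule.
All data below is constructed sample data for this example."""
from datetime import datetime, timedelta, time

# Policy values are assumptions; align them with your own guidelines.
POLICY = {
    "business_hours": (time(8, 0), time(18, 0)),          # local time, Mon-Fri
    "stale_days": 90,                                      # unused longer than this is a finding
    "max_password_age_days": 90,
    "privileged_groups": {"Domain Admins", "Administrators", "Backup Operators"},
    "required_fields": ("department", "manager"),          # ownership info every account needs
}
APPROVED_ADMINS = {"alice.admin", "svc-backup"}            # privileged accounts signed off by management
HR_ROSTER = {"alice.admin", "jdoe", "mlee", "svc-backup"}  # people and owned service accounts HR knows about
LOCKOUT_TICKETS = {"jdoe"}                                  # users who reported a lockout to the helpdesk


def parse_time(s):
    return datetime.fromisoformat(s)


# Constructed directory export (the fields you would pull from the directory).
ACCOUNTS = [
    {"name": "alice.admin", "created": parse_time("2023-01-10T10:00:00"),
     "last_logon": parse_time("2024-03-05T09:00:00"), "pwd_set": parse_time("2024-01-15T09:00:00"),
     "groups": {"Domain Admins"}, "locked": False, "department": "IT", "manager": "cio"},
    {"name": "jdoe", "created": parse_time("2024-03-04T09:12:00"),
     "last_logon": parse_time("2024-03-05T17:00:00"), "pwd_set": parse_time("2024-03-04T09:12:00"),
     "groups": {"Sales"}, "locked": True, "department": "Sales", "manager": "alice.admin"},
    {"name": "helpdesk2", "created": parse_time("2024-03-05T02:41:00"),
     "last_logon": None, "pwd_set": parse_time("2024-03-05T02:41:00"),
     "groups": {"Domain Admins"}, "locked": False, "department": "", "manager": ""},
    {"name": "mlee", "created": parse_time("2023-06-12T11:00:00"),
     "last_logon": parse_time("2023-10-01T08:00:00"), "pwd_set": parse_time("2023-09-01T08:00:00"),
     "groups": {"Finance"}, "locked": True, "department": "Finance", "manager": "cfo"},
    {"name": "svc-backup", "created": parse_time("2022-05-02T09:00:00"),
     "last_logon": parse_time("2024-03-06T03:00:00"), "pwd_set": parse_time("2024-02-01T09:00:00"),
     "groups": {"Backup Operators"}, "locked": False, "department": "IT", "manager": ""},
]


def audit(accounts, now, policy=POLICY):
    """Return a list of (account, reason) findings, one per rule an account breaks."""
    findings = []
    start, end = policy["business_hours"]
    stale = timedelta(days=policy["stale_days"])
    max_age = timedelta(days=policy["max_password_age_days"])
    for acct in accounts:
        name = acct["name"]
        reasons = []
        if name not in HR_ROSTER:
            reasons.append("not in HR roster")
        if acct["groups"] & policy["privileged_groups"] and name not in APPROVED_ADMINS:
            reasons.append("privileged but not an approved admin")
        created = acct["created"]
        if created.weekday() >= 5 or not (start <= created.time() <= end):
            reasons.append("created outside business hours")
        last_used = acct["last_logon"] or created      # never logged on: count from creation
        if now - last_used > stale:
            reasons.append("unused for more than %d days" % policy["stale_days"])
        if now - acct["pwd_set"] > max_age:
            reasons.append("password older than policy allows")
        if acct["locked"] and name not in LOCKOUT_TICKETS:
            reasons.append("locked out with no user-reported lockout")
        for field in policy["required_fields"]:
            if not acct.get(field):
                reasons.append("missing " + field)
        findings.extend((name, r) for r in reasons)
    return findings


def inventory(accounts, policy=POLICY):
    """Headcount of accounts split into privileged and regular: the baseline each audit is compared against."""
    privileged = sum(1 for a in accounts if a["groups"] & policy["privileged_groups"])
    return {"total": len(accounts), "privileged": privileged, "regular": len(accounts) - privileged}


if __name__ == "__main__":
    print(inventory(ACCOUNTS))
    for name, reason in audit(ACCOUNTS, now=parse_time("2024-03-06T09:00:00")):
        print("%-12s %s" % (name, reason))
```

Run against the sample data, `helpdesk2` (created at 02:41, absent from HR, in Domain Admins without approval, no owner recorded) collects five findings, `mlee` shows the stale-account, expired-password and unexplained-lockout pattern, and the service account `svc-backup` is flagged only for having no recorded owner. Keeping the output of each run lets you diff the inventory counts week over week, which is the "how many accounts should we have" baseline the post asks for.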
Don't forget that small audits catch big problems; that is why they are done. Take the time to make sure you know who is on your network.