<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

🧟 Rise of the Zombie Accounts: 8 Tips to Protect Your Assets

Zombie accounts: forgotten accounts that open the door to bad actors looking to insert malware, steal data, and damage your internal systems. 

Even though you may already use Privileged Access Management (PAM) to safeguard your most sensitive accounts, the credential management techniques below will expand on PAM to help you detect zombie credentials--and prevent them from wreaking havoc in your organization.

Credential Management and Zombie Accounts

Not all credentials are zombies. As you know, credentials are simply the evidence used to authenticate a user’s right to access a system—a “who’s calling and a way to prove it.” They commonly take the form of a username and password but may also include tokens, certificates, and API keys, particularly for computer-to-computer interaction.

Problems arise, however, when accounts stagnate or go unused, and the associated credentials remain active. When these accounts exist within an organization, the risk is especially great as they create an appealing entry point for hackers. Disgruntled former employees may also use them to damage internal systems, steal data, and generally cause harm. Leaving such accounts open, particularly when they are protected with reused, shared, or compromised passwords, increases your threat surface and leaves your network vulnerable to breaches.

Credential security consists of the strategies, policies, and technologies an organization uses to safeguard user access against both user error and ever-evolving cyber threats. It includes a set of best practices surrounding password and secret hygiene, with the effective use of tools and employee education, as well as active tactics for monitoring and defending the credentials associated with both human and machine accounts.

The Zombie Invasion | Types of Abandoned Accounts

Accounts go unmanaged for many reasons. Technical staff may over-provision users to ease workflow. Admins may grant temporary user access to interns or contractors, or for time-limited projects, and then forget to roll it back.

Though they may seem harmless, these old accounts are a serious threat vector. When taken over by rogue actors, these zombies, also called ghost- or orphaned accounts, have the power to add or delete users, access critical data, and create chaos on your network.

Here are some common zombie accounts you may encounter:

Ghosts of Employees Past

Zombie accounts often result when human users who are authenticated through username/password or SSO leave your company or change roles. This is a particular challenge for organizations with frequent turnover, including those with seasonal employees and interns. Old credentials, when left unmanaged, are a prime target for attackers.

Old Privileged Accounts

When these former employees are technical staff or privileged business users, the threat is even greater. Additionally, highly privileged zombie accounts may result from privilege creep, when employees gradually accumulate rights beyond what is required. Such users may connect to an unmanaged account and perform unauthorized tasks. Privileged zombie accounts, especially among bad actors with insider know-how, can cause severe damage.

Machine Zombies

According to Gartner Top Security and Risk Trends for 2021, “establishing an enterprise-wide strategy for managing machine identities, certificates and secrets” is a notable challenge in modern computing. Machine zombies result when bad actors take control of the application and service accounts that exist by default in many systems. These accounts allow machines to access databases, run scripts, and make changes to other applications and can do real harm when misused.

Orphaned Zombies

While the term “orphaned account” can describe any type of inactive account, it often applies to two special cases. As with all inactive accounts, these can become a threat when overtaken by malicious users. These include orphaned network accounts, for example, Active Directory accounts tied to former or inactive employees. Additionally, orphaned database users and orphaned SQL accounts may arise when a database is restored from backup on one server onto another. Orphaned users then remain available in the database, but their mapped logins do not exist on the server.

However you label these accounts, malicious users may seize them and hide in your network for corrupt purposes. Poor credential management opens the door to criminals hoping to take over your system. So, what can you do?

Danse Macabre | Finding Zombies, Ghosts, and Orphaned Users

In an ideal world, the bad guys would all stay out of your network. Sadly, denial is not an effective strategy against cyberthreats. Even organizations with thoughtful security procedures require monitoring to guard against human error.

Consider this scenario: Julia in HR has re-used the password from her Piggly Wiggly rewards membership to connect to a user database. The password was easy to remember. It was also easy to crack. Now a criminal has a side door into your network. He sidles through and discovers...

  1. A glimmering treasure trove of sensitive assets. 
  2. A dark hallway full of locked doors.

Which would you prefer?

Effective access management systems keep watch over your network. They log every database query, every SSH command, and every access attempt and alert you if something unusual occurs.

With continuous monitoring and observability, you can see into your systems and respond quickly to threats and unusual activity. This enables you to discover and terminate zombie accounts before they do harm. Additionally, should a breach occur, activity logs and on-call management services help you find the problem and stop it before it expands.

Credential Storage & De-provisioning Accounts

As we’ve seen, the two greatest sources of zombie threats are weak passwords and inadequate de-provisioning.

Utilize password managers, secret managers, and other credential management systems to help secure your assets. A credential management system is any software tool that issues and manages passwords as part of a public key infrastructure (PKI) to help determine the identity of humans, devices, and services. 

These systems are built to protect your accounts with features such as multi-factor authentication and encrypted credential storage to help you protect your passwords, API keys, tokens, and other secrets. 

Provisioning is the practice of making technical systems available to users. These systems include networks, servers, applications, and digital identities. De-provisioning is simply the reversal of that process, and it is a critical step in keeping hackers out and reckless or resentful employees at bay. Smart tools will help you de-provision accounts automatically. Find an access management solution that extends your SSO to manage infrastructure, then revoke access every time an employee leaves or changes roles.

Credential Management Best Practices

“So devs--typically they'll pick really bad passwords, they'll sometimes share passwords, right on Slack.”

Cat Cai, Director of Platform Engineering at Fair

Timely de-provisioning is essential but insufficient. Attackers who gain control of sensitive credentials can generate zombie accounts and grant themselves insider privileges they can use to compromise your systems.

Solid access control policies are the best way to prevent and eliminate unmanaged accounts, but both technical and business users should play a role in keeping your organization safe. Extend credential security best practices throughout your teams to guard against zombie accounts and protect your intellectual property. 

Use these habits and practices to build a mindset of security throughout your organization.

  1. Encourage users to generate long, complex, and unique passwords, and rotate them regularly. Empower employees to avoid phishing schemes, and discourage easy-to-guess, shared, or recycled passwords.
  2. Use multi-factor authentication (MFA), also called two-factor authentication (2FA), as an added layer of protection against weak or reused passwords.
  3. When appropriate, configure temporary security credentials and set them to expire automatically. This eliminates the need for keeping track of time-limited access.
  4. Enlist secret managers to store, rotate, and manage your most sensitive credentials,  including passwords, certificates, keys, APIs, and tokens.
  5. Utilize third-party identity providers (IdPs) to manage identity information and provide authentication services, and consolidate multiple identities under a single sign-on.
  6. Log, audit, and track all privileged sessions using real-time monitoring and playback.
  7. Perform regular security audits of third-party vendors.
  8. Follow consistent onboarding and offboarding procedures with the help of automation.

Conclusion | StrongDM and the Zombie Apocalypse

Unmanaged accounts and credentials are prime targets for bad actors who want to gain access to your network.

To prevent and defend against zombie attacks, you need good access management throughout the lifecycle of your systems. StrongDM protects your network with:

  • Identity provider authentication.
  • Native secret-management integration.
  • Continuous monitoring.
  • Instant offboarding.

This multi-pronged approach is the most effective way to end a zombie attack. 

Try StrongDM free for 14 days and stop the zombies (braaaaaains!) before they stop you.

To learn more on how StrongDM helps companies with preventing credential sprawl, make sure to check out our Preventing Credential Sprawl Use Case.

About the Author

, Contributing Writer and Illustrator, has a passion for helping people bring their ideas to life through web and book illustration, writing, and animation. In recent years, her work has focused on researching the context and differentiation of technical products and relaying that understanding through appealing and vibrant language and images. She holds a B.A. in Philosophy from the University of California, Berkeley. To contact Maile, visit her on LinkedIn.

💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Machine Identity Management Explained
Machine Identity Management Explained in Plain English
In this article, we'll cover machine identities and address the importance and challenges in machine identity management. You'll gain a complete understanding of how machine identity management works and see the concept in action through real-world examples. By the end of this article, you'll be able to answer in-depth: what is machine identity management?
Spring Clean Your Access Management | strongDM
Spring Clean Your Access Management
Time to spring clean your access management! Use these resources to establish healthy habits to keep your infrastructure access tidy all year long.
Agent vs. Agent-less Architecture
Agent vs. Agentless Architectures in Access Management
Agent vs. Agentless architectures is a recurring debate - covering specifics from monitoring to security. But when it comes to Access Management, some key considerations are necessary when defining the scalability of your solution and its impact on efficiency and overhead over time.
PAM inside of a Pac-man styled interface with the caption
Time for PAM to Go Wham!
Privileged Access Management doesn’t solve the whole access challenge. It’s time for PAM to evolve to support complex environments and put people first.
Day Two Cloud 134: Simplifying Infrastructure Access With StrongDM
Day Two Cloud 134: Simplifying Infrastructure Access With StrongDM
StrongDM takes a proxy approach to the challenge of access and authentication. It uses a local client that can run on a Mac, Windows, or Linux device; a gateway to mediate access; and an administration layer for setting policies and permissions and auditing access.