Zombie accounts: forgotten accounts that open the door to bad actors looking to insert malware, steal data, and damage your internal systems.
Even though you may already use Privileged Access Management (PAM) to safeguard your most sensitive accounts, the credential management techniques below will expand on PAM to help you detect zombie credentials--and prevent them from wreaking havoc in your organization.
Credential Management and Zombie Accounts
Not all credentials are zombies. As you know, credentials are simply the evidence used to authenticate a user’s right to access a system—a “who’s calling and a way to prove it.” They commonly take the form of a username and password but may also include tokens, certificates, and API keys, particularly for computer-to-computer interaction.
Problems arise, however, when accounts stagnate or go unused, and the associated credentials remain active. When these accounts exist within an organization, the risk is especially great as they create an appealing entry point for hackers. Disgruntled former employees may also use them to damage internal systems, steal data, and generally cause harm. Leaving such accounts open, particularly when they are protected with reused, shared, or compromised passwords, increases your threat surface and leaves your network vulnerable to breaches.
Credential security consists of the strategies, policies, and technologies an organization uses to safeguard user access against both user error and ever-evolving cyber threats. It includes a set of best practices surrounding password and secret hygiene, with the effective use of tools and employee education, as well as active tactics for monitoring and defending the credentials associated with both human and machine accounts.
The Zombie Invasion | Types of Abandoned Accounts
Accounts go unmanaged for many reasons. Technical staff may over-provision users to ease workflow. Admins may grant temporary user access to interns or contractors, or for time-limited projects, and then forget to roll it back.
Though they may seem harmless, these old accounts are a serious threat vector. When taken over by rogue actors, these zombies, also called ghost or orphaned accounts, have the power to add or delete users, access critical data, and create chaos on your network.
Here are some common zombie accounts you may encounter:
Ghosts of Employees Past
Zombie accounts often result when human users who are authenticated through username/password or SSO leave your company or change roles. This is a particular challenge for organizations with frequent turnover, including those with seasonal employees and interns. Old credentials, when left unmanaged, are a prime target for attackers.
Old Privileged Accounts
When these former employees are technical staff or privileged business users, the threat is even greater. Additionally, highly privileged zombie accounts may result from privilege creep, when employees gradually accumulate rights beyond what their role requires. Such users may connect to an unmanaged account and perform unauthorized tasks. Privileged zombie accounts, especially in the hands of bad actors with insider know-how, can cause severe damage.
According to Gartner Top Security and Risk Trends for 2021, “establishing an enterprise-wide strategy for managing machine identities, certificates and secrets” is a notable challenge in modern computing. Machine zombies result when bad actors take control of the application and service accounts that exist by default in many systems. These accounts allow machines to access databases, run scripts, and make changes to other applications and can do real harm when misused.
While the term “orphaned account” can describe any type of inactive account, it often applies to two special cases. The first is orphaned network accounts, for example, Active Directory accounts tied to former or inactive employees. The second is orphaned database users and orphaned SQL accounts, which may arise when a database is restored from a backup taken on one server onto another: the users remain defined in the database, but the logins they are mapped to do not exist on the new server. As with all inactive accounts, these can become a threat when taken over by malicious users.
However you label these accounts, malicious users may seize them and hide in your network for corrupt purposes. Poor credential management opens the door to criminals hoping to take over your system. So, what can you do?
Danse Macabre | Finding Zombies, Ghosts, and Orphaned Users
In an ideal world, the bad guys would all stay out of your network. Sadly, denial is not an effective strategy against cyberthreats. Even organizations with thoughtful security procedures require monitoring to guard against human error.
Consider this scenario: Julia in HR has re-used the password from her Piggly Wiggly rewards membership to connect to a user database. The password was easy to remember. It was also easy to crack. Now a criminal has a side door into your network. He sidles through and discovers...
- A glimmering treasure trove of sensitive assets.
- A dark hallway full of locked doors.
Which would you prefer?
Effective access management systems keep watch over your network. They log every database query, every SSH command, and every access attempt and alert you if something unusual occurs.
With continuous monitoring and observability, you can see into your systems and respond quickly to threats and unusual activity. This enables you to discover and terminate zombie accounts before they do harm. Additionally, should a breach occur, activity logs and on-call management services help you find the problem and stop it before it expands.
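The discovery step described above, reduced to a script, as an added example that is not part of the original post or of strongDM's product: it reconciles an account inventory (such as a directory or IdP export) against an HR offboarding roster and last-login data, and flags the zombie patterns named earlier (ghosts of employees past, stagnant privileged and service accounts, temporary grants that were never rolled back). The inventory, roster and the 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumed inactivity threshold; set it to match your own policy

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-30T08:10:00Z; None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_zombies(accounts, terminated, now, stale_days=STALE_DAYS):
    """Flag every enabled account that matches a zombie pattern. accounts: inventory rows
    with name/owner/privileged/enabled/last_login/expires; terminated: offboarded owner ids."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already de-provisioned; nothing to do
        reasons = []
        if acct["owner"] in terminated:
            reasons.append("owner offboarded")  # ghost of an employee past
        last = parse_ts(acct.get("last_login"))
        if last is None or now - last > timedelta(days=stale_days):
            reasons.append(f"no login in {stale_days} days")  # stagnant account
        exp = parse_ts(acct.get("expires"))
        if exp is not None and exp < now:
            reasons.append("temporary access past expiry")  # time-limited grant never rolled back
        if reasons:
            high = acct["privileged"] or "owner offboarded" in reasons
            findings.append({"name": acct["name"], "severity": "high" if high else "medium",
                             "reasons": reasons})
    # Privileged and offboarded accounts first: they do the most damage if seized.
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings

# Constructed sample inventory (not real data): a directory export plus an HR roster.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"name": "jsmith", "owner": "jsmith", "privileged": False, "enabled": True,
     "last_login": "2024-05-30T08:10:00Z"},
    {"name": "dba_rwong", "owner": "rwong", "privileged": True, "enabled": True,
     "last_login": "2024-01-15T17:42:00Z"},
    {"name": "intern_ali", "owner": "ali", "privileged": False, "enabled": True,
     "last_login": "2024-05-20T09:00:00Z", "expires": "2024-04-30T00:00:00Z"},
    {"name": "svc_report", "owner": "svc_report", "privileged": True, "enabled": True,
     "last_login": None},
    {"name": "old_pat", "owner": "pat", "privileged": False, "enabled": False,
     "last_login": "2023-02-01T12:00:00Z"},
]
TERMINATED = {"rwong", "pat"}

if __name__ == "__main__":
    for f in find_zombies(ACCOUNTS, TERMINATED, NOW):
        print(f["severity"].upper(), f["name"], "->", "; ".join(f["reasons"]))
```

Feed it real exports and the high-severity rows are the accounts to disable first; the disabled account in the sample shows that already de-provisioned entries produce no noise.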
Credential Storage & De-provisioning Accounts
As we’ve seen, the two greatest sources of zombie threats are weak passwords and inadequate de-provisioning.
Use password managers, secret managers, and other credential management systems to help secure your assets. A credential management system is any software tool that issues and manages passwords as part of a public key infrastructure (PKI) to help determine the identity of humans, devices, and services.
These systems are built to protect your accounts with features such as multi-factor authentication and encrypted credential storage to help you protect your passwords, API keys, tokens, and other secrets.
Provisioning is the practice of making technical systems available to users. These systems include networks, servers, applications, and digital identities. De-provisioning is simply the reversal of that process, and it is a critical step in keeping hackers out and reckless or resentful employees at bay. Smart tools will help you de-provision accounts automatically. Find an access management solution that extends your SSO to manage infrastructure, then revoke access every time an employee leaves or changes roles.
Credential Management Best Practices
“So devs--typically they'll pick really bad passwords, they'll sometimes share passwords, right on Slack.”
— Cat Cai, Director of Platform Engineering at Fair
Timely de-provisioning is essential but insufficient. Attackers who gain control of sensitive credentials can generate zombie accounts and grant themselves insider privileges they can use to compromise your systems.
Solid access control policies are the best way to prevent and eliminate unmanaged accounts, but both technical and business users should play a role in keeping your organization safe. Extend credential security best practices throughout your teams to guard against zombie accounts and protect your intellectual property.
Use these habits and practices to build a mindset of security throughout your organization.
- Encourage users to generate long, complex, and unique passwords, and rotate them regularly. Empower employees to avoid phishing schemes, and discourage easy-to-guess, shared, or recycled passwords.
- Use multi-factor authentication (MFA), also called two-factor authentication (2FA), as an added layer of protection against weak or reused passwords.
- When appropriate, configure temporary security credentials and set them to expire automatically. This eliminates the need for keeping track of time-limited access.
- Enlist secret managers to store, rotate, and manage your most sensitive credentials, including passwords, certificates, keys, API keys, and tokens.
- Use third-party identity providers (IdPs) to manage identity information and provide authentication services, and consolidate multiple identities under a single sign-on.
- Log, audit, and track all privileged sessions using real-time monitoring and playback.
- Perform regular security audits of third-party vendors.
- Follow consistent onboarding and offboarding procedures with the help of automation.
Conclusion | strongDM and the Zombie Apocalypse
Unmanaged accounts and credentials are prime targets for bad actors who want to gain access to your network.
To prevent and defend against zombie attacks, you need good access management throughout the lifecycle of your systems. strongDM protects your network with:
- Identity provider authentication.
- Native secret-management integration.
- Continuous monitoring.
- Instant offboarding.
This multi-pronged approach is the most effective way to end a zombie attack.
Try strongDM free for 14 days and stop the zombies (braaaaaains!) before they stop you.