Ghost Accounts: An Open Door To Network Sabotage

It’s a scary indicator of a spiralling economy that through the first six months of this year nearly 1.1 million workers were laid off, according to the U.S. Department of Labor.

Even scarier is the question of how many of those workers still have active accounts on the networks of their former employers.

So-called ghost accounts, those not closed when workers leave, can include access to mainframes, databases, file servers, intranets and e-mail. There are also remote access holes with VPN passwords and dial-in accounts. All are open “back doors” into a network.

A recent series of high-profile network sabotage cases shows that vengeful employees can wreak high-tech havoc.

“Disgruntled employees are a significant threat,” says Larry Rogers, senior member of the technical staff at Computer Emergency Response Team Coordination Center. Security experts recommend a combination of procedures, policies and automation to combat the threat.

“We have an application that notifies all departments when an employee leaves, puts the user’s passwords in a deny-access mode and quarantines their files,” says one network administrator for a global distribution company who requested anonymity. “Part of the process is manual, and we are evaluating ways to automate that.”

Automation is key and is being made available in a class of products known as provisioning software, which can automatically activate and deactivate user accounts.

“If you are a CIO and are currently using a manual process, fundamentally you have no way to know the process [of deprovisioning] worked. With provisioning software that is the opposite. You know that the process was completed,” says Mike Neuenschwander, an analyst with The Burton Group Corp.

Just last week Access360, Novell Inc. and Waveset Technologies Inc. announced provisioning products. Business Layers Inc. also has a product called eProvision Day One.

Access360 released Version 4.0 of its EnRole provisioning software, which is now integrated with corporate directories to centralize user account information. Novell released its Employee Provisioning System, which is intended to create a single user identity across a corporate network. Waveset Technologies is offering for free its Inactive Account Scanner, which ferrets out dormant accounts.
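The two checks a deprovisioning job or inactive-account scanner of the kind described above performs, as an added example that is not code from the article or from any of the products it names: cross-referencing a directory export against an HR separation list, and flagging accounts that have gone dormant regardless of HR status. The account data, field names and the 90-day threshold are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed sample data; field names are assumptions, not any product's schema.
@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]   # None means the account has never logged in
    services: Tuple[str, ...]    # e.g. ("mail", "vpn", "db")

DIRECTORY = [
    Account("alice", True, date(2002, 7, 1), ("mail", "db")),
    Account("bob", True, date(2002, 1, 15), ("mail", "vpn")),   # left in January, still open
    Account("carol", False, date(2002, 2, 3), ("mail",)),       # correctly disabled on exit
    Account("dave", True, None, ("mail",)),                     # created but never used
    Account("svc-backup", True, date(2001, 11, 30), ("db",)),   # service account gone quiet
]
# HR separation feed: user -> last day of employment.
SEPARATED = {"bob": date(2002, 1, 18), "carol": date(2002, 2, 5)}

def find_ghost_accounts(accounts, separated, today, dormant_days=90):
    """Return {user: (reason, has_remote_access)} for accounts needing review.

    Check 1: separated employees whose accounts were never disabled.
    Check 2: enabled accounts that never logged in or exceed the dormancy window.
    Remote-access (VPN) accounts are marked so they can be prioritised.
    """
    findings: Dict[str, Tuple[str, bool]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned
        reason = None
        if acct.user in separated:
            reason = f"separated {separated[acct.user]} but still enabled"
        elif acct.last_login is None:
            reason = "never logged in"
        else:
            idle = (today - acct.last_login).days
            if idle > dormant_days:
                reason = f"dormant for {idle} days"
        if reason:
            findings[acct.user] = (reason, "vpn" in acct.services)
    return findings

if __name__ == "__main__":
    for user, (reason, remote) in find_ghost_accounts(DIRECTORY, SEPARATED, date(2002, 7, 15)).items():
        print(f"{user}: {reason}{' [remote access]' if remote else ''}")
```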

However, the process must include social engineering, Rogers says. That means teaching employees not to share passwords and administrators not to reactivate closed accounts.

Rogers recalls one case where a former Coast Guard employee was able to hack into a database using a password given to her by an unsuspecting co-worker.

The result: A bill of US$40,000 and 1,800 staff hours to repair the damage.