News

IT Underestimates Risk from 'Zombie Accounts'

• By Jim Powell
• 06/16/2009

A recent survey from Courion Corp. reveals that a vast majority (93 percent) of organizations "are confident that terminated employees pose no security risk to their systems by virtue of legacy access." Unfortunately, the report notes, many of these same organizations have limited or no knowledge of the systems to which their active and terminated employees actually have access.

Such unjustified confidence in system security "leaves companies vulnerable to attacks such as the recent 'zombie account' breach at the California Water Service Company (CWSC), in which an ex-employee returned to his office after-hours and successfully transferred $9 million to offshore bank accounts in Qatar, using his old password to access privileged accounts."

Courion, a provider of solutions to solve an enterprise's identity and access management (password management, provisioning and role management), risk and compliance challenges, said its survey, conducted last month, asked 236 business managers around the world about their practices. Half of the companies had at least 10,000 employees.

According to Courion, "These figures suggest that IT administrators may be overconfident in their ability to prevent data breach threats from zombie accounts, which can cost organizations millions of dollars in damages and tarnish brand reputation. Courion recommends careful inspection of Access Assurance policies to ensure that the right users have the right access to the right resources and are doing the right things."

In the survey, Courion asked respondents if their top security concern came from external or internal threats. Less than half (46 percent) chose "internal," which may explain why over half (53 percent) of IT managers are unaware of their employees' system access rights, which Courion says causes a proliferation of zombie accounts (accounts that remain active after employees leave a company). These administrators also are confident that such zombie accounts can't trigger a malicious attack or perpetrate a data leak. Courion points out that the CWSC incident is just one example of behavior that isn't registering with these security professionals.

Companies aren't necessarily quick to turn off access from employees who leave the enterprise. Although more than a quarter (26.8 percent) notify IT to de-provision a terminated employee from all systems and applications, almost half (48 percent) of organizations take a day or more to do so; 4.5 percent can take more than a week before such notification is made. Once notified, over one-third (34.8 percent) of enterprises revoke access with an hour, but nearly a quarter (22.8 percent) can take more than a day (and for some, more than a month).

Worse, almost one out of every 10 companies (9 percent) report that they "could never be completely certain" that access to IT systems for terminated employees was removed.

The survey also found that nearly one in every three companies responding to the survey (30 percent) manually provisions user accounts. Courion believes this "increases the likelihood of human error or delays when de-provisioning departing employees -- and ultimately the risk of data theft via zombie accounts."

Kurt Johnson, vice president of corporate development at Courion, added, "This data and recent examples such as CWSC are further evidence of the need for diligence in terminating user access as soon as an employee leaves the company -- even a short time gap leaves companies vulnerable to inappropriate access. Organizations can greatly improve their risk posture by implementing automated Access Assurance policies that reduce or remove the risk of human error and ensure users are de-provisioned as soon as an employee departs."