Uncovering & Remediating Dormant Account Risk
The importance of gaining visibility into identity data
Over the last two years, the security of an organization's identity ecosystem has become paramount. Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. This visibility is the cornerstone of any robust identity security program.
You cannot protect what you can't see. Identifying what to protect is the first step in an organization’s identity security program. To achieve this, building an accurate user inventory is necessary. If you don’t trust us, the Center for Internet Security (CIS) also recommends maintaining an accurate inventory of devices and users to ensure that only authorized users have access to the system. Without an accurate user inventory, it becomes difficult to identify and mitigate security risks.
Challenges facing organizations trying to gain identity visibility
However, organizations often face several challenges when trying to gain visibility into their identity ecosystem. To start, identity providers store data in different formats with varied attributes and schemas, making it hard to map and reconcile data between systems, especially HR directories and identity providers. Additionally, data quality varies, with HR directories often having more accurate and up-to-date data compared to cloud-based identity providers. This creates inconsistencies when forming a unified view of user identities. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) with access to company data. These accounts should be linked to a singular corporate entity.
By leveraging Cisco Identity Intelligence, organizations can easily overcome these challenges to gain powerful visibility into their identity ecosystem. One of the key functions of Cisco Identity Intelligence is creating an identity graph that is a mapping of accounts and access within an organization.
Visibility unlocks identity security posture management (ISPM)
Once an organization gains visibility, it can start getting proactive by implementing an identity security posture management (ISPM) initiative. But what exactly is ISPM?
Identity security posture management (ISPM) is the idea that an organization has a measurable posture when it comes to the defense of its identity environment. This posture is shaped by the levels of security hygiene and control in place, both for individual users and for the organization more broadly. ISPM involves continuously monitoring and analyzing identities, access rights and authentication processes across your entire ecosystem to determine the current identity security posture. This gives you insight into your identity risk profile and guidance on how to remove that risk.
To get concrete, here are some examples of use cases or insights that would fall under the category of ISPM:
Uncover dormant or inactive accounts
Ensure widespread coverage and proper usage of strong MFA
Evaluate administrator accounts for risky activity
Monitor guest, contractor or service accounts for proper use
Deep dive into dealing with dormant accounts
So, what are dormant or inactive accounts? The definition can vary from organization to organization, but this usually refers to a licensed and provisioned account that has not performed any activity for an extended period of time.
Why are dormant accounts a risk?
Dormant accounts pose a significant security risk. The Cybersecurity and Infrastructure Security Agency (CISA) recently highlighted that attackers are now targeting these accounts as an initial entry point into organizational environments. According to a CISA report: "Attackers have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system."
The report also highlights that attackers can time their activities to align with a breach or incident at the company. For example, it is often the case that during an incident, employees across an organization are forced to do a password reset. CISA noted that attackers have “also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities."
In either case, dormant accounts are providing a viable entry point for attackers looking to gain access into company environments.
How Cisco Identity Intelligence helps identify dormant accounts
After ingesting data from identity data sources, Cisco Identity Intelligence analyzes the data and offers a variety of checks that highlight potentially inactive or dormant account risks. These checks can be used individually or in combination to zero in on dormant accounts and abnormal activity associated with them. To illustrate how Cisco Identity Intelligence does this, here are some of the checks that run inside the tool:
Inactive Users: Detects users who are enabled (Active status) and who have not successfully authenticated for more than 30 days.
Inactive Account Probing: Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may be an account takeover attempt.
Never Logged In: Detects accounts that were created but never successfully logged in. These accounts appeal to attackers, as they may be able to register their own MFA factors.
Access from Dormant Account: Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.
Unused Application for a User: Detects applications unused by a user. Users will fail this check if they have not used an application within 30 days.
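To make the checks above concrete, here is an added Python example (not Cisco Identity Intelligence code) that evaluates four of them over a constructed account inventory and login-event list. The 30-day threshold comes from the checks described above; the Account fields, the HR-sourced `employed` attribute, and the probing window (5 failures within 24 hours) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
INACTIVE_AFTER = timedelta(days=30)   # dormancy threshold used by the page's 30-day checks

@dataclass
class Account:
    user: str
    status: str     # IdP attribute: "Active" or "Disabled"
    employed: bool  # assumed HR-directory attribute; False once the person has left

def successes(events, user):
    """Timestamps of successful logins for `user`; events are (user, time, succeeded) tuples."""
    return sorted(t for u, t, ok in events if u == user and ok)
def check_inactive_users(accounts, events, now):
    """Inactive Users: enabled accounts whose last successful login is over 30 days old.
    Accounts with no successful login at all are reported by check_never_logged_in instead."""
    return sorted(a.user for a in accounts if a.status == "Active"
                  and (s := successes(events, a.user)) and now - s[-1] > INACTIVE_AFTER)

def check_never_logged_in(accounts, events):
    """Never Logged In: provisioned accounts without a single successful login."""
    return sorted(a.user for a in accounts if not successes(events, a.user))
def check_probing(accounts, events, window=timedelta(hours=24), min_failures=5):
    """Inactive Account Probing: min_failures failed logins within `window`, against an
    account with no successful login in the 30 days before the burst started."""
    out = []
    for a in accounts:
        fails = sorted(t for u, t, ok in events if u == a.user and not ok)
        ok = successes(events, a.user)
        if any(len(fails) - i >= min_failures and fails[i + min_failures - 1] - t <= window
               and not any(t - INACTIVE_AFTER <= s < t for s in ok) for i, t in enumerate(fails)):
            out.append(a.user)
    return sorted(out)

def check_access_from_dormant(accounts, events):
    """Access from Dormant Account: a success after 30+ silent days, or any success by a departed user."""
    out = []
    for a in accounts:
        s = successes(events, a.user)
        if s and (not a.employed or any(c - p > INACTIVE_AFTER for p, c in zip(s, s[1:]))):
            out.append(a.user)
    return sorted(out)

NOW = datetime(2024, 6, 1)   # constructed snapshot time; all sample data below is made up
def ago(days=0, hours=0): return NOW - timedelta(days=days, hours=hours)
ACCOUNTS = [Account("alice", "Active", True), Account("bob", "Active", True),      # alice healthy, bob idle 45 days
            Account("carol", "Active", True), Account("dave", "Active", False),    # carol never logged in, dave has left
            Account("erin", "Active", True)]                                        # erin dormant and now being probed
EVENTS = [("alice", ago(1), True), ("alice", ago(10), True), ("bob", ago(45), True),
          ("dave", ago(90), True), ("dave", ago(2), True),            # dave: success after 88 silent days
          ("erin", ago(120), True)] + [("erin", ago(0, h), False) for h in range(1, 7)]  # 6 failures in 6 hours
```

Running the four checks over this inventory flags bob and erin as inactive, carol as never logged in, erin as being probed, and dave's login as access from a dormant account, which is the kind of combined view the text describes.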
Once the dormant accounts have been identified, it’s straightforward to limit or cut off access where necessary.
What is the benefit of remediating dormant or inactive accounts?
Security Benefit: When standing entitlements that are not needed or not used on a regular basis are left in place, attackers may be able to use a dormant account to gain access to sensitive systems and data. By removing these entry points, the attack surface is made smaller and harder for attackers to penetrate.
Economic Benefit: Dormant accounts may still consume paid licenses that nobody uses. By remediating dormant accounts, the organization can reclaim those unused licenses and save the associated cost.
Interested in learning more?
By addressing the risk of dormant accounts, organizations can significantly enhance their security posture and reduce unnecessary costs. With Cisco Identity Intelligence, gaining visibility and managing identity security has never been easier.
Be sure to download our free ebook — Building an Identity Security Program — to learn more about building and maintaining an identity security program that actually works.
To learn more about how Duo can help you on your ISPM journey, check out our Duo and Cisco Identity Intelligence page. Or, start a free trial of Duo to try out this functionality for yourself.