Bring Out Your Dead (User Accounts)
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
Not Dead But Should Be
The Dead Collector: “Bring out yer dead.”
Large Man with Dead Body: “Here’s one.”
The Dead Collector: “That’ll be ninepence.”
The Dead Body That Claims It Isn’t: “I’m not dead.”
The Dead Collector: “What?”
Large Man with Dead Body: “Nothing. There’s your ninepence.”
The Dead Body That Claims It Isn’t: “I’m not dead.”
The Dead Collector: “‘Ere, he says he’s not dead.”
Large Man with Dead Body: “Yes he is.”
The Dead Body That Claims It Isn’t: “I’m not.”
The Dead Collector: “He isn’t.”
Large Man with Dead Body: “Well, he will be soon, he’s very ill.”
The Dead Body That Claims It Isn’t: “I’m getting better.”
Monty Python and the Holy Grail
Proper Data Backups and Security Patching Are a Must
There is a seemingly endless list of security issues that need to be addressed on a day-to-day basis. Some are fundamental like making sure you have a good backup; your backups have been regularly tested; you have copies of your backups securely offsite. Some are a little more technical, like patching vulnerabilities or determining if the latest vulnerabilities affect you. Just like protecting your home, some are really simple but also really tedious. Did you lock the door when you left? Did you turn off the stove? At work, did you delete the accounts of the employees who are no longer there? If the ex-employees had any kind of admin access, have those passwords been changed? Has that employee’s remote access been blocked?
Network House Keeping
Housekeeping is not exciting but it is a very necessary facet of security. If you think you can let housekeeping go, just watch an episode of Hoarders. It is mind-boggling to see just what kind of conditions people will come to find acceptable over time. Granted, many of these people are diagnosed with some sort of problem like a variation of OCD or some other compulsion, but it is doubtful any of them just decided one day to start collecting things and never throw another thing away. The end result is a house, or several, stuffed with junk.
Is your network like that? Do you have old machines on the network that no one uses or knows why they are there? How about your user directory? Are there accounts that haven’t been accessed in years because the employee retired 10 years ago? What is a possible consequence of poor housekeeping?
I came across an interesting website called Darknet Diaries (https://darknetdiaries.com/ ). Subtitled “True stories from the dark side of the internet” it is a podcast (with full transcriptions) about the dark web and related activities. Episode 113, titled “Adam”, relates the experiences of a fellow who rose gradually up the IT ladder based on a desire to learn. He had gotten into some trouble with the law when he was younger and thus had a record. He eventually applied for a job that required a background check. He told them about his past, was told it would be no problem, and was allowed to start working before the check was completed.
Over the course of his first week, he noticed that the password policy was very poor. Passwords were assigned following a pattern that allowed him to successfully guess the network admin password. He increased his IT skills and then the background report comes back. The employer decides they can’t keep him with his record and he is fired. He is angry. He gets work elsewhere and continues to add to his skill set. Four years later he decides to see if the credentials he remembers still work at his previous (albeit it short-term) employer. They do. He is able to get into the network, just to look. He then changes the password for a superuser so he can do some more snooping. He moves around the network and does a few other things. It dawns on him that he has done nothing to cover his tracks so he decides to destroy anything that might have a record of his actions. He remotely wipes hundreds of phones, destroys servers, and backups, and causes tremendous damage to the network. Eventually, he’s discovered and arrested.
Clean Up Your Active Directory
If you listen to the podcast (or read the transcript), the details reveal a significant list of bad practices in the management of the network. However, the most devastating oversight was not cleaning up after a departed user. Poor password practice made the admin password easy to guess. An IT user departing on unfriendly terms should flag a change of admin passwords, even if the user himself wasn’t an admin. Any accounts that this fired tech had access to should have had passwords changed. The employer was able to find the perpetrator but that did not help with the damage he was able to cause.
Network housekeeping is a vital part of security. Departing users’ accounts need to be deleted or at the very least have passwords changed (assuming that these accounts still need to be active and accessible). Departing IT employees should trigger admin password changes, VPN/RDP connection reviews, and an overall assessment of what access they had. Forgotten accounts and missed hardware open holes in even the best defenses. This is something that needs to be done regularly, just like cleaning a house. It is easier to do a little on a regular basis, rather than a huge cleaning effort infrequently. Good security is a process and housekeeping needs to be part of that process. Bring out your dead accounts and get rid of them, before they cause you a problem.
If your network looks like an episode of Hoarders and you just don’t know where to start, give the Ashton team a call at 216 397-4080.