One-Third of Internal User Accounts Are 'Ghost Users'
Attackers and malware can easily move laterally through an organization, thanks to inadequate access controls on file systems and a proliferation of inactive but enabled users.
Meager access controls on folders and file systems are leaving organizations wide open to the lateral movement of attackers and malware, according to a new report.
Security firm Varonis analyzed data risk assessments performed by its engineers on 130 companies and 5.5 petabytes of data through 2017. What concerns Varonis technical evangelist Brian Vecci most is that companies left 21% of all their folders open to everyone in the company.
"That's absurd," he says, noting that this openness enables attackers and malware to compromise one user and spread laterally throughout a network. "In a world where businesses are being taken down by ransomware, how could you possibly let a fifth of your file system be taken down by any one user making a mistake?"
Sensitive folders and files are among the overexposed. Thirty percent of companies leave more than 1,000 sensitive folders accessible to all employees, and 41% have more than 1,000 sensitive files accessible to all employees, according to the report.
Adding to the risk of attackers' lateral movement is the prevalence of user accounts that are "stale" - inactive, out of use - but still enabled. The Varonis assessments found that 34% of all users fall into this "ghost user" category; almost half (46%) of companies have over 1,000 ghost user accounts.
Not only are users inactive, but the data is as well - more than half (54%) of companies' data is stale, according to the report. Not only could this be a needless storage expense, but it puts organizations at higher risk of breaches and regulatory compliance violations.
"You ask anyone if they have data retention and destruction policies, everyone raises their hands," says Vecci, "but if you ask 'do you apply these policies to your file systems,' the answer is almost always no."
His advice is to scan for sensitive data, map all access controls, and turn on monitoring. "In other words, know what you've got," says Vecci. "If you just do these three things, companies would be so much further than they are right now. And it doesn't need to be a big project."