Ghost accounts: An open door to network sabotage

It's a scary indicator of a spiraling economy that through the first six months of this year nearly 1.1 million workers were laid off, according to the U.S Department of Labor.

Even scarier is the question of how many of those workers still have active accounts on the networks of their former employers.

So-called ghost accounts, those not closed when workers leave, can include access to mainframes, databases, file servers, intranets and e-mail. There are also remote access holes with VPN passwords and dial-in accounts. All open "back doors" into a network.

A recent series of high-profile network sabotage cases show that vengeful employees can wreak high-tech havoc.

"Disgruntled employees are a significant threat," says Larry Rogers, senior member of the technical staff at Computer Emergency Response Team Coordination Center. Security experts recommend a combination of procedures, policies and automation to combat the threat.

"We have an application that notifies all departments when an employee leaves, puts the user's passwords in a deny-access mode and quarantines their files," says one network administrator for a global distribution company who requested anonymity. "Part of the process is manual, and we are evaluating ways to automate that."

Automation is key and is being made available in a class of products known as provisioning software, which can automatically activate and deactivate user accounts.

"If you are a CIO and are currently using a manual process, fundamentally you have no way to know the process [of deprovisioning] worked. With provisioning software that is the opposite. You know that the process was completed," says Mike Neuenschwander, an analyst with The Burton Group.

Just last week Access360, Novell and Waveset Technologies announced provisioning products. Business Layers also has a product called eProvision Day One.

Access 360 released Version 4.0 of its EnRole provisioning software, which is now integrated with corporate directories to centralize user account information. Novell released its Employee Provisioning System, which is intended to create a single user identity across a corporate network. Waveset Technologies is offering for free its Inactive Account Scanner, which ferrets out dormant accounts.

However, the process must include social engineering, Rogers says. That means teaching employees not to share passwords and administrators not to reactivate closed accounts.

Rogers recalls one case where a former Coast Guard employee was able to hack into a database using a password given to her by an unsuspecting co-worker.

The result: A bill of $40,000 and 1,800 staff hours to repair the damage.

Contact Senior Editor John Fontana

Other recent articles by Fontana

Internal net saboteurs being brought to justice
Network World, 08/27/01.