If you’re a geek like me, you remember the above line from Star Wars Episode VI: Return of the Jedi where a strike team posing as an engineering crew gives a stolen (dormant) authorization code as they attempt to pass through a security checkpoint.
The successful use of that dormant code allowed the rebels to take down the force field, fly inside the superstructure, knock out its main reactor, and destroy the Death Star. Dormant accounts are those virtual identities that lie idle, untouched, and unused for an extended period of time. They can range from email accounts and social media profiles to online banking portals and business platforms. Oftentimes, users create these accounts for temporary purposes or simply forget about them, leaving them susceptible to unauthorized access, data breaches, and potential misuse.
While the initial creation of dormant accounts might serve legitimate intentions, their abandonment can lead to unintended consequences. Cybercriminals often target such accounts, taking advantage of the prolonged inactivity and potential security vulnerabilities to gain unauthorized access, propagate spam, or even launch sophisticated cyberattacks. Organizations can also suffer from potential reputational damage if these dormant accounts are manipulated to distribute false information or engage in malicious activities.
If dormant accounts remain enabled, they pose a significant risk in the event of a future data breach. These are typically accounts that once belonged to former employees or were set up for temporary projects. They may show no recent activity, but they often retain their access permissions, making them attractive targets for misuse. To mitigate this, consider setting automatic expiration dates on accounts, provided the system supports such a configuration.
Strategies for Managing Dormant Accounts
- Routine Checks: Periodically scan for accounts untouched for set intervals, such as 30, 60, or 90 days.
- Leverage Automation: Deploy system tools or specialized software to spot and highlight inactive accounts based on set criteria.
- Integrate with HR Protocols: Align with HR processes to modify or deactivate accounts of employees who exit or transition to different roles.
- Implement Expiration Protocols: For accounts of a temporary nature, like those of freelancers or specific projects, designate a predetermined expiry date upon creation.
- Maintain Detailed Records: Uphold comprehensive records of all account-related actions, particularly when deactivating or removing accounts. This ensures traceability and responsibility.
- Periodic Access Reviews: Actively monitor and recalibrate access permissions for all accounts, adhering to the principle of granting the minimum required access.
Proactively addressing dormant accounts isn't just about organization; it's a cornerstone of effective cybersecurity.
Here’s a link to an Account and Credential Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/account-and-credential-management-policy-template-for-cis-controls-5-and-6
Here are some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 5 – Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Implementation Group 1
CIS Safeguard 5.3 - Disable Dormant Accounts
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
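As an added example (not code from the post or from CIS), here is a small Python review script that puts the strategies above into practice against Safeguard 5.3: it reads an account export, measures inactivity from the last login (or from creation for accounts that were provisioned but never used), applies the 45-day threshold, honours any expiry date set at creation, and emits one audit record per account so the decision is traceable. The CSV column names, the sample accounts and the review date are constructed assumptions; a real run would consume the export your directory, IdP or application produces. One design choice goes slightly beyond the text: dormant service accounts are flagged for human review rather than disabled automatically, because disabling one can break a dependent workload.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# CIS Safeguard 5.3: disable or delete dormant accounts after 45 days of inactivity.
DORMANT_DAYS = 45

# Constructed sample export (assumed column names); blank cells mean "not set".
SAMPLE_EXPORT = """username,account_type,enabled,created,last_login,expires
alice,user,true,2023-01-10,2024-05-01,
bob,admin,true,2022-06-01,2024-01-15,
contractor1,user,true,2024-02-01,2024-03-01,2024-04-30
svc-backup,service,true,2021-09-01,2024-01-01,
intern2,user,true,2024-01-05,,
olduser,user,false,2020-03-03,2021-02-02,
"""


@dataclass
class Account:
    username: str
    account_type: str               # "user", "admin" or "service"
    enabled: bool
    created: datetime
    last_login: Optional[datetime]  # None: the account has never logged in
    expires: Optional[datetime]     # None: no expiry date was set at creation


def _parse_date(value: str) -> Optional[datetime]:
    return datetime.strptime(value.strip(), "%Y-%m-%d") if value and value.strip() else None


def parse_export(text: str) -> List[Account]:
    """Turn the CSV export into Account objects; blank cells become None."""
    return [
        Account(
            username=r["username"],
            account_type=r["account_type"],
            enabled=r["enabled"].strip().lower() == "true",
            created=_parse_date(r["created"]),
            last_login=_parse_date(r["last_login"]),
            expires=_parse_date(r["expires"]),
        )
        for r in csv.DictReader(io.StringIO(text))
    ]


def evaluate(acct: Account, now: datetime, dormant_days: int = DORMANT_DAYS) -> Tuple[str, str, int]:
    """Decide what to do with one account; returns (action, reason, idle_days).

    keep    - active within the threshold and not expired
    disable - past its expiry date, or idle for dormant_days or more
    review  - dormant service account: hand to a human instead of auto-disabling
    skip    - already disabled (still recorded so the audit trail is complete)
    """
    # Inactivity is measured from the last login, or from creation when the
    # account was provisioned but never used (a common dormant-account shape).
    reference = acct.last_login or acct.created
    idle_days = (now - reference).days
    basis = "last login" if acct.last_login else "creation (never logged in)"

    if not acct.enabled:
        return "skip", "already disabled", idle_days
    if acct.expires is not None and acct.expires < now:
        return "disable", f"expired on {acct.expires:%Y-%m-%d}", idle_days
    if idle_days >= dormant_days:
        reason = f"{idle_days} days since {basis} (threshold {dormant_days})"
        return ("review" if acct.account_type == "service" else "disable"), reason, idle_days
    return "keep", f"{idle_days} days since {basis}", idle_days


def review_accounts(text: str, as_of: str, reviewer: str, dormant_days: int = DORMANT_DAYS) -> List[Dict]:
    """Run the check over a whole export and return one audit record per account."""
    now = _parse_date(as_of)
    records = []
    for acct in parse_export(text):
        action, reason, idle_days = evaluate(acct, now, dormant_days)
        records.append({
            "username": acct.username,
            "account_type": acct.account_type,
            "action": action,
            "reason": reason,
            "idle_days": idle_days,
            "reviewed_at": as_of,
            "reviewed_by": reviewer,   # who or what made the decision, for the records
        })
    return records


if __name__ == "__main__":
    for rec in review_accounts(SAMPLE_EXPORT, "2024-05-15", reviewer="iam-review-bot"):
        print(f"{rec['username']:<12} {rec['action']:<8} {rec['reason']}")
```

The script only produces decisions and audit records; wiring the "disable" actions to your directory's API, and feeding the records into the ticketing or logging system your HR offboarding process already uses, is the integration step each environment does differently. The `dormant_days` parameter lets the same check run at the 30/60/90-day intervals mentioned above as well as the 45-day CIS threshold.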