A recent report by Varonis Systems caught our attention because it illustrates how easily some basic security practices can be overlooked in the crush of day-to-day work.
Varonis released an analysis of more than 235 million folders it examined on file servers at 80 client sites. It found that more than 48 million of them – that’s 20% – were open to “global access groups,” meaning that, in effect, anyone in the organization could read them.
The report also said that the typical company has hundreds of openly accessible files that contain sensitive information.
But what really caught our eye was the data about user accounts and passwords. The audit found 448,000 accounts that were unused but still enabled, an average of 5,500 accounts per site. Typically, these accounts were set up for short-term use or belong to people who have left the company but still have active logins. The auditors also found half a million user accounts with non-expiring passwords, meaning that attackers would have unlimited time to crack them and indefinite access thereafter.
Neither of these findings is surprising; busy administrators can easily overlook details like cleaning out old accounts or plan to get them later and never follow through. Some people also request exemption from the password expiration policy for the sake of convenience. If their title has a “VP” in it, that request is likely to be granted.
But both of these oversights are recipes for disaster. Take unused accounts. It isn’t hard for an attacker to guess which accounts may be dormant at any given company. Simply search LinkedIn for people who recently changed companies, then try common variants of their login names: firstname.lastname@example.org, email@example.com, etc. Searching on those email addresses may also turn up a hit.
An attacker can then try to log in using commonly used passwords. Given that 17 percent of people use the password “123456”, it won’t be long before one of those guesses yields a hit. Once inside, the crook has access to anything that user could see, which, according to this report at least, is probably a lot.
Non-expiring passwords are just a bad practice. About the only time they make sense is when the account has no privileges, such as a Wi-Fi login at a hotel. Otherwise, users should be limited to no more than five login attempts before they’re locked out and have to call an administrator. The argument against password expiration is that the policy encourages people to write down their passwords, which increases the possibility of theft. Our advice is simple: use a password manager.
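The two findings above are easy to check for yourself. As an added example (not from the report or the post), here is a Python audit over a constructed directory export that flags enabled accounts with no recent logon and enabled accounts exempted from password expiry; the attribute names and userAccountControl bits are Active Directory's, the idle threshold of 90 days is an assumption, and the sample records are made up.

```python
"""Flag the two findings discussed above in a directory export: enabled accounts with
no recent logon, and enabled accounts whose password never expires (sample is constructed)."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits as defined in the AD schema
UAC_ACCOUNTDISABLE, UAC_NORMAL_ACCOUNT, UAC_DONT_EXPIRE_PASSWORD = 0x0002, 0x0200, 0x10000

def is_enabled(acct): return not acct["userAccountControl"] & UAC_ACCOUNTDISABLE

def dormant_enabled(accounts, now, max_idle_days=90):
    """Enabled accounts idle > max_idle_days; a never-used account counts only once it is that old."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for a in accounts:
        if not is_enabled(a): continue  # disabled accounts are not a logon path
        last_seen = a.get("lastLogonTimestamp") or a["whenCreated"]  # never logged on: use creation
        if last_seen < cutoff:
            stale.append(a["sAMAccountName"])
    return stale

def non_expiring(accounts):
    """Enabled accounts exempted from password expiry."""
    return [a["sAMAccountName"] for a in accounts
            if is_enabled(a) and a["userAccountControl"] & UAC_DONT_EXPIRE_PASSWORD]

def summarize(accounts, now, max_idle_days=90):
    """Counts in the shape the report quotes: number and share of accounts."""
    dormant = dormant_enabled(accounts, now, max_idle_days)
    return {"total": len(accounts), "dormant_enabled": dormant,
            "pct_dormant_enabled": round(100 * len(dormant) / len(accounts), 1),
            "non_expiring": non_expiring(accounts)}

# Constructed sample export (not real accounts); ages are days relative to NOW
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
def _rec(name, uac, created_days_ago, last_logon_days_ago):
    return {"sAMAccountName": name, "userAccountControl": uac,
            "whenCreated": NOW - timedelta(days=created_days_ago),
            "lastLogonTimestamp": None if last_logon_days_ago is None
            else NOW - timedelta(days=last_logon_days_ago)}

SAMPLE = [
    _rec("jsmith", UAC_NORMAL_ACCOUNT, 900, 3),           # active user
    _rec("contractor7", UAC_NORMAL_ACCOUNT, 400, 200),    # left the company, still enabled
    _rec("temp-intern", UAC_NORMAL_ACCOUNT, 120, None),   # short-term account, never used
    _rec("new.hire", UAC_NORMAL_ACCOUNT, 5, None),        # not yet logged on, not stale
    _rec("vp.finance", UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD, 2000, 1),  # expiry exemption
    _rec("old.svc", UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE | UAC_DONT_EXPIRE_PASSWORD, 2000, 400),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, NOW))
```

Feed it the output of an LDAP or Get-ADUser export with the same attributes and the disabled and recently created accounts drop out, leaving only the ones worth a ticket.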