Automation Lessens Zombie Account Risks

When administrations change, high turnover compounds ongoing cybersecurity risks. IT teams turn to automation to help.


The remnants of a stint in the federal workforce can include agency-logo coffee mugs and pictures with elected or appointed bosses, but still-active IT accounts should not be among the occupational leftovers.

While so-called “zombie accounts” that can be revived by an attacker always represent a problem, the typically large volume of resignations handled at the end of a presidential term magnifies the risks.

“Plenty of things can happen from that kind of entry point,” says Christian Sorensen, a cyber risk expert who served stints in the U.S. Air Force, the National Security Agency and the Defense Department’s Cyber Command. “They can try to get to other systems and other levels of authority.”

A February report from the Cybersecurity and Infrastructure Security Agency outlines one such attack on an unspecified state government organization’s network. The attackers first took over a former employee’s account, probably helped by the fact that the user’s credentials had previously been leaked and published online and that the account was not protected by multifactor authentication.


Despite years of directives to implement MFA, its absence remains a widespread problem called out in a dismal January 2023 assessment from the Interior Department’s inspector general and in other reports. 

The attackers leveraged their access to obtain administrator credentials stored locally, collect documents and post them on a dark-web brokerage. Only then did the government organization discover the hack.

“That’s the problem with a zombie account: No one knows something bad is happening,” explains Jeff Reich, executive director of the Identity Defined Security Alliance.

Finish Orderly by Starting with Orderly Identity Management

Bring a checklist mindset to offboarding employees; that discipline must begin with orderly identity management when they are hired.

Source: Ponemon Institute, 2022 Cost of Insider Threats Global Report, April 2022

Document and follow a detailed process to create as well as shut down accounts, and take regular inventories of accounts and credentials on at least a quarterly basis. Be sure to include clean-slate resets of credentials during job changes, Reich recommends.

Treat every job change as a departure and a new hire, even if an employee is just moving up the ranks. Access should never simply accumulate.

Keep IT and HR systems in sync. Automation plays a particularly valuable role here: Automate connectivity between HR tools and account provisioning tools, which requires more than simply checking lines on a spreadsheet. Connectivity should include flagging employee exits initiated for nonperformance or other cause; such departures bring higher odds of agencies missing a step due to their unexpected nature. Disable those accounts as soon as possible.

How to Automate Offboarding

An enterprise automation platform lets teams connect applications and listen to them for events or triggers. To automate offboarding, teams specify the triggers or workflows they wish to automate, such as the HR-to-provisioning sync described above. Offboarding processes that teams typically automate include deprovisioning, or removing access to applications, platforms and hardware or other equipment; and alert routing, which notifies stakeholders whenever concerning behaviors take place.

After identifying and prioritizing the workflows or events to be automated, use the automation platform to connect all relevant applications and tools, then build out triggers and corresponding sets of actions. When an employee is marked for offboarding in an HR tool, a workflow can be triggered, and the IT ticketing application can create and assign all tickets related to offboarding duties. Secure access tools can be triggered to shut off laptop access based on an employee’s date of departure.
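An added example, not from the article or any vendor platform, of the trigger-to-actions logic described above in Python: a constructed HR separation or transfer event becomes a set of offboarding tickets and a disable date, with for-cause exits cut off immediately and job changes treated as a departure plus a new hire. The event shape, field names and ticket names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed HR events, shaped like what an HR system webhook might emit.
# Field names (employee_id, status, departure_date, reason) are assumptions.
HR_EVENTS = [
    {"employee_id": "E1001", "status": "separation", "departure_date": "2025-01-17", "reason": "resignation"},
    {"employee_id": "E1002", "status": "separation", "departure_date": "2025-01-31", "reason": "for_cause"},
    {"employee_id": "E1003", "status": "transfer", "departure_date": "2025-02-01", "reason": "promotion"},
    {"employee_id": "E1004", "status": "active", "departure_date": None, "reason": None},
]

# Checklist tickets every departure gets (names are assumptions).
BASE_TICKETS = ["disable-accounts", "collect-cac-and-hardware", "backup-then-wipe-devices", "reclaim-licenses"]


@dataclass
class OffboardingPlan:
    employee_id: str
    disable_on: date        # the day access is shut off
    tickets: list[str]      # tickets the ticketing tool should open and assign
    alert_security: bool    # route an alert to stakeholders


def plan_offboarding(event: dict, today: str) -> OffboardingPlan | None:
    """Turn one HR event into a deprovisioning plan, or None if no action is due."""
    if event["status"] not in ("separation", "transfer"):
        return None
    today_d = date.fromisoformat(today)
    departure = date.fromisoformat(event["departure_date"])
    tickets = list(BASE_TICKETS)
    # A job change is a departure plus a new hire: credentials are reset, not carried over.
    if event["status"] == "transfer":
        tickets.append("reprovision-for-new-role")
    # For-cause exits are disabled at once instead of waiting for the scheduled departure date.
    for_cause = event["reason"] == "for_cause"
    disable_on = min(departure, today_d) if for_cause else departure
    return OffboardingPlan(event["employee_id"], disable_on, tickets, alert_security=for_cause)


def plans_due(events: list[dict], today: str) -> list[OffboardingPlan]:
    """Plans whose disable date has arrived: the actions the platform should fire today."""
    today_d = date.fromisoformat(today)
    plans = [p for p in (plan_offboarding(e, today) for e in events) if p]
    return [p for p in plans if p.disable_on <= today_d]
```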

A Good Offboarding Checklist Adheres to Zero Trust

The zero-trust to-do list issued by the Office of Management and Budget under President Biden includes additional guidance for offboarding: “Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms,” per January 2022 guidance from then-acting Director Shalanda Young.

Other automation opportunities include routine scans for accounts without recent logins. Doing so won’t stop takeover attempts immediately following an employee’s departure, but at least it prevents unused accounts from piling up. 
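An added example, not from the article, of such a dormant-account scan in Python over a constructed directory export; the 90-day threshold and the record field names are assumptions. An account that has never logged in ages from its creation date, so a brand-new hire is not flagged while a long-forgotten account with no logins is.

```python
from datetime import datetime, timedelta

# Constructed directory export, one record per account. Field names are assumptions.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "created": "2023-03-01T00:00:00+00:00", "last_login": "2025-01-15T09:12:00+00:00"},
    {"user": "asmith", "enabled": True, "created": "2022-06-10T00:00:00+00:00", "last_login": "2024-08-02T14:30:00+00:00"},
    {"user": "newhire", "enabled": True, "created": "2025-01-10T00:00:00+00:00", "last_login": None},
    {"user": "oldsvc", "enabled": True, "created": "2021-01-01T00:00:00+00:00", "last_login": None},
    {"user": "retired", "enabled": False, "created": "2020-01-01T00:00:00+00:00", "last_login": "2023-01-01T00:00:00+00:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def find_dormant(accounts, now_iso, max_idle_days=90):
    """Enabled accounts whose last login (or creation, if never used) is older than the threshold."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        # Never-logged-in accounts age from creation, so a new hire is not a false positive.
        last_seen = _parse(acct["last_login"]) or _parse(acct["created"])
        if last_seen < cutoff:
            dormant.append({
                "user": acct["user"],
                "idle_days": (now - last_seen).days,
                "never_logged_in": acct["last_login"] is None,
            })
    # Oldest first, so the longest-neglected accounts are handled first.
    return sorted(dormant, key=lambda d: -d["idle_days"])
```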

A departure checklist should also include hardware collection, starting with an employee’s Common Access Card. Back up employee data as required by retention policies before wiping it from all devices, and close out software licenses as necessary to avoid so-called shelfware problems, or wasted funds for licenses and product seats that go unused.

Study the National Institute of Standards and Technology’s Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations” (last revised in late 2020), for specific guidance on what must be collected, wiped and shut off. Add each of those details to the offboarding checklist, and update this list as new software or tools are issued to employees or specific teams.  

Remember that cloud storage can simplify some of the hassle of such management, while employees taking documents to work from home on personal devices will complicate it greatly.

Do This Every Four Years

The massive turnover at the end of a presidential term, even if there’s no change of administration, makes having a current inventory of accounts that much more important. 

The Executive Office of the President sees enough staff changes that management must stagger their departures, typically phasing them out about two weeks before inauguration. Records management proves trickier at the EOP, because some employees there work under the Presidential Records Act while others operate under the Federal Records Act.

Although the scale of staff exits varies across other federal agencies, the work of disabling departing staffers’ accounts can all too easily be set aside as IT teams focus exclusively on processing the new people coming in.

Assign one or two team members to focus solely on monitoring offboarding processes, deadlines and benchmarks, and ensuring accounts are in fact disabled. Such assignments can also ensure that managers remain on guard for automated systems glitches and avoid unfortunate offboarding debacles, such as allowing a clearance-monitoring system to disable the wrong people’s access to classified data.