Steve ThomsonImplementing Cyber Asset Management to Eliminate Dormant Accounts and Inactive Workstations
With companies having to deal with an increasing number of potential targets for cyberattack, there has been a growing emphasis on managing their attack surface. The use of CAASM (Cyber Asset Attack Surface Management) has become more prominent as a result.
Much of the talk around CAASM is focused around three subsets.
- CAM (Cyber Asset Management) - discovering workstations accessing corporate resources that the IT team don’t know about.
- Cyber Hygiene - identifying workstations and servers that are not properly protected.
- IAM (Identity Access Management) - managing the user accounts and privileges.
Dormant Accounts and Inactive Workstations, however, continue to be overlooked, despite the impact on security and the significant cost implications.
Why do Dormant Accounts pose a risk?
User accounts that have not been used for an extended period but have not been disabled or removed are referred to as Dormant Accounts. These accounts may belong to former employees, contractors, or vendors who no longer require access to your cloud systems or data. Not only do they pose a security risk as a potential entry point, but they are still being paid for.
Ideally the onboarding/offboarding procedures are bullet-proof and this problem doesn’t exist. In practice though, when managing large estates with significant changes in both personnel and services year-on-year, it is extremely challenging to maintain a tight ship. An overarching asset management system that connects to all the different cloud systems, can clearly identify these redundant accounts.
The good news is, that once identified, they are easy to tidy up, close the security gaps and reap the cost savings. We have seen some quite staggering cost savings achieved from redundant accounts. It should be remembered that this is not a one-off job, continual independent monitoring of the whole estate’s assets and cloud services is essential to maintain the correct access permissions.
How are Inactive Workstations a risk?
Computers or devices that have not been used for an extended period or have been retired, but not decommissioned, are known as Inactive Workstations. These machines can pose a significant security risk as they may contain sensitive data or software that is no longer patched or updated. They may also have software installed that is being paid for on a subscription but no longer needed.
Identifying inactive workstations can be a challenge, even more so than dormant accounts, but it is critical for ensuring the security of the entire estate. To determine whether a workstation is inactive, it is important to look beyond a single security tool. Agents can malfunction (surprisingly common), fail upgrades, or be uninstalled, and any of these scenarios could lead to the workstation appearing to be offline in an individual security console. If an inactive workstation is identified, it should be removed from all directory services and security consoles.
Utilising CAM to overcome the challenge.
Every IT team is aware of this challenge and will have utilised one or more of the following to manage their assets; SIEMs, CMDBs, Network scanners, InTune, spreadsheets, or any other single agent-based software. However, all of them will only show part of the picture of an IT environment. In today's fragmented IT space, it is only possible to build a total and accurate understanding of an entire environment by ingesting, correlating, and aligning all the relevant data sources from each cloud service and security tool. Consolidating this into a Cyber Asset Management platform, to create a single source of truth, will not only discover all the dormant accounts and inactive machines, but also enable asset discovery and security control verification.