Unauthorized IT Admin Accounts
by Tim Keeler, on Feb 25, 2016
Admin accounts have been around for decades because they have been viewed largely as a benefit to the company, despite the inherent risks that come with them. As technology continues to evolve at a rapid pace, it has become essential that businesses continuously inventory these accounts to protect the data that can be reached through them. The initial purpose of these accounts was to provide access to many different systems through a single login, or in some cases a few predetermined logins, which avoided having to create IT accounts narrowly specialized to each user’s role.
At the time this was a logical decision, but there have been many instances when admin accounts have proven to carry higher security risks than benefits.
Because of risks ranging from IT staff creating their own unauthorized accounts to personnel gaining access to areas they should not be able to enter, it is perhaps time to stop using this method of granting access to vast amounts of data and privileges. Security vendors are developing better ways of granting IT staff limited privileges only when they are needed.
What Is an Admin Account?
Administrator accounts, more commonly called admin or privileged accounts, give IT staff a way to access systems and complete tasks for the company. You can call them a necessary evil: IT staff need to reach many different areas to do their work. Typically they do so under an umbrella login, the admin account, so that the company does not have to create several individual accounts that each have access to nearly every part of the company. This has been considered one of the best ways to provide access, since IT staff then do not hold other departments’ access when logged in as themselves.
Where It Goes Wrong
One of the biggest drawbacks of a shared admin account is that it lacks an audit trail. When six people in a department can all use the same account, there is no way to tell who did what. The risk is greater still if the credentials are posted somewhere accessible to anyone in the company, or even to walk-ins. It is not unheard of for an IT department or executives to store admin credentials in an unsecured place, and for that information to be stolen and exploited by people who were not authorized to use the account.
Another serious defect of admin accounts is that they can act as a backdoor for untrustworthy people if the accounts are not known to exist, or if they are not closed once they are replaced with something else. For example, someone in the IT department who does not want to spend hours in the server room when there is a problem can create an admin account and do the same work from a desk located elsewhere. In all likelihood that admin account was never authorized, so no one knows it exists. When that employee leaves, the account can still be used to reach the same information, and since no one else knows about it, no one knows that it needs to be closed.
Even when admin accounts are legitimate, you have to inventory them continuously to ensure they are monitored and maintained according to current practice. If an account is no longer required, remove it as quickly as possible so that the company’s data is not compromised.
There are companies that actually make their admin credentials available to a wide range of employees, many of whom do not need that level of access. In these situations the password is usually a “worst kept secret”, and there is no tracking of who accesses areas that really need to be secured. Continuous inventorying of these accounts can help, but what is really needed is much stricter control over the credentials themselves.
Columbia Sportswear and Denali – An Admin Account Cautionary Tale
The legal case that Columbia Sportswear brought against a former employee is a case study in just how dangerous admin accounts can be. A former Columbia Sportswear employee left to work at Denali. The legal action alleged that the employee created an administrator account before leaving and, once gone, accessed that account more than 700 times. In addition to this admin account that no one else knew about, he allegedly accessed an old admin account that had been created for ongoing monitoring of network activity.
Columbia Sportswear is a sporting goods company, and Denali is a software company. The problem was that the former employee was reading the email of Columbia Sportswear employees to see what decisions were being made, particularly regarding the IT infrastructure. The former employee appears to have helped Denali gain an advantage over other software vendors. Most notably, Denali became an approved Pure Storage reseller after the former employee learned that Columbia Sportswear was looking for someone to provide those services.
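As an added example (not code from the original post), the script below reconciles an enumerated set of privileged accounts against an approved register and an HR departure list, and flags the failure modes from the “Where It Goes Wrong” section and from the Columbia Sportswear case: accounts nobody approved, accounts whose owner has left, accounts created shortly before that departure and used afterwards, accounts with no recent use, and a single account used from many sources, which is what a shared login with no audit trail looks like in the logs. All account names, people, dates, addresses and the 30-day and 90-day thresholds are constructed assumptions; in practice the inputs would come from a directory export, an HR feed and the authentication logs.

```python
"""Reconcile discovered privileged accounts against an approved register.

Added example, not from the original post. All accounts, people, dates,
source addresses and the 30-day / 90-day thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class AdminAccount:
    name: str
    owner: str      # person or team accountable for the account
    created: date


@dataclass(frozen=True)
class Logon:
    account: str
    when: datetime
    source: str     # host or IP the logon came from


# The register: accounts the security team has approved, and who owns each.
APPROVED = {"svc-backup": "ops-team", "admin-shared": "it-dept", "jdoe-adm": "jdoe"}

# HR feed: people who have left, with their last day (constructed).
DEPARTED = {"jdoe": date(2016, 1, 15)}

# What enumeration of the directory actually found (constructed).
DISCOVERED = [
    AdminAccount("svc-backup", "ops-team", date(2014, 3, 1)),
    AdminAccount("admin-shared", "it-dept", date(2012, 6, 1)),
    AdminAccount("jdoe-adm", "jdoe", date(2015, 2, 1)),
    AdminAccount("netmon-adm", "jdoe", date(2016, 1, 10)),  # five days before jdoe left
]

# Constructed logon records from the audit log.
LOGONS = [
    Logon("admin-shared", datetime(2016, 2, 1, 9, 0), "10.0.0.5"),
    Logon("admin-shared", datetime(2016, 2, 1, 9, 5), "10.0.0.9"),
    Logon("admin-shared", datetime(2016, 2, 1, 10, 0), "10.0.0.12"),
    Logon("jdoe-adm", datetime(2016, 1, 20, 8, 0), "10.0.0.30"),
    Logon("netmon-adm", datetime(2016, 2, 3, 22, 15), "203.0.113.7"),
    Logon("netmon-adm", datetime(2016, 2, 4, 1, 30), "203.0.113.7"),
]


def reconcile(discovered, approved, departed, logons, now,
              stale_days=90, pre_departure_days=30, shared_min_sources=2):
    """Return (kind, account, detail) findings for each inventory failure mode."""
    logons_by_account = {}
    for entry in logons:
        logons_by_account.setdefault(entry.account, []).append(entry)

    findings = []
    for acct in discovered:
        events = logons_by_account.get(acct.name, [])

        # 1. Account nobody approved: the secret backdoor case.
        if acct.name not in approved:
            findings.append(("UNAPPROVED", acct.name,
                             "not in the approved register (owner %s)" % acct.owner))
        elif approved[acct.name] != acct.owner:
            findings.append(("OWNER_MISMATCH", acct.name,
                             "register says %s, directory says %s"
                             % (approved[acct.name], acct.owner)))

        # 2. Owner has left: the account should be gone, and any logon since
        #    the last day, or creation just before it, is the Columbia pattern.
        if acct.owner in departed:
            left = departed[acct.owner]
            findings.append(("ORPHANED", acct.name, "owner %s left on %s" % (acct.owner, left)))
            if acct.created >= left - timedelta(days=pre_departure_days):
                findings.append(("CREATED_BEFORE_DEPARTURE", acct.name,
                                 "created %s, %d days before owner left"
                                 % (acct.created, (left - acct.created).days)))
            after = [e for e in events if e.when.date() > left]
            if after:
                findings.append(("POST_DEPARTURE_LOGON", acct.name,
                                 "%d logons after %s from %s"
                                 % (len(after), left, sorted({e.source for e in after}))))

        # 3. No recent use: candidate for removal.
        last = max((e.when for e in events), default=None)
        if last is None or now - last > timedelta(days=stale_days):
            findings.append(("STALE", acct.name,
                             "last logon %s" % (last.date() if last else "never")))

        # 4. One account, many sources: the shared login with no audit trail.
        sources = {e.source for e in events}
        if len(sources) >= shared_min_sources:
            findings.append(("SHARED_USE", acct.name, "used from %s" % sorted(sources)))
    return findings


def run_example(now=datetime(2016, 2, 25)):
    return reconcile(DISCOVERED, APPROVED, DEPARTED, LOGONS, now)


def kinds(findings, account):
    return {kind for kind, name, _ in findings if name == account}


if __name__ == "__main__":
    for kind, name, detail in run_example():
        print("%-24s %-14s %s" % (kind, name, detail))
```

On the constructed data the unapproved netmon-adm account, created five days before its owner left and logged into twice afterwards from an outside address, collects four findings; the approved admin-shared account is flagged only for use from three different sources, which is the signal that a shared password is in circulation. The thresholds are deliberately parameters: a 90-day staleness window and a 30-day pre-departure window are reasonable starting points, not standards.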
Of course, there are many more examples of admin accounts being exploited, particularly by black hats who discover the admin credentials, but this is no less of a cautionary tale. There are many reasons to create and provision admin accounts, but many of them are not in the company’s best interest. Without continuous inventorying of these accounts, you leave yourself open to abuse by current and former IT staff as well as by outside attackers. At a minimum, you need to ensure that your admin accounts are secured and that there are no secret admin accounts. Continuous inventorying is one solution that can help establish who accessed what, and from where. This not only improves security but also helps with audit and compliance reporting.