Do you know how many inactive accounts you have on your network? I know this can be a difficult number to determine sometimes.
For most of you, Microsoft Active Directory is "the source of truth." It syncs to Azure/Entra and/or Google Apps and elsewhere.
Most of your one-to-one student initiatives with Chromebooks and other devices don't directly log into that directory. This complicates understanding what is going on.
Plus, you have specialty IDs that someone thought were a good idea fifteen years ago to create for something you quit doing ten years ago.
The reality is that the bad guys are looking for IDs you have lost track of. They are counting on finding them and setting up shop using them.
Over the last two years, 100% of the attacks I have been involved in leveraged IDs like "scan" and "info."
They are boring names.
They blend into the list.
You need a continual process to audit your IDs and purge every unnecessary one, starting with IDs that have administrative rights. If you are unsure of an ID's purpose, disable it for a month and see what breaks or who complains. Then come back and delete it.
Many folks are pretty good at disabling but never make it back for deletion. The bad guys often re-enable these IDs because they know no one is paying attention to a disabled ID. You need to be disciplined in your processes to deny them the opportunity.
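One way to keep that discipline is to record the date each ID was disabled and re-check the directory against that record on every audit run. The sketch below is an added example, not a tool from this post or from Acture/CSI; the field names, the register of disabled IDs, the 90-day inactivity threshold and the sample accounts are all assumptions made for illustration.

```python
from datetime import date

INACTIVE_DAYS = 90  # assumption: the post does not name an inactivity threshold
HOLD_DAYS = 30      # the post's "disable them for a month"

def triage(accounts, disabled_register, today):
    """Return account names grouped by the action the audit process calls for.

    accounts: dicts with name, enabled, is_admin, last_logon (date or None)
    disabled_register: {name: date the audit disabled it}, kept by the auditor
    """
    buckets = {"re_enabled": [], "disable": [], "delete": []}
    for acct in accounts:
        disabled_on = disabled_register.get(acct["name"])
        if acct["enabled"] and disabled_on is not None:
            # The audit disabled this ID and it is live again: investigate.
            buckets["re_enabled"].append(acct)
        elif acct["enabled"]:
            last = acct["last_logon"]
            if last is None or (today - last).days >= INACTIVE_DAYS:
                buckets["disable"].append(acct)
        elif disabled_on is not None and (today - disabled_on).days >= HOLD_DAYS:
            # Hold period is over and nobody complained: finish the job.
            buckets["delete"].append(acct)
    # Administrative IDs go to the top of every list.
    return {
        action: [a["name"] for a in sorted(
            found, key=lambda a: (not a["is_admin"], a["name"]))]
        for action, found in buckets.items()
    }

# Constructed sample data, not taken from any real directory.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = {"scan": date(2024, 3, 1), "lab-kiosk": date(2024, 4, 10),
                   "temp-vendor": date(2024, 5, 25)}
SAMPLE_ACCOUNTS = [
    {"name": "scan", "enabled": True, "is_admin": False, "last_logon": date(2024, 5, 30)},
    {"name": "info", "enabled": True, "is_admin": False, "last_logon": date(2023, 1, 15)},
    {"name": "old-backup-admin", "enabled": True, "is_admin": True, "last_logon": None},
    {"name": "jsmith", "enabled": True, "is_admin": False, "last_logon": date(2024, 5, 28)},
    {"name": "lab-kiosk", "enabled": False, "is_admin": False, "last_logon": date(2022, 9, 1)},
    {"name": "temp-vendor", "enabled": False, "is_admin": False, "last_logon": date(2024, 2, 2)},
]

if __name__ == "__main__":
    for action, names in triage(SAMPLE_ACCOUNTS, SAMPLE_REGISTER, SAMPLE_TODAY).items():
        print(f"{action}: {', '.join(names) or '-'}")
```

Accounts that only authenticate through a synced service, such as the student Chromebook case above, can show a stale directory logon date, so confirm against that service before disabling them.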
You already know that the Comptroller's office technology audits will beat you up on this issue.
And they have good reason to do so.
We have various auditing and vulnerability management tools to help you easily identify and visualize your position regarding disabled and inactive IDs and computers.
They will help you avoid tripping the search criteria the Comptroller's office will use and dramatically improve your overall network security posture.
Call us to discuss how you can better manage your IDs.
-Scott Quimby, Senior Technical Advisor, CISSP
Acture/CSI