Account management: The underestimated risk of forgotten user accounts

10 April 2024

Account management is an important part of cyber hygiene, which includes measures to defend against digital threats and maintain the integrity of systems and data.  A well-organised environment helps to maintain visibility and is essential for IT security.

What is an account and what is account management?

Account management, meaning the comprehensive management of accounts and their access credentials, is a security practice that often receives too little attention. Accounts that are not managed properly easily become unintended gateways for attackers. Several international cybersecurity guidelines and standards include specific requirements on account management; the Center for Internet Security's CIS Controls, for example, dedicate a control to it (Control 16, "Account Monitoring and Control", in version 7.1 and Control 5, "Account Management", in version 8). As part of Identity and Access Management (IAM), account management refers to the processes and tools used to create accounts and to assign and manage their privileges: user accounts, including administrator accounts, as well as service accounts and the accounts that applications and other corporate resources use.

An account is a digital identity that allows a particular user, service or device to access specific resources, services or functions in a computer system, network or application. It typically consists of an identifier (the username) and one or more authenticators (a password, key, certificate or token) with which the holder logs on and is granted the account's permissions. Accounts can exist locally on a specific system or device, or be managed centrally, for example by a cloud identity provider or a directory service for an entire corporate environment.

Why is account management so important in IT access management?

In general, accounts with high access privileges and accounts that have not been used for a long time are considered particularly critical. Their use should therefore be monitored continuously so that anomalies, such as a login on an account that has been dormant for months or on one that is supposed to be disabled, are noticed promptly. Accounts that remain inactive should be disabled to remove them as an avenue of attack.
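The monitoring described above can be reduced to a few checks of an authentication log against the account inventory. The following Python script is an added example written for this page, not code from the original article or from IKARUS: it flags successful logins on accounts that have been dormant longer than a threshold, any activity on disabled accounts, and activity on accounts the inventory does not know about. The inventory, the log lines and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""Review an authentication log against an account inventory.

Added example: inventory, log lines and thresholds are constructed for
illustration and are not real data.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90  # assumption: a successful login after this many idle days is an anomaly

# Constructed inventory: last known activity, status and privilege level per account.
ACCOUNTS = {
    "jdoe":        {"last_seen": "2024-03-28T09:12:00", "status": "active",   "privileged": False},
    "contractor7": {"last_seen": "2023-11-02T17:40:00", "status": "active",   "privileged": False},
    "m.former":    {"last_seen": "2023-06-15T08:00:00", "status": "disabled", "privileged": True},
    "svc_backup":  {"last_seen": "2024-04-01T02:00:00", "status": "active",   "privileged": True},
}

# Constructed log in the form "<ISO timestamp> <user> <success|failure> <source IP>".
AUTH_LOG = """\
2024-04-09T08:01:13 jdoe success 10.0.4.21
2024-04-09T08:05:44 contractor7 success 10.0.9.77
2024-04-09T08:06:02 m.former failure 203.0.113.5
2024-04-09T08:06:05 m.former success 203.0.113.5
2024-04-09T09:30:00 svc_backup success 10.0.4.9
2024-04-09T09:31:00 nobody_here failure 10.0.4.9
2024-04-09T10:00:00 contractor7 success 10.0.9.77
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source)."""
    ts, user, result, source = line.split()
    return datetime.fromisoformat(ts), user, result, source


def review_auth_log(log_text, accounts, dormant_days=DORMANT_DAYS):
    """Return (timestamp, user, finding, source) tuples for suspicious events.

    Works on a copy of the inventory so that a dormant account is reported on
    its first reappearance only; its later logins count as recent activity.
    """
    state = {u: dict(a, last_seen=datetime.fromisoformat(a["last_seen"]))
             for u, a in accounts.items()}
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result, source = parse_line(raw)
        acct = state.get(user)
        if acct is None:
            # Any activity on an account the inventory does not know about is a
            # finding in itself: either the inventory is incomplete or the account
            # was created outside the agreed process.
            findings.append((ts, user, "unknown_account", source))
            continue
        if acct["status"] == "disabled":
            # A disabled account must neither succeed nor even be tried against.
            kind = "disabled_account_login" if result == "success" else "disabled_account_attempt"
            findings.append((ts, user, kind, source))
            continue
        if result != "success":
            continue
        if ts - acct["last_seen"] > timedelta(days=dormant_days):
            findings.append((ts, user, "dormant_account_login", source))
        acct["last_seen"] = ts  # the login itself is now the most recent activity
    return findings


if __name__ == "__main__":
    for ts, user, kind, source in review_auth_log(AUTH_LOG, ACCOUNTS):
        print(f"{ts.isoformat()}  {user:<12} {kind:<26} from {source}")
```

Run against the constructed data, the script reports the first `contractor7` login as a dormant-account login (the second one is not repeated, because the first login updated the account's last activity), both events on the disabled `m.former` account, and the attempt on the unknown `nobody_here`; `jdoe` and `svc_backup` produce nothing. In a real deployment the inventory would come from the directory or IAM system and the log from the authentication service, and the dormant-login finding on a privileged account would warrant a higher severity.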

Even seemingly insignificant access should not be overlooked, so that even the smallest gaps are identified and closed. Accounts that appear trivial can still be dangerous because they provide a foothold on a system. Minimal access to an internal system is often enough to exploit further weaknesses: an attacker can use it to bypass access restrictions, escalate privileges or perform other malicious actions. A system compromised in this way is a sufficient gateway to move laterally through the internal network and attack further systems. Several significant cyber security incidents in the past have been attributed to precisely such causes.

Which types of accounts have high priority?

Manufacturer default accounts are a popular gateway. Many devices and systems ship with preset default usernames and passwords to make the initial setup of software, operating systems or devices easier. These credentials are publicly documented, and therefore known to attackers. Cybercriminals use automated tools to scan the Internet quickly and cheaply for systems on which default accounts are still active.

Expired and unused accounts can also be a major security risk: accounts of former employees or temporary team members, or customer and guest accounts that are no longer in use. All of these can become back doors for which it is no longer clear who holds the credentials. Without monitoring, unauthorised access attempts on them easily go unnoticed. In addition, such accounts often have outdated passwords or security settings that were never updated, which makes them easier to compromise.

What are the recommendations and best practices for account management?

The importance of managing and controlling access data is emphasised in any comprehensive security model. This is often a subset of “access management” for IT resources. Account management covers several important precautions and aspects, including:

  • Default accounts and passwords: These should be changed or removed immediately. All affected systems in your own environment should be identified and cleaned up, including building automation, air-conditioning and room-control systems and similar low-profile IoT devices.
  • Regular review and inventory: Maintain an inventory of all accounts and review it regularly. Temporary accounts should always be created with a realistic automatic expiry date. Inactive accounts should be deactivated after a defined period of inactivity (CIS Controls v8, Safeguard 5.3, suggests 45 days where the platform supports it) to remove the opportunity for further attacks. Accounts that are no longer needed should be deactivated and, if possible, deleted completely. This reduces the attack surface.
  • Access controls and privilege management: Limit the privileges of every account, default and standard user accounts included, to the minimum necessary for its purpose. Accounts with high privileges, such as administrative and configuration rights, should never be used for day-to-day work; administrators should use a separate, dedicated account for privileged tasks.
  • Training and awareness: Make employees aware of the risks of poor account management and train them in how to deal with them.
  • Account sharing: Avoid accounts that are shared by more than one person or device. Often created for convenience or inherited from the past, such accounts pose a particularly high risk: over time it becomes unclear who has the credentials, who still uses them and who still needs access, and their use cannot be attributed to an individual.
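The review items above can be applied mechanically to an account inventory. The following Python script is an added example written for this page, not code from the original article or from IKARUS: it runs each of the checks (default credentials never changed, temporary accounts without or past their expiry, accounts inactive beyond a threshold, accounts that are shared or have no owner, and disabled accounts that are stale enough to delete) over a constructed inventory and returns one finding per violated rule with a recommended action. The inventory entries, the review date and the thresholds are assumptions for illustration.

```python
"""Account inventory review implementing the best-practice list above.

Added example: the inventory, review date and thresholds are constructed for
illustration and do not describe real systems or people.
"""
from datetime import date

REVIEW_DATE = date(2024, 4, 10)  # assumption: the day the review runs
INACTIVE_DAYS = 90               # assumption: inactivity threshold for enabled accounts
STALE_DISABLED_DAYS = 180        # assumption: delete accounts disabled for longer than this

# Constructed inventory. ISO dates as strings; None means never / not set.
INVENTORY = [
    {"name": "admin", "system": "hvac-ctrl-01", "kind": "default", "enabled": True,
     "created": "2023-01-10", "password_changed": None, "last_login": "2023-01-10",
     "expires": None, "owners": [], "privileged": True},
    {"name": "root", "system": "fw-edge-1", "kind": "default", "enabled": True,
     "created": "2022-05-01", "password_changed": "2022-05-02", "last_login": "2024-04-08",
     "expires": None, "owners": ["ops"], "privileged": True},
    {"name": "j.leaver", "system": "corp-idp", "kind": "user", "enabled": True,
     "created": "2021-02-01", "password_changed": "2023-03-01", "last_login": "2023-09-20",
     "expires": None, "owners": ["j.leaver"], "privileged": False},
    {"name": "intern-2023", "system": "corp-idp", "kind": "temporary", "enabled": True,
     "created": "2023-07-01", "password_changed": "2023-07-01", "last_login": "2023-08-30",
     "expires": "2023-08-31", "owners": ["hr"], "privileged": False},
    {"name": "vendor-support", "system": "corp-idp", "kind": "temporary", "enabled": True,
     "created": "2024-02-15", "password_changed": "2024-02-15", "last_login": "2024-04-01",
     "expires": None, "owners": ["vendor-acme"], "privileged": False},
    {"name": "reception", "system": "corp-idp", "kind": "user", "enabled": True,
     "created": "2019-06-01", "password_changed": "2019-06-01", "last_login": "2024-04-09",
     "expires": None, "owners": ["a.smith", "b.jones"], "privileged": False},
    {"name": "svc_backup", "system": "backup-01", "kind": "service", "enabled": True,
     "created": "2024-03-01", "password_changed": "2024-03-01", "last_login": None,
     "expires": None, "owners": ["backup-team"], "privileged": True},
    {"name": "old-guest", "system": "corp-idp", "kind": "user", "enabled": False,
     "created": "2020-01-01", "password_changed": "2020-01-01", "last_login": "2022-03-03",
     "expires": None, "owners": ["facilities"], "privileged": False},
]


def _d(s):
    """Parse an ISO date string, passing None through."""
    return date.fromisoformat(s) if s else None


def review_inventory(inventory, today=REVIEW_DATE, inactive_days=INACTIVE_DAYS,
                     stale_disabled_days=STALE_DISABLED_DAYS):
    """Return one finding dict (name, system, finding, severity, action) per violated rule."""
    findings = []

    def add(acct, finding, action, severity=None):
        if severity is None:  # findings on privileged accounts are rated higher
            severity = "high" if acct["privileged"] else "medium"
        findings.append({"name": acct["name"], "system": acct["system"],
                         "finding": finding, "severity": severity, "action": action})

    for acct in inventory:
        # An account that has never logged in is aged from its creation date.
        last = _d(acct["last_login"]) or _d(acct["created"])
        if not acct["enabled"]:
            # Already deactivated: the only remaining question is whether to delete it.
            if (today - last).days > stale_disabled_days:
                add(acct, "stale_disabled", "delete", "low")
            continue
        if acct["kind"] == "default" and acct["password_changed"] is None:
            add(acct, "default_credentials", "change_password_or_remove", "critical")
        if acct["kind"] == "temporary":
            exp = _d(acct["expires"])
            if exp is None:
                add(acct, "no_expiry", "set_expiry")
            elif exp < today:
                add(acct, "expired_still_enabled", "disable")
        if (today - last).days > inactive_days:
            add(acct, "inactive", "disable")
        if len(acct["owners"]) != 1:
            add(acct, "shared_or_unowned", "assign_single_owner")
    return findings


if __name__ == "__main__":
    for f in review_inventory(INVENTORY):
        print(f"{f['severity']:<8} {f['system']:<13} {f['name']:<15} {f['finding']:<22} -> {f['action']}")
```

On the constructed inventory the `admin` account on the air-conditioning controller collects three findings at once (never-changed default credentials, no owner, no activity for over a year), the former intern's temporary account is both expired and inactive, the vendor account has no expiry date, the shared reception account has two owners, and the long-disabled guest account is ready for deletion; `root` (password changed after setup) and the recently created service account pass. A real review would pull the inventory from the directory or IAM system, and the action column becomes the work list for the responsible administrators.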

Account management as an essential part of the cyber hygiene process

Managing access accounts to your systems and resources is an important aspect of cyber hygiene that is often overlooked. By implementing best practice security standards for managing access accounts, organisations can significantly reduce the risk of security breaches.

Any uncontrolled access to an organisation’s systems can be a potential vulnerability. Especially for low-profile systems such as IoT devices, manufacturer default accounts pose a significant security risk. Employee awareness and training, as well as regular review and adjustment of security settings, are critical. By combining different approaches, organisations can more effectively protect their systems and data from unauthorised access.

Sources:
https://www.cisecurity.org/controls/cis-controls-list
https://www.cssia.org/wp-content/uploads/2020/01/CIS_Controls_Version_7_1.pdf
