Orphan Accounts Cleaning
best practice
Summary
Attackers either create new accounts or reuse existing ones. Orphan accounts are a preferred target because their compromise is stealthier. They also enlarge the attack surface needlessly. A strong process that prevents, detects, deactivates, and deletes orphan accounts through systematic account correlation mitigates this risk.
CMM Level 1: Initial
The identification and cleaning of orphan accounts is ad hoc. Accountability for the process is not clearly established and resources are not provided by the organization. The presence of orphan accounts is largely unknown.
CMM Level 2: Repeatable
The organization provides resources for the process. Correlation of accounts is performed but its scope is not clearly defined. Some orphan accounts are regularly identified and remediated.
CMM Level 3: Defined
Procedures define requirements applicable to the prevention, identification and remediation of orphan accounts.
Roles and responsibilities for this process are clearly established. Typical actors include IT owners, business owners, system administrators, provisioning teams, and information security.
The scope and methods used for account correlation are clearly defined. If portions of the information system are not covered by the process or infrequently covered, this is documented and related risks are accepted.
Account naming conventions are authorized, documented, and maintained.
Accounts non-compliant with the authorized naming conventions are remediated.
Golden sources for identity correlation are defined.
CMM Level 4: Quantitatively Managed
The discovery and correlation of accounts is preferably automated when technically feasible. When technically unfeasible, the discovery and correlation of accounts is performed manually.
The presence of uncorrelated accounts is quantified.
The coverage of the correlation process is quantified.
The delay between uncorrelated account identification and remediation is quantified.
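The Level 4 measurements can be produced by a small correlation job. The following is an added example, not part of the original best practice: the naming convention (employee id with an optional "-adm" suffix), the golden source, the account inventory and the definition of coverage as the share of systems feeding the correlation are all constructed assumptions.

```python
import re
from datetime import date

# Assumed naming convention: employee id, optional "-adm" suffix for privileged accounts.
NAMING = re.compile(r"^(e\d{4})(-adm)?$")

# Constructed golden source (e.g. an HR export): employee id -> currently active?
GOLDEN = {"e1001": True, "e1002": False, "e1003": True}

# Constructed inventory. "identified"/"remediated" are the dates an account was
# flagged as uncorrelated and then deactivated or deleted (None = not applicable or still open).
ACCOUNTS = [
    {"system": "ldap", "login": "e1001", "identified": None, "remediated": None},
    {"system": "ldap", "login": "e1002", "identified": date(2024, 3, 1), "remediated": date(2024, 3, 11)},
    {"system": "erp", "login": "e1003-adm", "identified": None, "remediated": None},
    {"system": "erp", "login": "e1009", "identified": date(2024, 3, 4), "remediated": None},
    {"system": "erp", "login": "svc_backup", "identified": date(2024, 3, 4), "remediated": date(2024, 3, 8)},
]
ALL_SYSTEMS = {"ldap", "erp", "crm"}  # crm is not yet fed into the correlation


def correlate(login, golden=GOLDEN):
    """Classify one account against the golden source."""
    m = NAMING.match(login)
    if not m:
        return "non_compliant"  # name cannot be tied to an identity
    if golden.get(m.group(1)):
        return "correlated"     # owner exists and is active
    return "orphan"             # owner unknown or no longer active


def metrics(accounts=ACCOUNTS, all_systems=ALL_SYSTEMS):
    """Uncorrelated count, open findings, coverage and mean remediation delay."""
    uncorrelated = [a for a in accounts if correlate(a["login"]) != "correlated"]
    delays = [(a["remediated"] - a["identified"]).days
              for a in uncorrelated if a["identified"] and a["remediated"]]
    covered = {a["system"] for a in accounts} & all_systems
    return {
        "uncorrelated": len(uncorrelated),
        "open": sum(1 for a in uncorrelated if a["remediated"] is None),
        "coverage": len(covered) / len(all_systems),
        "mean_delay_days": sum(delays) / len(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in metrics().items():
        print(name, value)
```

Accounts that fail the naming convention are counted as uncorrelated rather than skipped, so they appear in the same remediation queue as accounts whose owner has left.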
CMM Level 5: Optimizing
Independent audits review both the presence of orphan accounts and the overall process.
The root causes of the presence of orphan accounts in the information system are analyzed and used to further prevent their occurrence.
See Also
Related Best Practices
https://open-measure.atlassian.net/wiki/spaces/BP/pages/1066467420
https://open-measure.atlassian.net/wiki/spaces/BP/pages/1538457929
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.