
How to Avoid Getting Spooked by Ghost Accounts and Shadow IT


It’s spooky season, but that doesn’t mean it’s the only time to heighten your security defenses against insider threats that can put your organization at risk.

While 78% of insider threats aren’t malicious, they can still have significant negative impacts on your organization’s security framework. Well-meaning employees unintentionally put corporate data at risk during the normal course of their work, often by falling prey to phishing or by sharing data through unmanaged, unapproved applications, devices, or services. And overlooked, seemingly inactive accounts belonging to previous employees, left unmonitored, can serve as an easy entry point into your organization as well.

These insider threats have the potential to haunt your dreams, but if you’re aware of them and proactively manage and monitor them, you can set your enterprise up to defend against them. This Halloween, we’re digging into ghost accounts and shadow IT and the risks that may be looming in your enterprise to shine a light on eerie behavior you should keep an eye on.

Unwrapping Ghost Accounts and Shadow IT

Ghost Accounts

There are many reasons employees separate from organizations. Whether it’s self-imposed through the Great Resignation or part of a larger tough business decision, every organization experiences turnover in some form or fashion – and the security implications of that should not be lost in the process.

Ghost accounts or ghost followers are often referenced in relation to social media, but for enterprises ghost accounts are unused online accounts of employees who are no longer affiliated with the organization. While there are many potential reasons for the separation, one thing is for certain: these accounts pose risk to enterprises.

Depending on the former employee’s previous role and level within the organization, these accounts may retain access privileges that become a vulnerability should they fall into the hands of bad actors. Since these accounts are unmonitored and not updated, and may fall outside of password policies, the potential for account takeover (ATO) using compromised credentials creates an opening into your enterprise for malicious activity.

Shadow IT

Shadow IT is the use of unapproved applications or services that fall outside the purview of the security team. Employees typically use these services innocently, but the fact is without the proper oversight, shadow IT lends itself to security vulnerabilities that can wreak havoc on your organization.

This risk is especially prevalent with Bring Your Own Device (BYOD) being so widely accepted and the threat of malware impacting organizations where unmanaged or personal devices are used for work. Moreover, the use of shadow IT should be a cause for concern because already overwhelmed IT security teams struggle to keep up with securing what they do know about; the added burden of applications they don’t know about could leave anyone running scared.

Beware the Risks of Ghost Accounts and Shadow IT

Insider threats offer more tricks than treats. Not having insights into the full attack surface can leave teams scrambling when something goes awry, like a ghost account being compromised by an ATO attack or shadow IT in the form of a personal device with a malware infection siphoning credentials that serve as the entry point for criminals.

Ghost accounts pose risks because they are an often overlooked entry point into your organization. If an account isn’t on the security team’s radar, how can they effectively monitor it? Passwords related to ghost accounts aren’t getting updated on a regular basis if at all, leaving the potential for criminals to take advantage of compromised credentials. By using stolen authentication data, bad actors can pose as a legitimate user and change access privileges to perpetrate nefarious activity within the network such as launching a ransomware attack, leaving your organization at their mercy.

This exact scenario happened at an organization where a high-level administrator passed away but their account was left active because it was connected to certain business services. A breach of that ghost account allowed criminals to access and exfiltrate corporate data, and ultimately deploy ransomware.

Shadow IT puts your organization in a vulnerable state because unmanaged or unauthorized applications or accounts also can’t be effectively monitored by the security team. What’s worse, if employees access corporate accounts on a personal device infected with malware, the malware siphons all kinds of data from an infected system including:

  • The device details
  • Authentication data like credentials and cookies for applications like SSO and VPN
  • Users’ exact credentials and the patterns in the credentials they choose, which could enable future compromises even after the infection is mitigated

These exposures are extremely serious because they’re an exact match for what the user is actually logging in with, from their browser fingerprint to their passwords, giving bad actors the literal keys to your organization. And even when security teams wipe the device of the malware, the siphoned data is already in criminals’ hands.

Don’t Get Spooked by Ghost Accounts and Shadow IT

Insider threats aren’t limited to these two examples, but being aware of these risks and how to handle them can be a first step in proactively preventing attacks that stem from these threats.

To stop ghost accounts and shadow IT from becoming your team’s next security nightmare, take these steps:

Enforce security policies to manage infrastructure risks.

When employees leave the company, follow all security protocols to properly disable and delete these accounts so they don’t serve as an entry point into your organization. Ensure employees are only using approved applications and devices to access corporate accounts to reduce the risk of compromised credentials due to malware infections on unmanaged devices.

Proactively monitor for compromised credentials from your domain.

Criminals exploit credentials that have been exposed in third-party data breaches to access sensitive business and customer data and launch cyberattacks. Since stolen information stays on the criminal underground for a long time, and typically breaches aren’t made public until months or even years after the initial attack, ghost accounts can still come back to haunt you. Monitoring for compromised credentials for all accounts across your domain, and building in training and enablement on the impact of inactive accounts with these credentials, can help reduce the risk of account takeover and follow-on ransomware attacks.

Take comprehensive steps to respond to compromised assets.

Remediating compromised assets is a no-brainer; password resets that follow security guidelines are a quick fix to protect against attacks stemming from stolen credentials. However, additional steps are necessary when malware infections are detected. Not only should infected devices be wiped, but every compromised application should be remediated post-infection, including any sessions and cookies the malware captured, to ensure bad actors can’t use them to walk right in and launch a ransomware attack.
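The three steps above amount to a triage routine: compare the directory against the HR roster to catch accounts whose owner has left, flag enabled accounts that have gone quiet, cross-check every account against breach-exposure data, and assign a remediation action to each. The script below is an added illustration of that routine and is not SpyCloud’s code or product; the directory export, HR roster, exposure list and 90-day inactivity threshold are all constructed assumptions, and in practice the inputs would come from your identity provider, HR system and a compromised-credential feed.

```python
"""Ghost-account triage (added example, not part of the original post).

Flags enabled accounts with no current owner, enabled accounts that have gone
inactive, and accounts whose credentials appear in breach data, then assigns a
remediation action to each. All inputs below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVITY_DAYS = 90  # assumed policy threshold; tune to your own standard


@dataclass(frozen=True)
class Account:
    email: str
    enabled: bool
    last_login: Optional[datetime]  # None means the account has never signed in
    privileged: bool                # holds admin or otherwise elevated roles


# Fixed clock so the output is reproducible.
NOW = datetime(2022, 10, 31, tzinfo=timezone.utc)

# Constructed directory export (hypothetical accounts, not real data).
ACCOUNTS = [
    Account("admin.legacy@example.com", True, NOW - timedelta(days=400), True),
    Account("jane.doe@example.com", True, NOW - timedelta(days=2), False),
    Account("ex.employee@example.com", True, NOW - timedelta(days=30), False),
    Account("svc.backup@example.com", True, None, True),
    Account("old.hire@example.com", False, NOW - timedelta(days=900), False),
]
# Constructed HR roster: current employees plus owned service accounts.
ROSTER = {"jane.doe@example.com", "svc.backup@example.com"}
# Constructed list of addresses observed in third-party breach data.
EXPOSED = {"admin.legacy@example.com", "jane.doe@example.com"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def classify(acct, roster, exposed, now=NOW, inactivity_days=INACTIVITY_DAYS):
    """Return (severity, finding, action) for a single account."""
    is_exposed = acct.email in exposed
    on_roster = acct.email in roster
    stale = acct.last_login is None or (now - acct.last_login).days > inactivity_days

    if not acct.enabled:
        # Already disabled: the remaining step is deletion/archival for departed owners.
        if not on_roster:
            return ("low", "disabled account with no current owner",
                    "delete or archive per retention policy")
        return ("info", "disabled", "none")

    if not on_roster:
        # Enabled account whose owner has left: the ghost account the post describes.
        sev = "critical" if (is_exposed or acct.privileged) else "high"
        action = "disable now, rotate any credentials/tokens, review recent sign-ins"
        if is_exposed:
            action += "; credentials are in breach data, treat recent activity as suspect"
        return (sev, "ghost account: owner no longer employed", action)

    if stale:
        # Owned but dormant: unmonitored accounts drift outside password policy.
        sev = "high" if acct.privileged else "medium"
        return (sev, f"enabled but inactive > {inactivity_days} days",
                "disable pending owner confirmation; shorten review cadence")

    if is_exposed:
        # Active user whose password is circulating: reset and kill live sessions.
        return ("high", "active account with breach-exposed credentials",
                "force password reset and revoke active sessions")

    return ("info", "active, no findings", "none")


def triage(accounts, roster, exposed, now=NOW):
    """Classify every account and return findings ordered by severity, then email."""
    rows = []
    for acct in accounts:
        sev, finding, action = classify(acct, roster, exposed, now)
        rows.append({"email": acct.email, "severity": sev,
                     "finding": finding, "action": action})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], r["email"]))
    return rows


if __name__ == "__main__":
    for row in triage(ACCOUNTS, ROSTER, EXPOSED):
        print(f'{row["severity"]:8} {row["email"]:28} {row["finding"]} -> {row["action"]}')
```

Two design points worth carrying into a real implementation: the roster comparison, not the last-login date, is what catches the departed administrator in the story above (that account was still in use by business services, so an inactivity rule alone would never have flagged it), and an exposure hit on an account that is otherwise healthy still warrants revoking sessions, since a password reset by itself does not invalidate cookies the malware already captured.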

Despite employees’ best intentions – and even after they’re no longer with the company – they can still leave your enterprise vulnerable to cyberattacks. But armed with the awareness of the risks associated with ghost accounts and shadow IT, you can better prepare and prevent risks that result from these insider threats.
