June 2024 Security Topic - Digital Blight

Accounts and Passwords

There is a curious debate, with some history behind it, in the Information Technology and Cybersecurity worlds. It's not about quantum computing, artificial general intelligence, the Internet of Things (IoT), wearable technology, augmented reality, or anything developing now or in the future. The debate is really about the past: a problem that cropped up in 1961 at the Massachusetts Institute of Technology (MIT) (Nachreiner, 2018).

Back then computers were rare and expensive. Students and researchers had to share, and MIT used an application called the Compatible Time-Sharing System (CTSS) to manage the sharing. While CTSS managed the time allocations of the users, it did not prevent users from accessing the files and resources of everyone else (Nachreiner, 2018).

The concepts of computing and computers date back as far as 200 BC (Barfield, 2020), but there was never any detailed consideration for privacy, separation, and ownership. The primary focus of mechanical and digital computing was performing calculations, ideally better than human computers could. Computers were not generally designed to be secure, neither at the very beginning nor throughout their development.

Passwords, firewalls, anti-virus applications, and all these things came later. They are not inherent in how computers work, and on their own they have limited value in preventing security incidents. This point is made wonderfully by the American cryptographer Bruce Schneier at the Black Hat conference in 2000 (Schneier, 2013). Even though his talk is 24 years old, it still provides a great deal of insight into this problem.

A Divisive Question

Armed with that context, onwards to the controversial question: should we remove old user accounts? Such a simple but shockingly divisive question. The Information Technology answer is to keep the accounts just in case, often because the related human resources and business processes are not clear. Once user accounts are fully deleted, they can't be recovered, so it's a better-safe-than-sorry approach. The common consensus among IT practitioners (at least the ones I have met in my career) is that there isn't much harm in keeping them.

From the Cybersecurity perspective, old accounts can be high risk, and disabling and deleting them is critically important. The professional field often proclaims this as established truth, but it's often not accepted as such. It's in every standard (Joint Task Force Interagency Working Group, 2020) and in recommendations from security firms (Steel, 2023) and government agencies (Cyber Essentials, 2020).

Because these related fields are so technical and complex, we often rely on metaphors to communicate ideas in ways that are easier to understand. Part of the reason this issue is not fully understood could be that practitioners incorrectly feel it is self-evident and obvious, so we don't put the work into describing the problem with appropriate metaphors. That lack of understanding then leads to major cybersecurity incidents such as the Colonial Pipeline hack (Novinson, 2021).

Abandoned Properties / Vacant Buildings

A good metaphor for this problem may be the issue of vacant commercial and residential properties. People and businesses construct buildings to meet their needs. Over time they move on, nobody buys those buildings, and they sit vacant for many years. Eventually they can decay to the point of presenting a public safety issue, and then they need to be demolished. This closely resembles the life cycle of user accounts and digital resources.

While nobody is actively using a vacant property, it's still there in the community. It needs to be protected from vandalism and theft of contents by police, periodically inspected for fire safety by the fire department, and supported by a public works department (Vacant and Abandoned Properties | City of Batavia NY, 2015). Local governments can spend millions of dollars supporting and maintaining vacant properties and dealing with the often complex issues related to them. It's difficult even to identify how many vacant buildings there are, because of the many different reasons for vacancy and the lengths of time involved (Vacant Properties Growing, 2011). Paradoxically, a vacant property can persist for a long time precisely because no one wants it: nobody wants to buy it, but nobody wants to pay to tear it down either. Such properties are essentially rejected by the market, where the most cost-effective choice may be abandonment. Ultimately the public bears the cost and deals with the consequences of that decision (Gordon, 2008).

A 2009 survey of Detroit indicated that a third of the city consisted of vacant land and abandoned buildings. Abandoned spaces provide opportunities for criminal activity, but how much and what kinds can be difficult to measure (Raleigh & Galster, 2015), and activities in abandoned spaces are not very well tracked (Vacant Properties Growing, 2011). A term frequently used for vacant properties and the problems they cause is blight (Vacant and Abandoned Properties, n.d.). We can then say that a third of Detroit suffered from this blight in 2009.

Addressing Digital Blight

Unlike a city, however, we can't walk through our digital presence and see the digital blight in our neighborhood: the streets with rows of vacant accounts and empty IT services with people squatting in them. We can't see the financial and employee resources needed to keep supporting them after everyone has left. We can't see the criminal element moving in to leverage the abandoned accounts and services. We don't observe the greater need for cybersecurity professionals to check in more frequently, or the extra resources needed to make blighted areas safe. Digital blight is dangerous and invisible, presenting risks and additional costs that many people don't fully understand.

Hopefully, armed with this metaphor, we can have a different conversation about old user accounts. Computers are not secure and protected by default; we must manage the risks they present by making good decisions. The importance of disabling and deleting old user accounts and removing unused digital resources should not be taken for granted. It's not an amazing new technology invention, but it's critical to preventing and lessening the impact of cybersecurity incidents.
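As an added illustration that is not part of the original article: a minimal account audit that makes this digital blight visible. It runs a stale-account policy over a constructed account export and flags the pattern named in the Colonial Pipeline reference (an idle, enabled account without MFA) plus orphaned accounts with no business owner. The thresholds (90 days idle to disable, 365 days to delete) and the record format are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample account export (not real data); last_login is an ISO date or None.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True, "last_login": "2024-06-10", "owner": "eng"},
    {"user": "bob", "enabled": True, "mfa": False, "last_login": "2023-11-02", "owner": "ops"},
    {"user": "carol", "enabled": False, "mfa": False, "last_login": "2022-01-15", "owner": None},
    {"user": "svc-backup", "enabled": True, "mfa": False, "last_login": None, "owner": None},
]

# Policy thresholds are assumptions for this example, not figures from the article.
DISABLE_AFTER = timedelta(days=90)   # idle enabled accounts get disabled
DELETE_AFTER = timedelta(days=365)   # idle disabled accounts get deleted


def _as_date(value):
    """Accept either a date or an ISO date string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def idle_for(acct, today):
    """Time since last login; an account that never logged in is treated as idle forever."""
    if acct["last_login"] is None:
        return timedelta.max
    return _as_date(today) - date.fromisoformat(acct["last_login"])


def classify(acct, today):
    """Decide the lifecycle action for one account and collect risk flags."""
    idle = idle_for(acct, today)
    flags = []
    if acct["owner"] is None:
        flags.append("orphaned")        # nobody left to ask whether it is still needed
    if acct["enabled"] and not acct["mfa"] and idle >= DISABLE_AFTER:
        flags.append("idle-no-mfa")     # the inactive-account-without-MFA pattern
    if acct["enabled"] and idle >= DISABLE_AFTER:
        action = "disable"
    elif not acct["enabled"] and idle >= DELETE_AFTER:
        action = "delete"
    else:
        action = "keep"
    return {"user": acct["user"], "action": action, "flags": flags}


def audit(accounts, today):
    """Run the policy over an export and return only the accounts needing attention."""
    results = (classify(a, today) for a in accounts)
    return [r for r in results if r["action"] != "keep" or r["flags"]]


if __name__ == "__main__":
    for row in audit(ACCOUNTS, "2024-06-15"):
        print(f'{row["user"]:<12} {row["action"]:<8} {",".join(row["flags"])}')
```

The same report can be fed from a real directory export (for example an Active Directory or IdP CSV) once its columns are mapped onto the record shape above.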

References

Barfield, R. (2020, September 3). Who invented computers? Bricsys Blog. https://www.bricsys.com/en-eu/blog/who-invented-computers
Cyber Essentials. (2020). Cybersecurity & Infrastructure Security Agency (CISA). https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Toolkit%204%2020200818_508.pdf
Gordon, C. (2008). Mapping Decline: St. Louis and the Fate of the American City. University of Pennsylvania Press. https://doi.org/10.9783/9780812291506
Joint Task Force Interagency Working Group. (2020). Security and Privacy Controls for Information Systems and Organizations (Revision 5). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-53r5
Nachreiner, C. (2018, September 22). Digital authentication: The past, present and uncertain future of the keys to online identity. GeekWire. https://www.geekwire.com/2018/digital-authentication-human-beings-history-trust/
Novinson, M. (2021, June 5). Colonial Pipeline Hacked Via Inactive Account Without MFA. CRN. https://www.crn.com/news/security/colonial-pipeline-hacked-via-inactive-account-without-mfa
Raleigh, E., & Galster, G. (2015). Neighborhood Disinvestment, Abandonment, and Crime Dynamics. Journal of Urban Affairs, 37(4), 367–396. https://doi.org/10.1111/juaf.12102
Schneier, B. (2013, October 1). Black Hat USA 2000—The Internet and the Death of Security. YouTube. https://www.youtube.com/watch?v=9gKMoCH0tms
Steel, A. (2023, June 29). The Compromised Credentials Crisis: A Challenge Plaguing the Cybersecurity Industry. The LastPass Blog. https://blog.lastpass.com/posts/2023/06/the-compromised-credentials-crisis-a-challenge-plaguing-the-cybersecurity-industry
Vacant and Abandoned Properties | City of Batavia NY. (2015, April 17). batavianewyork.com. https://www.batavianewyork.com/home/news/vacant-and-abandoned-properties
Vacant and Abandoned Properties. (n.d.). Department of Financial Services. Retrieved June 14, 2024, from https://www.dfs.ny.gov/consumers/help_for_homeowners/vacant_property
Vacant properties: Growing number increases communities' costs and challenges. Report to the Ranking Member, Subcommittee on Regulatory Affairs, Stimulus Oversight, and Government Spending, Committee on Oversight and Government Reform, House of Representatives. (2011). U.S. Government Accountability Office.