Former admins talk test accounts (and how to handle them)

Checks on test accounts are essential, but there are often too many reasons for IT pros to go around them.

IT pros spin up accounts. Threat actors look to take them for a spin.

Test accounts help an IT pro who needs to quickly onboard new employees, or configure a new application, or check a database connection. The setups are valuable ways of testing a proof of concept—as long as administrators remember to get rid of the proof.

Former system admins who spoke with IT Brew shared their experiences working fast and creating test accounts. The problem with test accounts spun up quickly? They run the risk of being misconfigured or exposed to the internet, the former system admins said.

“Oftentimes these test environments don’t have the same level of technical cybersecurity controls,” Andy Thompson, a former senior admin for multiple organizations and current offensive cybersecurity research evangelist at identity management company CyberArk, told IT Brew.

Deep passes, big fumbles. Before becoming a solutions architect at identity security company One Identity, AJ Lindner created test accounts as an identity governance engineer at a financial institution. That meant deploying test accounts in development environments and occasionally, the big stage, or what he refers to as production.

“Even though you don’t always want to, sometimes you have to test things in production because there are things you don’t have replicated in your test environment—or even if you do, it’s not quite accurate to what you see in production. So, you just sometimes have to throw a Hail Mary, hope for the best, and run those tests,” Lindner said.

And sometimes you get intercepted. In January, Microsoft notified customers of a corporate system attack that began with a correct password guess on “a legacy non-production test tenant account,” according to the vendor. (Microsoft did not respond to a request for an interview.) Developers and system administrators, according to Verizon’s 2023 Data Breach Investigations Report (DBIR), committed the most errors that led to breaches. The top three snafus: misdelivery, publishing errors, and misconfiguration.

“It is hardly surprising that those who have more responsibility for maintaining the data and the upkeep of the environment are also those who are more frequently responsible,” the DBIR read, referencing compromises.

“Levels of unsafe.” For speed’s sake, test accounts are often configured more quickly, without the safer features.

Paddy Harrington, senior analyst at advisory firm Forrester, said a common practice for many IT shops is the use of admin accounts for new OS build setups, often with easy-to-remember credentials that all the admins in the environment know. So, no extra security features like multifactor authentication (MFA) that add time to the process.

“If you’re constantly changing this thing all the time, or you’re tying it directly to whatever your multifactor authentication is, you have to have a lot of features and functions out there. You’ve got to have the one-time password generators and all these other things available to a larger team,” Harrington told IT Brew.

“There are so many levels of unsafe in this; it’s not even funny, but everyone does it just because it simplifies the workflow,” Harrington added.

Microsoft later said in a post-compromise statement: “If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled.”

Separation, anxiety. A secure process for test account creation, Harrington told IT Brew, includes getting permission from a manager, logging the changes and disablement of the account, and then confirming changes with the manager.

For Tim Witos, VP of information security at healthcare supplier McKesson and member of the IT security risk reduction initiative Health 3rd Party Trust Council, account management calls for separation of roles and responsibilities. In other words, the person who administers the identities, managers, usernames, and passwords should not be the person who administers the software.

“When someone needs a test account, they have to request that test account from a different person or a different team. That team will have oversight into what privileges that test account has given,” Witos said.

The challenge there is that many IT pros, like everybody else, want to get tasks done quickly, even if a Hail Mary to production is involved.

“People are looking to do it the easiest way—the fastest way,” Thompson said.
