Framework: The Center for Internet Security (CIS) Top 18 Controls

Episode 26 — Safeguard 5.3 – Disable dormant accounts

11 min, 18 October 2025

Safeguard 5.3 requires organizations to detect and disable dormant accounts—user identities that have not been used for an extended period, typically forty-five days or more. Dormant accounts are among the most overlooked attack vectors in enterprise environments. When active but unused, they retain system access rights and credentials that can be exploited by adversaries without immediate detection. Attackers often target such accounts to establish persistence or escalate privileges because legitimate users rarely notice unusual activity associated with them. By identifying and deactivating these accounts, enterprises dramatically reduce opportunities for unauthorized access. This safeguard enforces the principle that every active credential must serve a verified, ongoing business function, and that any account lacking such purpose should be promptly disabled or removed.

Implementing this safeguard involves automation, monitoring, and governance. Identity and Access Management (IAM) platforms can generate inactivity reports based on login timestamps, flagging accounts exceeding inactivity thresholds. Integration with HR systems ensures that changes in employment status automatically trigger account deactivation. Logging and alerting systems should record and notify administrators when dormant accounts are detected or reactivated, supporting accountability and auditing. Exception processes must be documented for accounts that require extended inactivity, such as service or project-based users, with explicit justification and periodic review. Regular validation ensures that the environment remains free of stale credentials, supporting compliance and reducing insider risk. Over time, this safeguard fosters a culture of continuous hygiene—where inactive access paths are not simply ignored but systematically removed before they can become liabilities.
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.


Framework: The Center for Internet Security (CIS) Top 18 Controls with Jason Edwards is available on several platforms. The information on this page comes from public podcast feeds.