{"id":55036,"date":"2025-12-15T15:39:24","date_gmt":"2025-12-15T20:39:24","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55036"},"modified":"2025-12-15T15:42:02","modified_gmt":"2025-12-15T20:42:02","slug":"forsaken-servers-apis-apps-accounts-find-and-protect","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/forsaken-servers-apis-apps-accounts-find-and-protect\/55036\/","title":{"rendered":"Forgotten IT infrastructure: even worse than shadow IT"},"content":{"rendered":"

Attackers often go after outdated and unused test account<\/a>s, or stumble upon publicly accessible cloud storage containing critical data that\u2019s a bit dusty<\/a>. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago<\/a>. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account\u2026 Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security, regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT \u2014 with one key difference: nobody wants, knows about, or benefits from these assets.<\/p>\n

In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.<\/p>\n

Physical and virtual servers<\/h2>\n

Priority: high.<\/strong> Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.<\/p>\n

Prevalence:<\/strong> high<\/strong>. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Lets Encrypt statistics<\/a>: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.<\/p>\n

Detection: <\/strong>the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.<\/p>\n

This data should be supplemented by external vulnerability scans that cover all of the organization\u2019s public IPs.<\/p>\n

Response:<\/strong> establish a formal, documented process for decommissioning\/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.<\/p>\n

To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.<\/p>\n

Forgotten user, service, and device accounts<\/h2>\n

Priority: critical.<\/strong> Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.<\/p>\n

Prevalence:<\/strong> very high.<\/strong> Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.<\/p>\n

Detection:<\/strong> conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it\u2019s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.<\/p>\n

Response:<\/strong> after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM)<\/a> offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.<\/p>\n

For service accounts, it\u2019s also essential to routinely review both the strength of passwords, and the expiration dates for access tokens \u2014 rotating them as necessary.<\/p>\n

Forgotten data stores<\/h2>\n

Priority: critical.<\/strong> Poorly controlled data in externally accessible databases, cloud storage and recycle bins<\/a>, and corporate file-sharing services<\/a> \u2014 even \u201csecure\u201d ones \u2014 has been a key source of major breaches in 2024\u20132025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.<\/p>\n

Prevalence:<\/strong> high<\/strong>. Archive data, data copies held by contractors, legacy database versions from previous system migrations \u2014 all of these often remain unaccounted for and accessible for years (even decades) in many organizations.<\/p>\n

Detection:<\/strong> given the vast variety of data types and storage methods, a combination of tools is essential for discovery:<\/p>\n