IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 17, 2009

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

Privileged passwords: IT’s dirty little secret

You have a gaping hole in your security. Actually, let me rephrase that. Most of you have a gaping hole in your security. It’s really big. It’s huge. It’s the kind of hole that, when you think about it, keeps you awake at night, worrying about how little you can do if someone actually takes advantage of it.

It’s the kind of hole that most people would rather not think about, so they push it to the back of their mind. They don’t talk about it. It’s IT’s dirty little secret.

What is this huge security risk, you’re wondering? It’s the potential abuse of privileged accounts and, in the current financial environment, with companies either downsizing IT Departments or asking the staff within them to accept pay cuts, it’s more of a risk than ever.

Privileged accounts are those that many IT staff use to carry out their day-to-day tasks. They allow those users to carry out any task on the system they are working on, whether it’s a desktop, server, database, application or appliance.

So what’s the problem? Where’s the risk?

The risk is that these accounts are, in the majority of cases, completely generic. All of the staff use the same login name and password for each system. In some companies, they may use the same login and password for many systems. This means there’s no way of establishing who did what or when.

What’s worse is the fact that, as these accounts are ubiquitous, many companies no longer bother to change the passwords with any kind of regularity. People change roles, yet still know the passwords for systems to which they should no longer have access. So now you have not only a list of authorised users who could be responsible for a data breach, but also a list of everyone who ever had access to that system (or at least had access to the system since the password was last changed).

Surely this only becomes an issue if you have untrustworthy staff? That’s not an issue for your company! You can look around your team and know that each and every one of them would never consider abusing the trust that’s placed with them. How about your developers? How about your third party support staff? How about staff in other teams, or the guy who left last year to go to one of your competitors?

The potential of insider threat is the number one risk within today’s enterprise, and within any enterprise the most technically aware members of staff are those residing in the IT Department. Knowing this, most companies still spend more on stopping John in sales or Caroline in accounts from accessing Facebook or an instant messaging application than they do on preventing the misuse of these highly sensitive and privileged accounts.

Internal threats are the greatest

The statistics speak for themselves. Verizon recently stated that 57% of breaches they surveyed over a four-year period were committed by either an internal user or a business partner who had access to systems. In the case of insider abuse, over 50% of the breaches involved IT staff.

At Cyber-Ark, we conduct a survey among the IT community on an annual basis that includes a very simple question: ‘Have you ever used a privileged password to access information that wasn’t relevant to your role?’ On average, 33% of people who respond say that they have. When asked if they would consider taking a form of sensitive data from their present employer if they ever left, over 85% said they would.

When I hear of companies that haven’t outlined a solution or strategy to deal with privileged accounts, I liken it to building a prison with a huge tunnel to the outside. You can spend whatever you want on security guarding, fences, cameras and locks, but if you don’t secure the tunnel, you may as well not bother.

Implementing a solution to safeguard against this type of threat is the only way forward. Whether you decide to invest in a manual process or an automated, vendor-based product, you should ensure that it meets several criteria.

Safe and reliable password storage

Ensure your solution provides a safe and reliable place to store passwords. Wherever you decide to store these highly sensitive passwords, you need to make certain it’s safe and secure. You also need to determine that only those who should have access to a particular password have access to it.

Consider the administrators of the location. Can they see the data that resides within it? What would happen if you lost the system? Would that mean you lost the passwords? What you need in place is a fully redundant system that allows for any kind of failure.

Ensure you have the means to change passwords as regularly as possible. It’s best to use a one-time password. You can have the most secure location in the world for your privileged passwords, but it will be completely undermined if you don’t change the passwords to systems as frequently as possible.

Most quality automated products will allow you to change the password on a destination system every time a user requests the current password. Some are even allowing users to connect to the destination system via their own GUI, without ever seeing the password. This allows you to change passwords less frequently.

Don’t make users’ lives more difficult

Make it as easy as it can be for your users to go about their daily tasks. Any security process you implement shouldn’t make your users’ lives more difficult. Although processes need to be secure, any solution should try to minimise impact.

By following this advice, you can be sure that when your head next hits the pillow you’ll be able to sleep soundly. That gaping hole will have been filled, and IT’s dirty little secret will be keeping someone else awake instead.

Mark Fullbrook is UK and Ireland director at Cyber-Ark

Cyber-Ark will be exhibiting at Infosecurity Europe 2009 – Europe’s leading event dedicated to information security. Now in its 14th year, the show continues to provide an unrivalled education programme, the most diverse range of new products and services from over 300 exhibitors and attracts circa 12,000 visitors from every segment of the industry.

Running from 28-30 April at London’s Earls Court, the show is something of a ‘must attend’ event for all professionals involved in the information security space. See our dedicated link on the right hand panel of this page for more details.

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted