Mark Fullbrook, Cyber-Ark: I.T.’s Dirty little secret – Privileged Passwords
January 2009 by Mark Fullbrook, UK and Ireland Director, Cyber-Ark
You have a gaping hole in your security. Actually, let me rephrase that. MOST of you have a gaping hole in your security. It’s really big. It’s huge. It’s the kind of hole that, when you think about it, keeps you awake at night, worrying about how little you can do if someone actually takes advantage of it. It’s the kind of hole that most people would rather not think about, so they push it to the back of their mind. They don’t talk about it. It’s I.T.’s dirty little secret.
What is this huge security risk? It’s the potential abuse of Privileged Accounts, and in the current financial environment, with companies either downsizing I.T. staff or asking them to accept pay cuts, it’s more of a risk than ever.
Privileged Accounts are the accounts that many I.T. staff use to carry out their day-to-day tasks. They allow those users to carry out ANY task on the system they are working on, whether it’s a desktop, server, database, application or appliance. So what’s the problem? Where’s the risk? The risk is that these accounts are, in the vast majority of cases, completely generic. All of the staff use the same login name and password for each system; in some companies they may use the same login and password for many systems. This means there is no way of establishing who did what, or when. What’s worse, because there are so many of these accounts, many companies no longer bother to change the passwords with any kind of regularity. People change roles, yet still know the passwords to systems they should no longer have access to. So now you have not only a list of authorised users who could be responsible for a data breach, but also a list of everyone who ever had access to that system (or at least everyone who has had access since the password was last changed).
But surely this only becomes an issue if you have untrustworthy staff? That’s not an issue for your company! You can look around your team and know that each and every one of them would never consider abusing the trust that is placed in them! How about your developers? How about your third-party support staff? How about staff in other teams, or the guy who left last year to go to one of your competitors?
The insider threat is the number one risk within today’s Enterprise, and within any Enterprise the most technically aware staff are the I.T. staff themselves. Knowing this, most companies still spend more on stopping John in sales or Caroline in accounts from accessing Facebook or an instant messaging application than they do on preventing the misuse of these highly sensitive privileged accounts. The statistics speak for themselves. Verizon recently stated that 57% of the breaches they surveyed over a four-year period were committed by either an internal user or a business partner who had access to systems. They further stated that, in the case of insider abuse, over 50% of the breaches involved I.T. staff.
At Cyber-Ark, we conduct an annual survey amongst the IT community that includes a very simple question: “Have you ever used a privileged password to access information that was NOT relevant to your role?”
On average 33% of people who respond say they have. When asked if they would consider taking a form of sensitive data from their present employer if they ever left, over 85% said they would.
When I hear of companies that have not outlined a solution or strategy to deal with Privileged Accounts, I liken it to building a prison with a huge tunnel to the outside. You can spend whatever you want on guards, fences, cameras and locks, but if you don’t guard the tunnel, you may as well not bother.
Implementing a solution to safeguard against this type of threat is the only way forward. Whether you decide to invest in a manual process or an automated, vendor-based product, you should ensure that it meets these three criteria:
1. Ensure your solution provides a safe and reliable place to store passwords.
Wherever you decide to store these highly sensitive passwords, you need to ensure the location is safe and secure. You need to make sure that only those who should have access to a particular password can get at it. Consider the administrators of the storage location: can they see the data that resides within it? What would happen if you lost the system? Would that mean you lost the passwords? Ensure you have a fully redundant system that can survive any kind of failure.
2. Ensure you have the means to change passwords as regularly as possible. Use a one-time password if possible.
You can have the most secure location in the world for your privileged passwords, but it will be completely undermined if you don’t change the passwords on the target systems as frequently as possible. Most quality automated products will change the password on a destination system every time a user requests the current password; some even allow users to connect to the destination system through their own GUI without ever seeing the password. Because the user never learns the password, this allows you to change passwords less frequently.
3. Make it as easy as it can be for your users to go about their daily tasks.
Any security process you implement shouldn’t make your users’ lives more difficult. Although processes need to be secure, any solution should try to minimise the impact on the people who use it.
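The following is an added example, not code from the article or from any Cyber-Ark product, that models criteria 1 and 2 in a few dozen lines of Python: a vault that releases a privileged password only to a named, authorised user, records who requested what and when, and rotates the password on the target system when the session ends, so the password a user saw is effectively one-time. Every name in it (Vault, TargetSystem, checkout, checkin, the user ids and the system "db01") is hypothetical, the target system is an in-memory stand-in for a real server, and the constructed sample password "Summer2005!" plays the role of the long-lived shared password the article describes. Encryption of the vault at rest and the redundancy requirement from criterion 1 are not modelled here.

```python
# Added example: a toy privileged-password vault (hypothetical names, not vendor code).
import hmac
import secrets
import time


def generate_password():
    """24 characters from the OS CSPRNG; nobody needs to remember or type it."""
    return secrets.token_urlsafe(18)


class TargetSystem:
    """Stand-in for a server, database or appliance with one shared privileged account."""

    def __init__(self, name, password):
        self.name = name
        self._password = password

    def login(self, password):
        # Constant-time compare: even a toy should not leak the password through timing.
        return hmac.compare_digest(password, self._password)

    def change_password(self, current, new):
        if not self.login(current):
            raise PermissionError(f"{self.name}: current password rejected, rotation aborted")
        self._password = new


class Vault:
    """Stores privileged passwords, enforces who may check them out, logs every request
    against a named user, and rotates the password on check-in (criteria 1 and 2)."""

    def __init__(self):
        self._passwords = {}  # system name -> current password; never written to the log
        self._acl = {}        # system name -> set of user ids allowed to check it out
        self._targets = {}    # system name -> TargetSystem under management
        self.audit = []       # (timestamp, user, system, action, reason): who, what, when

    def onboard(self, target, current_password, allowed_users):
        """Take a system under management and immediately retire the old shared password."""
        self._targets[target.name] = target
        self._acl[target.name] = set(allowed_users)
        self._passwords[target.name] = current_password
        self._rotate(target.name)

    def _rotate(self, system):
        new = generate_password()
        self._targets[system].change_password(self._passwords[system], new)
        self._passwords[system] = new

    def _log(self, user, system, action, reason=""):
        self.audit.append((time.time(), user, system, action, reason))

    def checkout(self, user, system, reason):
        """Release the current password only to a user on the system's access list."""
        if user not in self._acl.get(system, set()):
            self._log(user, system, "DENIED", reason)
            raise PermissionError(f"{user} is not authorised for {system}")
        self._log(user, system, "CHECKOUT", reason)
        return self._passwords[system]

    def checkin(self, user, system):
        """End the session: rotate, so whatever the user saw or wrote down is now useless."""
        self._rotate(system)
        self._log(user, system, "CHECKIN_ROTATED")


def demo():
    """Replay the article's scenario on constructed data and return the outcomes."""
    db = TargetSystem("db01", "Summer2005!")      # constructed: shared for years
    leaver_remembers = "Summer2005!"               # constructed: a leaver still knows it
    before = db.login(leaver_remembers)            # the leaver still gets in

    vault = Vault()
    vault.onboard(db, "Summer2005!", allowed_users={"alice", "bob"})
    after_onboard = db.login(leaver_remembers)     # old shared password is dead

    pw = vault.checkout("alice", "db01", reason="INC-1042 restore backup")
    during_session = db.login(pw)                  # valid while alice holds it
    vault.checkin("alice", "db01")
    after_checkin = db.login(pw)                   # one-time: rotated on check-in

    try:
        vault.checkout("mallory", "db01", reason="curious")
        denied = False
    except PermissionError:
        denied = True

    return {
        "leaver_before_vault": before, "leaver_after_onboard": after_onboard,
        "alice_during_session": during_session, "alice_after_checkin": after_checkin,
        "unauthorised_denied": denied,
        "audit_actions": [(u, s, a) for _, u, s, a, _ in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is what turns a generic account back into an attributable one: it names the requester, the system and the stated reason, and it never contains the password itself. Rotating on check-in rather than on check-out keeps the session usable while making the released credential worthless afterwards; products that proxy the connection so the user never sees the password can, as the article notes, rotate less often.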
By following this advice, you can be sure that when your head next hits the pillow you will sleep soundly. That gaping hole will have been filled, and I.T.’s dirty little secret will be keeping someone else awake instead.