InfoSecurity Magazine recently published an article that blames cavalier attitudes about password management for a new era of data breaches. The article says that a fundamental lack of IT security awareness in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches.
The author cites a survey from Lieberman Software of IT security professionals. In the survey, 13% of IT security pro’s interviewed at the RSA Conference 2014 in San Francisco admit to being able to access previous employers’ systems using their old credentials.
Perhaps even more alarming is that of those able to get access to previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials. And, shockingly, more than 16% admit to still having access to systems at all previous employers Lieberman reports. Philip Lieberman, CEO and president of the company, told InfoSecurity in an interview that he blames executives who are satisfied with only meeting minimum security requirements.
Investments in security for technology, people, and processes have been meager, at best, in most organizations for many years … many C-level executives have been strongly discouraged from implementing anything other than the minimum security required by law.
The survey also showed a communications breakdown between the IT Pros and management. Nearly one in five respondents admit that they do not have, or don’t know if they have, a policy to make sure that former employers and contractors can no longer access systems after leaving the organization according to the article.
The survey also found that current employees are also a concern. The InfoSecurity article says that almost 25% of employees surveyed said that they work in organizations that do not change their service and process account passwords within the 90-day time frame commonly cited as best practice by most regulatory compliance mandates. Lieberman pointed out that users who run with elevated privileges can introduce all sorts of IT headaches by downloading and installing applications, and changing their system configuration settings. CEO Lieberman warned that an organization would be wise to strictly control and monitor the privileged actions of its users by:
- Get control over privileged accounts. Start by generating unique and complex passwords for every individual account on the network – and changing these passwords often (no more shared or static passwords).
- Make sure you’re securely storing current passwords and making them available only to delegated staff, for audited use, for a limited time (no more anonymous and unlimited privileged access – for anyone).
- Automate the entire process with an enterprise-level privileged identity management approach. Mr. Lieberman argues, “when users exhibit poor behavior while logged into their powerful privileged accounts, you can be immediately alerted and respond to the threat.”
Mr. Lieberman told InfoSecurity that In the wake of the Edward Snowden / NSA scandal and the Target breach, one would think that corporations would feel that minimizing the insider threat and the attempts of sophisticated criminal hackers to groom those with privileged accounts would be of tantamount importance. But, Lieberman cited a “half-life mentality of opening the pocketbook for security investments immediately after a data breach occurs, but then diminishing back to basic security after a few months.”
rb-
When an employee leaves the company, it’s imperative to ensure that he or she is not taking the password secrets that can gain access to highly sensitive systems.
To back this up, Verizon’s 2013 annual Data Breach Investigations Report says that more than three-quarters (76%) of network intrusions relied on weak or stolen credentials – a risk that Verizon describes as “easily preventable”.
Creating Privileged Accounts:
- Never issue direct access to Administrator or Root, create a unique alias.
- Require password complexity, history and expiration.
Disabling Privileged Accounts:
- Get the termination notice in writing from someone up the food chain before acting, then disable the account ASAP.
- Disable the account, Lock the account, Change the password.
- Don’t change the user name or delete the account until you are sure. Prematurely removing an Admin Account could break some applications or connectors.
- Don’t forget about other accounts, email, VPN, wipe mobile devices, access control PINs.
Related articles
- Protecting Against the Insider Threat (duosecurity.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.