Study reveals major security flaws in most enterprises

Privileged passwords are the non-personal passwords that exist in virtually every device or software application in an enterprise, such as root on a UNIX server, Administrator on a Windows workstation, and Cisco Enable on a Cisco device.

Completed by more than 140 IT professionals, the 2006 Privileged Password Survey reveals that privileged passwords are far more common in enterprises than previously thought: approximately one-half of all enterprises contain more privileged passwords than individual ones. Second, although these privileged passwords provide “super-user” system access, the survey exposes that up to 42% are never updated, a frightening prospect in today’s environment of increased audits and hacker attacks. In fact, half of the IT professionals surveyed reveal that they’re concerned about audits, and 6 out of 10 state that their organization has been hacked.

Often, the reason privileged passwords are rarely updated is a simple one: many enterprises still manually change these key passwords and as one IT Executive from a Fortune 500-sized company states: “manually changing thousands of passwords across hundreds of databases is simply impractical.”
Approximately half of all enterprises have more privileged passwords than personal ones

According to the 2006 Enterprise Privileged Password Survey, the typical enterprise contains:

” More than 500 employees, and each employee has an Administrator account associated with their workstation (72%)
” More than 500 servers with privileged password accounts (44%)
” More than 100 routers with privileged password accounts (41%)
” More than 100 software applications (71%), most of which connect with other applications (92%)

Although privileged passwords provide “super-user” access to a target system, the survey shows they are far less likely to be updated. Respondents report that 99% of individual passwords are updated, however for privileged passwords:

” 13% of ROUTER privileged passwords are never changed
” 21% of LOCAL WORKSTATION privileged passwords are never changed
” 13% of SERVER privileged passwords are never changed
” 42%of SOFTWARE passwords are never changed

The survey not only revealed that privileged passwords are rarely changed, it also supports that this is a dangerous practice in today’s environment of hacker attacks and increased audit pressure. For example, in survey results:

” 6 out of 10 enterprises report being hacked
” 9 out of 10 enterprises state they’re annually audited for IT practices
” Half of all IT professionals are often or always concerned about passing audits

For more information on managing these privileged user passwords and for the full results of this survey, visit www.cyber-ark.com/survey.asp