Not a day goes by without some story hitting the wires about yet another piece of confidential information appearing in somebody’s inbox. Confidential emails, files, financial data, instant messaging data, you name it, find their way into the public domain and overnight a company is faced with a crisis or an individual’s private indiscretions become public property. And regardless of whether or not in some cases there may be am issue of the “greater good”, ultimately questions have to be asked as to why nothing seems to be confidential anymore.
So who can have access to information, and why in spite of all the security that organisations have in their IT infrastructure is this still a daily occurrence? In a recent Cyber-Ark survey of large enterprises over 50% of organisations admitted to rarely if ever changing the passwords for shared accounts in their infrastructure.
In general it appears that security staff are unaware of the extent of the risk. Most are under the impression that privilieged identities are limited to a few systems or processes in an organisation. And yet even a cursory glance reveals that in most enterprises shared accounts which require passwords constitute more than 50% of all accounts in the enterprise.
The result is a class of credentials that are open to abuse and mismanagement. They are not being changed frequently according to the enterprise policy, mainly due to the overwhelming operation that must take place after their change – notifying administrators, changing scripts and applications and setting the passwords in services that use them. There is no accountability for their use – since they are commonly shared. They are often weak and easy to remember. And as a result of the above, the enterprise is regularly driven to set the same password for hundreds or thousands of accounts – making them extremely prone to the domino affect. All of that makes the non-personal users a real vulnerability and substantial threat to any enterprise.
Even more revealing was the admission that although 99% of enterprises enforced password changes for users on their PCs, only 1% changed the administrator password on the same device, and in the vast majority of cases the administrator password was the same on every PC in the company. In many enterprises today the task of system management has been outsourced, including the installation and provisioning of employees workstations, with the result that these administrative passwords are controlled by third parties.
How often, for example, are users forgetting passwords and asking for IT support to help them reset, and then carrying on doing their work totally oblivious that their every action is now vulnerable to being monitored?
Anyone with administrative access to a workstation is able to easily access the user’s email and contacts. They can retrieve any file that the end user is working on, and since office documents set up local temporary files, when the user opens a file, it can be accessed by the intruder. Additionally access is gained to end-user favourites, and cookies which can include passwords that are entered on website.
Apart from simply “watching you”, the intruder can replace programs so that now your email is being forwarded to the intruders machine, your word processing application is now key-logging, so recording your every entry. And we’re only getting started. For example a first step can be to create a new local account on this machine, with administrative rights, so when someone, sometime will replace the administrator password, there is already a back-door, with administrative rights.
Now you may be reading this and saying “this is just a re-hash of commonly known hacking risks”, and you would be right. But in this case the risk is not the outsider but the insider who is trusted and whose job it is to actually look after your workstation and administer the network. And whether this is being done from your office or from somewhere on the other side of the world by some invisible outsourced employee, the unsuspecting Financial Officer, Auditor, Payroll clerk, etc., are oblivious to what is happening.
So what steps should you be taking? Well very simply – every single shared identity from the workstation to the database must be protected and changed on a regular basis. Access to a shared account must be logged so that the individual who requires a particular password should be required to provide a reason, and this request should be authorized – dual control.
Each and every administrative/shared/privileged password should be unique. The practice of accepting the same administrative password on every workstation should be discontinued, since having access to the clerk’s password means access to the CEOs machine.
Administrative passwords must be changed on a regular basis, including workstations. This process can be completely automated, which adds the benefit that specific individuals are not aware of passwords until such time as they need them.
Audit logging of every access or request for a password is essential, and this must be done in a manner that it provides non-repudiation for external auditors. In other words can you prove that you are doing this and policies are being adhered to? Can you identify the individual who last had access to any system or application?
Is this paranoia? No – paranoia is wondering everyday if someone is looking over your shoulder. This is simply common sense advice to any enterprise that values its confidentiality, and is not in the business of unnecessary risk. If you value your business, then you should not be wondering if your assets are protected.
The figures showing a decrease of 83% in burglaries in Cleveland, identified that the decrease was a direct result of people taking the advice of the police about proper security measures. In the IT world 70%-80% of IT theft (hacking) occurs from within. It’s time to you took proper security measures. Peace of mind doesn’t have to cost very much, and its certainly a great feeling.