iTnews

Six simple steps to managing privileged passwords

By Calum MacLeod, on Mar 13, 2007 4:00PM

One of today's biggest IT headaches is managing privileged passwords: the super-powerful credentials such as Administrator on a Windows server, root on a UNIX server, the enable password on a Cisco device, and the embedded passwords found in applications and scripts.

If privileged passwords are not properly managed and secured, critical applications and the data they contain are left vulnerable to deliberate or inadvertent misuse, breaches and data theft.

In fact, up to 70 percent of system breaches are caused by internal users, and in particular by privileged administrators and power users who accidentally or deliberately damage IT systems or release confidential data assets. To make your temples throb even more, a recent survey showed that most enterprises have more passwords for privileged accounts than for individuals (Source: Cyber-Ark Privileged Password Survey 2006).

As companies continue to leave a multitude of privileged passwords unchecked, they are inadvertently creating a critical security risk that enterprises can no longer ignore and must address. For this reason, privileged accounts are under increasing scrutiny by internal and external auditors, and the inability to safeguard the use of administrative or privileged passwords is becoming one of the key reasons that many organizations fail compliance audits.

Privileged password management should be a basic tenet of IT security best practices, regardless of where an organization is or what products and services it offers. So how can you get privileged passwords under control, fast?

I work for a software company that specializes in managing privileged passwords, and here are the top six steps I see successful organizations take when they enter this area.

1. Count your privileged passwords
This is a simple step, but one that’s often overlooked. For example, one Fortune 100-sized company found that each of their 300 Oracle databases had about 30 pre-defined accounts, including SYS, SYSTEM, DBSNMP, CTXSYS, MDSYS, WMSYS and XDB. This quickly added up to 9,000 privileged passwords on Oracle alone! The best way to start managing privileged passwords is to create a checklist of operating systems, databases, appliances, routers, servers, directories, and applications throughout your enterprise. Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, you can easily create a plan to secure, manage and automatically change and log all privileged passwords.

2. Personalize who has privileged or super user access
Auditors require that enterprises prove which individual identity, such as Jane Doe, accessed a shared privileged account, such as UNIX root user.

How can you accomplish this task? The most straightforward method is to centralise all your privileged passwords in one spot. However, once all your most powerful passwords are in one place, that place must be the most secure area in your organization. By the end of step two, make sure your password storage is well-protected.

3. All inactive accounts should be disabled after 60 days and deleted after 90 days
This control is critical in large organisations, which can have hundreds of people coming and going every few months.

At the same time, the complexities of the human resources process can make it hard to remove inactive accounts from an Active Directory environment. Throw in weak password policies and you have the makings of substantial risk from inactive accounts.

4. Make sure that passwords expire regularly
Most organisations apply a password expiration policy to general users, but the privileged users and administrators who run that policy frequently exclude the privileged accounts from it.

A common issue found by auditors is that administrators exclude themselves from the password expiration cycle, by selecting the "Password Never Expires" flag. Be sure to avoid this trap and change privileged passwords per company policy.
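The checks in steps 1, 3 and 4 are easy to run over an inventory once you have one. The script below is an added example, not code from the article or from Cyber-Ark: it tallies privileged accounts per platform, classifies idle accounts for disabling (60 days) or deletion (90 days), and flags privileged accounts that carry the "Password Never Expires" flag or are overdue for rotation. The 90-day rotation period, the hostnames, the dates and every account record are assumptions constructed for the example; a real run would pull the same fields from Active Directory, Oracle's DBA_USERS and the other systems on your checklist.

```python
"""Privileged-account audit over a constructed inventory (added example,
not the article's or Cyber-Ark's code). Models the checks in steps 1, 3
and 4: count privileged accounts per platform, classify stale accounts for
disabling (60 days) or deletion (90 days), and flag privileged accounts
that are exempt from expiry or overdue for rotation. The 90-day rotation
period and every account record below are assumptions / constructed data."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    system: str                  # target system the account lives on
    platform: str                # windows / unix / oracle / cisco / ...
    name: str
    privileged: bool
    last_logon: Optional[date]   # None = never logged on
    password_set: date           # date the password was last changed
    never_expires: bool = False  # Windows "Password Never Expires" flag


# Policy thresholds: 60/90 days are the article's rule; the rotation period is assumed.
DISABLE_AFTER = timedelta(days=60)
DELETE_AFTER = timedelta(days=90)
MAX_PASSWORD_AGE = timedelta(days=90)

TODAY = date(2007, 3, 13)  # fixed "as of" date so the results are reproducible

# Constructed sample inventory (hostnames and dates are made up for the example).
ACCOUNTS = [
    Account("win-fs01", "windows", "Administrator", True, date(2007, 3, 10), date(2006, 1, 15), never_expires=True),
    Account("unix-db02", "unix", "root", True, date(2007, 3, 12), date(2007, 1, 20)),
    Account("ora-prod1", "oracle", "SYS", True, date(2006, 11, 1), date(2006, 6, 1)),
    Account("ora-prod1", "oracle", "DBSNMP", True, date(2007, 1, 5), date(2006, 12, 1)),
    Account("cisco-core", "cisco", "enable", True, None, date(2007, 2, 1)),
    Account("win-fs01", "windows", "jdoe", False, date(2006, 12, 1), date(2006, 12, 1)),
]


def count_by_platform(accounts) -> Dict[str, int]:
    """Step 1: how many privileged accounts exist on each platform."""
    return dict(Counter(a.platform for a in accounts if a.privileged))


def inactivity_actions(accounts, today: date) -> Dict[str, str]:
    """Step 3: map 'system/account' -> 'disable' (idle >= 60 days) or 'delete' (idle >= 90 days).
    An account that has never logged on is aged from its password-set date."""
    actions = {}
    for a in accounts:
        idle = today - (a.last_logon or a.password_set)
        if idle >= DELETE_AFTER:
            actions[f"{a.system}/{a.name}"] = "delete"
        elif idle >= DISABLE_AFTER:
            actions[f"{a.system}/{a.name}"] = "disable"
    return actions


def expiry_findings(accounts, today: date) -> Dict[str, str]:
    """Step 4: privileged accounts flagged 'Password Never Expires' or older than MAX_PASSWORD_AGE."""
    findings = {}
    for a in accounts:
        if not a.privileged:
            continue
        key = f"{a.system}/{a.name}"
        if a.never_expires:
            findings[key] = "never_expires"
        elif today - a.password_set > MAX_PASSWORD_AGE:
            findings[key] = "rotation_overdue"
    return findings


if __name__ == "__main__":
    print("Privileged accounts per platform:", count_by_platform(ACCOUNTS))
    for acct, action in inactivity_actions(ACCOUNTS, TODAY).items():
        print(f"{action:8} {acct}")
    for acct, issue in expiry_findings(ACCOUNTS, TODAY).items():
        print(f"{issue:17} {acct}")
```

The never-expires check is deliberately evaluated before the age check: an account with the flag set is a finding regardless of when its password was last changed, because the flag is what removes it from the expiration cycle.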

5. Don’t forget embedded accounts
One aspect that can frequently be overlooked is the embedded account, and the individuals who have access to this account. There are probably hundreds, if not thousands, of embedded accounts in most organisations.

These passwords are hard-coded in applications that require access to databases or other information sources. Because the application cannot work with an identity management system, or with an authentication system that requires interaction with the host, its account credentials are embedded in the application code. Remember to include these accounts in your privileged password list.
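Finding embedded accounts usually starts with a search of source and configuration files. The scanner below is an added example, not code from the article or from Cyber-Ark: it looks for two common shapes of hard-coded credential (a `password=`-style assignment and a `user/password@host` connect string), skips values that merely reference an environment variable or template placeholder, and reports each hit with the secret redacted so the report itself does not become another copy of the password. The sample file names and contents are constructed for the example.

```python
"""Scanner for embedded credentials in application files (added example,
not the article's or Cyber-Ark's code). Step 5 says hard-coded account
passwords must be found and put on the privileged-password list; this
script finds two common shapes of embedded credential in source and
config text and reports them with the secret redacted. The sample files,
their names and their contents are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "files": filename -> contents. Not taken from any real project.
SAMPLE_FILES: Dict[str, str] = {
    "report.sh": 'sqlplus "scott/tiger@PROD" @nightly.sql\n',
    "db.properties": "db.user=appuser\ndb.password=S3cretPass!\n",
    "Conn.java": 'String url = "jdbc:oracle:thin:appuser/Welcome1@dbhost:1521:PROD";\n',
    "settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',  # read at runtime, not embedded
    "README.md": "Set db.password in db.properties before first run.\n",
}

# Two credential shapes: key=value assignments and user/password@host connect strings.
KEY_VALUE = re.compile(r'(?i)(?:password|passwd|pwd)\s*[=:]\s*["\']?([^\s"\']+)')
USER_PASS_HOST = re.compile(r'\b([A-Za-z][\w.-]*)/([^\s@"\']+)@[\w.:-]+')

# Values that point at a runtime source or a template are not embedded secrets.
REFERENCE_MARKERS = ("environ", "getenv", "${", "%(", "<")


@dataclass
class Finding:
    file: str
    line: int
    kind: str               # "key_value" or "user_pass_at_host"
    account: Optional[str]  # account name when the pattern carries one
    secret_hint: str        # first character plus asterisks, never the full secret


def redact(secret: str) -> str:
    """Keep one character so a finding can be matched to the inventory without exposing the value."""
    return secret[0] + "*" * (len(secret) - 1)


def is_reference(value: str) -> bool:
    return any(marker in value for marker in REFERENCE_MARKERS)


def scan_text(filename: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in USER_PASS_HOST.finditer(line):
            findings.append(Finding(filename, lineno, "user_pass_at_host", m.group(1), redact(m.group(2))))
        for m in KEY_VALUE.finditer(line):
            if not is_reference(m.group(1)):
                findings.append(Finding(filename, lineno, "key_value", None, redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line} {f.kind:18} account={f.account} secret={f.secret_hint}")
```

Every hit is a candidate for the inventory from step 1, and each one also identifies an account whose password cannot be rotated by the step 4 policy until the application is changed to fetch it from a managed store instead of carrying it in the code.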

6. Automate, automate, automate
Wherever possible, automate all of the above processes. One of the problem areas in IT is that it is virtually impossible to anticipate the details an audit will require, such as which systems and privileged users will be examined, over what period of time, and so on.

Trying to compile this manually increases the time required and the likelihood of error. This in turn can create a control risk and will only extend the auditing process. The end result is increased costs associated with the audit, plus the additional costs of meeting the compliance requirements. The goal: a successful and non-time-consuming audit.

In today’s environment, it’s not a question of if the issue of privileged passwords will cross the IT doorstep, only when.

If you are prepared with a comprehensive assessment of your password liability, a solid policy for controlling privileged passwords, and a reasonable plan for implementing a management system, then I feel confident you can leave your aspirin in the bottle. Managing privileged passwords will be one IT headache you’ll miss!

Calum MacLeod is European Director of Cyber-Ark
