iTnews

Six simple steps to managing privileged passwords

By Calum MacLeod, on Mar 13, 2007 4:00PM
Six simple steps to managing privileged passwords

One of today's biggest IT headaches is managing privileged passwords, the super-powerful codes such as administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device, as well as embedded passwords found in applications and scripts.

If privileged passwords are not properly managed and secured, it leaves critical applications and the data they contain vulnerable to deliberate or inadvertent misuse, breaches and data theft.

In fact, up to 70 percent of system breaches are caused by internal users, and in particular, privileged administrators and power users who accidentally or deliberately damage IT systems or release confidential data assets. To make your temples throb even more, a recent survey showed that most enterprises have more passwords for privileged accounts than for individuals (Source: Cyber-Ark Privileged Password Survey 2006.)

As companies continue to leave a multitude of privileged passwords unchecked, they are inadvertently creating a critical security risk that enterprises can no longer ignore and must address. For this reason, privileged accounts are under increasing scrutiny by internal and external auditors, and the inability to safeguard the use of administrative or privileged passwords is becoming one of the key reasons that many organizations fail compliance audits.

Privileged password management should be a basic tenet of IT security best practices, regardless of where an organization is or what products and services it offers. So how can you get privileged passwords under control, fast?

I work for a software company that specializes in managing privileged passwords, and here are the top six steps I see successful organizations take when they enter this area.

1. Count your privileged passwords
This is a simple step, but one that’s often overlooked. For example, one Fortune 100-sized company found that each of their 300 Oracle databases had about 30 pre-defined accounts, including SYS, SYSTEM, DBSNMP, CTXSYS, MDSYS, WMSYS and XDB. This quickly added up to 9,000 privileged passwords on Oracle alone! The best way to start managing privileged passwords is to create a checklist of operating systems, databases, appliances, routers, servers, directories, and applications throughout your enterprise. Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, you can easily create a plan to secure, manage and automatically change and log all privileged passwords.

2. Personalize who has privileged or super user access
Auditors require that enterprises prove which individual identity, such as Jane Doe, accessed a shared privileged account, such as UNIX root user.

How can you accomplish this task? The most straightforward method is to centralise all your privileged passwords into one spot. However, once you have all your most powerful passwords in one place, it should be the most secure area in your organization. By the end of step two, make sure your password storage is well-protected.

3. All inactive accounts should be disabled after 60 days and deleted after 90 days.
This control is critical in large organisations, which can have hundreds of people coming and going every few months.

Meanwhile, the complexities of the human resources process can make it hard to delete inactive accounts from an Active Directory environment. Throw in weak password policies and you have the makings of substantial risk from inactive accounts.

4. Make sure that passwords expire regularly
Most organisations will apply a password expiration policy for general users, but frequently privileged users and administrators who are responsible for management will exclude the privileged accounts from this process.

A common issue found by auditors is that administrators exclude themselves from the password expiration cycle, by selecting the "Password Never Expires" flag. Be sure to avoid this trap and change privileged passwords per company policy.

5. Don’t forget embedded accounts
One aspect that can frequently be overlooked is the embedded account, and the individuals who have access to this account. There are probably hundreds, if not thousands, of embedded accounts in most organisations.

These passwords are hard-coded in applications that require access to databases or other information sources. Since the application is incapable of working with an identity management system or an authentication system that requires interaction with the host system, the account credentials are embedded in the application code. Remember to include these accounts in your privileged password list.

6. Automate, automate, automate
Wherever possible, automate all of the above processes. One of the problem areas in IT is that it is virtually impossible to anticipate the details required for an audit, such as what systems and privileged users will be examined, what period of time, etc.

Trying to compile this manually increases the time required and the likelihood of error. This in turn can result in a control risk, and will only extend the auditing process. The end result is increased costs associated with an audit, and additional costs of meeting the compliance requirements. The goal: A successful and non-time-consuming audit

In today’s environment, it’s not a question of if the issue of privileged passwords will cross the IT doorstep, only when.

If you are prepared with a comprehensive assessment of your password liability, a solid policy for controlling privileged passwords, and a reasonable plan for implementing a management system, then I feel confident you can leave your aspirin in the bottle. Managing privileged passwords will be one IT headache you’ll miss!

Calum MacLeod is European Director of Cyber-Ark
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
managing passwords privileged security simple six steps to
In Partnership With
By Calum MacLeod,
Mar 13 2007
4:00PM
0 Comments

Related Articles

  • Bots hit up Australian Red Cross 900 times for bushfire donations
  • RangeAmp attacks turn CDNs into giant DoS cannons
  • Latvia to launch Google-Apple friendly coronavirus contact tracing app
  • UK plans cut in Huawei's 5G network involvement - newspaper report
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Centrelink loses welfare payments overhaul chief

Centrelink loses welfare payments overhaul chief
Key EDS witness bought internet degree

Key EDS witness bought internet degree
ACCC questions consumer need for higher-priced 100Mbps NBN services

ACCC questions consumer need for higher-priced 100Mbps NBN services
Toll Group may have lost over 200GB of data in ransomware attack

Toll Group may have lost over 200GB of data in ransomware attack
You must be a registered member of iTnews to post a comment.
Log In | Register

Whitepapers from our sponsors

Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
TechTarget: Organizations Increasing Their Adoption of NFV
TechTarget: Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD
The Maturity of Zero Trust in Australia and New Zealand
The Maturity of Zero Trust in Australia and New Zealand

Events

  • University Strategic Planning and Resource Management Summit 2020
  • Shure IntelliMix (Part 3): It’s not me, It’s you!
  • Shure IntelliMix (Part 4): Discussion or Pub Brawl?
  • FREE Online Event: Cyber Sercurity in the Age of Covid-19
  • 3rd Enterprise Architecture Summit 2020
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.