Privileged and administrative passwords are used by IT folks for the care and feeding of devices and systems in the enterprise network. The problem is that these super-duper passwords are very powerful, and IT workers are not necessarily more honest or careful than non-IT folks.
Such passwords can cause big problems. It's not clear if the man cited in this Marion Chronicle Tribune story is guilty of anything. Indeed, he has not even been charged. What the story -- which focuses on computers used by the Grant County, Indiana, assessor's office -- makes clear is that organizations are inviting trouble if they don't carefully tend to their administrative/privileged passwords.
Privileged/administrative password vulnerability is closely linked with insider threats. The beginning of this Help Net Security feature offers several examples of recently terminated IT individuals who used their privileged passwords to cause havoc for their former employer. Indeed, the damage caused by one disgruntled (that word has to be used in such a story) ex-employee required a whopping 1,800 man hours to fix. There are other good tip sheets available, such as this one from Security Products.
The Help Net piece provides a starting point to safe deployment and management of privileged passwords. The author suggests creating a comprehensive list of the privileged passwords in an organization, organizing these passwords in a way that prevents users from hiding their identities, changing the passwords on a regular basis, storing the passwords securely, deploying them gradually, and paying attention to passwords used in machine-to-machine communications.
Organizations that focus too closely on the security issue du jour can lose track of vulnerabilities that exist under the radar. Poorly managed and administered privileged passwords are one of these threats. Smart organizations should take note and make sure that their privileged users indeed deserve the privileges. There is is a lot of work yet to be done.