The NSA scandal involving Edward Snowden’s abuse of account passwords has raised major concerns around the risk posed by privileged insiders. Recently, the notoriously secretive Coca-Cola company suffered a high-profile data breach, which brings into question how often password theft and abuse occur unnoticed. Many organizations are now wondering how they can avoid the same risk from their own IT administrators and contractors who often have unfettered access to the keys to the IT kingdom: privileged IT passwords.
One area that continues to be vulnerable is the unmanaged privileged account. Privileged passwords are created and used by trusted IT administrators to maintain servers, configure services, and install new software or devices. These accounts are a constant risk, both from external hackers and curious or disgruntled insiders.
There are a number of common mistakes that IT administrators make when safeguarding privileged account passwords, but many can be easily avoided. Thycotic Software, a provider of privileged account management solutions for global organizations, has compiled a list of the “deadly sins” of privileged password management and tips for how IT administrators can keep their accounts secure.
Using the same password for multiple accounts
Most people know they should use a different password for each account, but the difficulty of remembering complex passwords often leads them to use a single, standard password everywhere. Hackers rely on password reuse to get “all for the price of one” account access: with a user’s one reused password, they can potentially access every account or service that individual uses. By making it a common practice to use different passwords for every account, administrators can limit their organization’s exposure in the event of a leaked password. Tools are also available to automatically generate (and help you easily remember) strong, random passwords that are much more secure.
Not changing passwords on a regular basis
Passwords can be broken given enough time and freely downloadable tools for pass-the-hash or brute-force attacks. The longer a password is in use, the longer a hacker has to, well, hack it. Ideally, passwords should be randomly generated, using the full character set and maximum length each platform allows, and changed regularly for end-user, admin, application and service accounts. Mission-critical equipment and anything with domain administrator access should have its passwords changed automatically after each login.
Sharing passwords with more than one user at a time
Allowing more than one user to know the password to a privileged account increases the risk for malicious action. For example, imagine one of those employees leaves the company. It would be impossible to know if the current or previous employee is using the password. Now, say “deadly sin” #1 is also an issue: that password enables access to multiple accounts. Not only would the company not know who is using the password, but they wouldn’t know exactly what is being accessed. By making passwords available to only one user at any given time, determining true accountability in the event of a breach becomes much more straightforward.
Ignoring account credentials for employees who have left the organization
When companies lose IT employees or are forced to downsize, data security can be a big liability. Part of any employee exit procedure should include immediate revocation of account credentials. This is more than simply changing Active Directory passwords. It should include credential access for any applications, systems and services they used during employment. Even when leaving on good terms, ex-employees still have the potential to undermine an organization’s security. By changing all vulnerable passwords immediately, organizations can gain peace of mind that their data is still secure, even in the face of high employee turnover.
Using weak, non-random passwords
Many users continue to believe that simply adding numbers or special characters to an otherwise unimaginative password can make it unique enough to fool cybercriminals. This is definitely not the case. In order to increase password security, users should find the maximum length and character set options for a platform and use a random password generator to create a truly unique password that is much more difficult to break, even by brute force attacks.
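As an added example, not code from the original article or from Thycotic, the following Python compares the “dictionary word plus a digit and a symbol” pattern described above with a password drawn uniformly from the full printable character set at the platform’s maximum length, which is what this item and the “Not changing passwords” item recommend. The 100,000-word guessing list and the 10 billion guesses per second are assumed figures for illustration only.

```python
import math
import secrets
import string

# Full printable ASCII set most platforms accept: 26 + 26 + 10 + 32 = 94 symbols.
ALL_CHARS = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALL_CHARS) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length must be >= 1 and alphabet needs >= 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly from alphabet_size ** length options."""
    return length * math.log2(alphabet_size)


def naive_entropy_bits(password: str) -> float:
    """What a simple 'complexity' meter reports: length * log2(classes present).
    This overstates strength for patterned passwords such as 'Password1!'."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            size += len(cls)
    return len(password) * math.log2(size) if size else 0.0


def patterned_entropy_bits(word_count: int = 100_000, digits: int = 1,
                           symbols: int = 1) -> float:
    """Realistic entropy of 'DictionaryWord' + digits + symbol when the attacker
    guesses from a word list (assumed size word_count) and appends the suffix."""
    return (math.log2(word_count) + digits * math.log2(10)
            + symbols * math.log2(len(string.punctuation)))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, round(random_entropy_bits(len(pw), len(ALL_CHARS)), 1), "bits")
    print("Password1! meter says", round(naive_entropy_bits("Password1!"), 1),
          "bits; realistic", round(patterned_entropy_bits(), 1), "bits")
```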
Storing passwords in a non-secure location
In lieu of using one password for all accounts, some users keep track of credentials manually, using Excel spreadsheets or, worse, sticky notes on their desks or PCs. Spreadsheets can be encrypted and password protected, but anyone with access to the spreadsheet can still see all of the network passwords, making it impossible to know who is accessing each network device. Passwords should always be stored somewhere securely, where user access can be controlled, monitored and restricted. Using an enterprise password management tool with strong encryption, granular permissions and full auditing simplifies the process and provides additional security.
Losing track of service account passwords and where they are used
Service account passwords are often used by many different applications, like automatic backups and other tools that require network access for day-to-day functionality. Service account credentials have broad access across the network, so they need to be changed on a regular basis. Unfortunately, they are used in so many places on a network that they are often purposefully ignored by IT administrators – many admins are afraid that if they change the password, a host of other applications will break, with the potential of causing serious downtime. To effectively protect service accounts, IT admins need a tool that can detect all of the applications dependent on each service account and automatically update credentials without downtime. Instituting a process for service account management can reduce the risk of attack while avoiding service outages due to mismanaged accounts.