It's Been a Privilege

Managing privileged passwords now can mean fewer audit headaches later

ONE of today's biggest IT headaches is managing privileged passwords: the credentials of the most powerful accounts, such as Administrator on a Windows® server, root on a UNIX server and the enable password on a Cisco device, as well as the embedded passwords found in applications and scripts. If privileged passwords are not properly managed and secured, critical applications and data are left vulnerable to deliberate or inadvertent misuse, breaches and data theft. The article cites estimates that up to 70 percent of system breaches involve internal users, privileged administrators and power users who accidentally or deliberately damage IT systems or release confidential data. Even more disturbing, a recent survey shows that most enterprises have more passwords for privileged accounts than for people.

As companies continue to leave a multitude of privileged passwords unchecked, they are inadvertently creating a critical security risk that enterprises can no longer ignore. For this reason, privileged accounts are under increasing scrutiny by internal and external auditors, and the inability to safeguard the use of administrative or privileged passwords is becoming one key reason many organizations fail compliance audits.

How to Pass
Privileged password management should be a basic tenet of IT security best practice, regardless of where an organization is located or what products and services it offers. So how can you quickly get privileged passwords under control? Here are six steps successful organizations take.

Count your privileged passwords. This is a simple step, but one that's often overlooked. For example, one Fortune 100-sized company found each of its 300 Oracle databases had about 30 pre-defined accounts, including SYS, SYSTEM, DBSNMP, CTXSYS, MDSYS, WMSYS and XDB. This quickly added up to 9,000 privileged passwords on Oracle alone. The best way to start is to create a checklist of operating systems, databases, appliances, routers, servers, directories and applications throughout the enterprise. Each target system has at least one privileged account and usually several; as the Oracle case shows, a database can ship with dozens. Add them up, and determine which area poses the greatest risk. With this data in hand, you can create a plan to secure, manage, automatically change and log all privileged passwords.

Personalize who has privileged or super-user access. Auditors require that enterprises prove which individual identity, such as Jane Doe, accessed a shared privileged account such as UNIX root. How can you accomplish this? The most straightforward method is to centralize all privileged passwords in one place and release each one only to a named, authenticated person, recording who checked it out and when; that log is what ties the shared account back to the individual. However, once all the most powerful passwords are in one place, that store becomes the highest-value target in your organization, so it must also be the best-protected area. By the end of step two, make sure password storage is well-protected and that access to it is itself logged.

Disable inactive accounts after 60 days and delete them after 90 days. This control is critical in large organizations, which can have hundreds of people coming and going every few months. Meanwhile, the complexities of the HR process can make it hard to delete inactive accounts from an Active Directory environment. Throw in weak password policies, and you have the makings of substantial risk from inactive accounts.

Make sure that passwords expire regularly. Most organizations apply a password-expiration policy to general users, but the privileged users and administrators responsible for managing that policy frequently exclude the privileged accounts from it. A common issue found by auditors is that administrators exempt themselves from the expiration cycle by setting the "Password Never Expires" flag on their own accounts. Avoid this trap: enumerate every account carrying that flag, and change privileged passwords per company policy.

Don't forget embedded accounts. One aspect frequently overlooked is the embedded account and the individuals who have access to it. There are probably hundreds, if not thousands, of embedded accounts in most organizations. Their passwords are hard-coded in applications and scripts that need access to databases or other information sources. Because the application cannot interact with an identity management system or an authentication system that expects a person at the keyboard, the account credentials are written into the application code, and from there they travel into source control, backups and copies on developer workstations. Remember to include these accounts in the privileged password list.

Automate, automate, automate. Wherever possible, automate all of the above processes. One of the problem areas in IT is that it is virtually impossible to anticipate the details an audit will require, such as which systems and privileged users will be examined and for what period of time. Compiling the information manually increases both the time required and the likelihood of error. This, in turn, creates a control risk and only extends the auditing process. The end result is increased audit costs and additional costs of meeting compliance requirements.
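The six steps above carried through as one worked audit. This is an added example, not code from the original article or from any vendor: it applies the 60/90-day inactivity thresholds and the expiry check to a constructed inventory, counts accounts per platform (step one), and scans a constructed shell script for the hard-coded credentials step five warns about. The host names, account names, dates, the 90-day rotation period and the two regular expressions are all assumptions made for the example.

```python
"""Privileged-account inventory audit and embedded-credential scan.

Added example for this article, not code from the magazine or any vendor.
Policy thresholds follow the article; the rotation period, systems, dates
and the sample script below are assumptions constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISABLE_AFTER_DAYS = 60     # from the article
DELETE_AFTER_DAYS = 90      # from the article
MAX_PASSWORD_AGE_DAYS = 90  # assumed company rotation policy


@dataclass
class PrivilegedAccount:
    system: str                   # host, database or device the account lives on
    platform: str                 # windows / unix / oracle / cisco ...
    name: str                     # Administrator, root, SYS, enable ...
    last_logon: Optional[date]    # None = the system keeps no logon record
    password_set: Optional[date]  # None = unknown, treated as overdue
    never_expires: bool = False   # the "Password Never Expires" flag
    embedded: bool = False        # hard-coded in an application or script


def audit_account(acct, today):
    """Return the policy findings for one account, in a fixed order."""
    findings = []
    if acct.last_logon is None:
        findings.append("NO_LOGON_DATA")        # cannot prove the account is in use
    else:
        idle_days = (today - acct.last_logon).days
        if idle_days > DELETE_AFTER_DAYS:
            findings.append("DELETE_INACTIVE")
        elif idle_days > DISABLE_AFTER_DAYS:
            findings.append("DISABLE_INACTIVE")
    if acct.never_expires:
        findings.append("NEVER_EXPIRES_FLAG")   # the trap auditors look for
    if acct.password_set is None or (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("ROTATE_PASSWORD")
    return findings


def audit_inventory(accounts, today):
    """Map 'system/account' -> findings for every account that fails a check."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[f"{acct.system}/{acct.name}"] = findings
    return report


def count_by_platform(accounts):
    """Step one: know how many privileged accounts you have, and where."""
    counts = {}
    for acct in accounts:
        counts[acct.platform] = counts.get(acct.platform, 0) + 1
    return counts


# Two common shapes of embedded credentials: KEY=value assignments and
# scheme://user:password@host URLs. Assumed patterns; tune them per code base.
ASSIGN_RE = re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"';]+)")
URL_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^:/\s@]+):([^@\s]+)@")


def find_embedded_credentials(text):
    """Locate hard-coded credentials without copying the secret into the report."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m:
            hits.append({"line": lineno, "kind": "assignment", "account": None,
                         "secret_length": len(m.group(1))})
        m = URL_RE.search(line)
        if m:
            hits.append({"line": lineno, "kind": "url", "account": m.group(1),
                         "secret_length": len(m.group(2))})
    return hits


TODAY = date(2007, 2, 1)  # assumed audit date

# Constructed inventory: systems, names and dates are invented for the example.
INVENTORY = [
    PrivilegedAccount("win-dc01", "windows", "Administrator", date(2007, 1, 30), date(2005, 6, 1), never_expires=True),
    PrivilegedAccount("unix-db01", "unix", "root", date(2007, 1, 28), date(2006, 12, 15)),
    PrivilegedAccount("unix-db01", "oracle", "SYS", date(2006, 10, 1), date(2006, 10, 1)),
    PrivilegedAccount("unix-db01", "oracle", "DBSNMP", None, date(2006, 10, 1)),
    PrivilegedAccount("rtr-core01", "cisco", "enable", date(2006, 11, 20), date(2006, 11, 20)),
]

SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly export job (constructed sample, not a real script)
export ORACLE_SID=ORCL
DB_PASSWORD="Summer2007!"
sqlplus system/$DB_PASSWORD@ORCL @export.sql
curl ftp://backup:b4ckup@archive.example.com/exports/
"""

if __name__ == "__main__":
    print("accounts per platform:", count_by_platform(INVENTORY))
    for key, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{key:26} {', '.join(findings)}")
    for hit in find_embedded_credentials(SAMPLE_SCRIPT):
        print("embedded credential:", hit)
```

Run against a real inventory, `audit_inventory` is the report the auditor asks for: every account, what is wrong with it, and (via `count_by_platform`) where the bulk of the exposure sits. The scanner deliberately records only the line and the secret's length, not the secret, so the audit report does not itself become a copy of the passwords; accounts it turns up belong in the inventory with `embedded=True` so that the same checks apply to them.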

Successful and Non-Time-Consuming Audit
In today's environment, it's not a question of if the issue of privileged passwords will cross the IT doorstep, only when. If you are prepared with a comprehensive assessment of password liability, a solid policy for controlling privileged passwords and a reasonable plan for implementing a management system, then you can leave your aspirin in the bottle: managing privileged passwords will be one IT headache you won't have.

This article originally appeared in the February 2007 issue of Security Products, pg. 30.
