It's Been a Privilege
Managing passwords now can help lead to less audit headaches later
- By Calum McLeod
- Feb 02, 2007
One of today's biggest IT headaches is managing privileged
passwords, the super-powerful codes such as Administrator on a Windows®
server, root on a UNIX server, Cisco Enable on a Cisco device, as well
as embedded passwords found in applications and scripts. If privileged
passwords are not properly managed and secured, critical
applications and data are left vulnerable to deliberate or inadvertent misuse,
breaches and data theft. In fact, up to 70 percent of system breaches
are caused by internal users, privileged administrators and power users
who accidentally or deliberately damage IT systems or release
confidential data assets. Even more disturbing, a recent survey shows
most enterprises have more passwords for privileged accounts than for
people.
As companies continue to leave a multitude of privileged passwords
unchecked, they are inadvertently creating a critical security risk that
enterprises can no longer ignore and must address. For this reason,
privileged accounts are under increasing scrutiny by internal and
external auditors, and the inability to safeguard the use of
administrative or privileged passwords is becoming one key reason many
organizations fail compliance audits.
How to Pass
Privileged password management should be a basic tenet of IT
security best practices, regardless of where an organization is or what
products and services it offers. So how can users quickly get
privileged passwords under control? Here are six steps successful
organizations take when they tackle the problem.
Count your privileged passwords. This is a simple step, but
one that's often overlooked. For example, one Fortune 100-sized company
found each of its 300 Oracle databases had about 30 pre-defined
accounts, including SYS, SYSTEM, DBSNMP, CTXSYS, MDSYS, WMSYS and XDB.
This quickly added up to 9,000 privileged passwords on Oracle alone.
The best way to start managing privileged passwords is to create a
checklist of operating systems, databases, appliances, routers,
servers, directories and applications throughout the enterprise. Each
target system typically has between one and five privileged accounts.
Add them up, and determine which area poses the greatest risk. With
this data in hand, users can easily create a plan to secure, manage,
automatically change and log all privileged passwords.
Personalize who has privileged or super-user access. Auditors
require that enterprises prove which individual identity, such as Jane
Doe, accessed a shared privileged account such as UNIX root user. How
can you accomplish this task? The most straightforward method is to
centralize all privileged passwords into one spot. However, once all
the most powerful passwords are in one place, it should be the most
secure area in your organization. By the end of step two, make sure
password storage is well-protected.
Disable and delete inactive accounts. All inactive accounts should be
disabled after 60 days and deleted after 90 days.
This control is critical in large organizations, which can have
hundreds of people coming and going every few months. Meanwhile, the
complexities of the HR process can make it hard to delete inactive
accounts from an Active Directory environment. Throw in weak password
policies, and you have the makings of substantial risk from inactive
accounts.
Make sure that passwords expire regularly. Most organizations
will apply a password-expiration policy for general users, but
frequently privileged users and administrators who are responsible for
management will exclude the privileged accounts from this process. A
common issue found by auditors is that administrators exclude
themselves from the password expiration cycle by selecting the
"Password Never Expires" flag. Be sure to avoid this trap and change
privileged passwords per company policy.
Don't forget embedded accounts. One aspect frequently
overlooked is the embedded account and individuals who have access to
it. There are probably hundreds, if not thousands, of embedded accounts
in most organizations. These passwords are hard-coded in applications
that require access to databases or other information sources. Since
the application is incapable of working with an identity management
system or an authentication system that requires interaction with the
host system, the account credentials are embedded in the application
code. Remember to include these accounts in a privileged password list.
Automate, automate, automate. Wherever possible, automate all
of the above processes. One of the problem areas in IT is that it is
virtually impossible to anticipate the details required for an audit, such
as which systems and privileged users will be examined and what period
of time will be covered. Trying to compile the information manually increases the time
required and the likelihood of error. This, in turn, can result in a
control risk and will only extend the auditing process. The end result
is increased costs associated with an audit and additional costs of
meeting compliance requirements.
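The six steps above can be checked against a plain account inventory. The following is an added example, not code from the article or from any product; the hosts, accounts and dates are constructed, the 60/90-day inactivity thresholds are the article's, and the 90-day maximum password age is an assumed policy value:

```python
from datetime import date

# Constructed inventory (hypothetical hosts and accounts, not real data): one
# entry per account found on a target system, as the step 1 checklist would
# collect it; "privileged" covers admin, root, SYS-style and embedded accounts.
ACCOUNTS = [
    {"system": "ora-db01", "account": "SYS", "privileged": True,
     "last_logon": date(2007, 1, 20), "pwd_last_set": date(2006, 6, 1), "never_expires": False},
    {"system": "ora-db01", "account": "SYSTEM", "privileged": True,
     "last_logon": date(2007, 1, 25), "pwd_last_set": date(2007, 1, 1), "never_expires": False},
    {"system": "win-fs02", "account": "Administrator", "privileged": True,
     "last_logon": date(2007, 2, 1), "pwd_last_set": date(2005, 3, 1), "never_expires": True},
    {"system": "win-fs02", "account": "jdoe", "privileged": False,
     "last_logon": date(2006, 11, 20), "pwd_last_set": date(2006, 11, 1), "never_expires": False},
    {"system": "unix-app03", "account": "root", "privileged": True,
     "last_logon": date(2006, 10, 15), "pwd_last_set": date(2006, 10, 15), "never_expires": False},
    {"system": "unix-app03", "account": "appsvc", "privileged": True,  # embedded app account
     "last_logon": date(2007, 2, 2), "pwd_last_set": date(2004, 1, 1), "never_expires": True},
]

# 60/90-day thresholds from the article; the 90-day max password age is assumed.
POLICY = {"disable_after": 60, "delete_after": 90, "max_pwd_age": 90}

def count_privileged(accounts):
    """Step 1: privileged accounts per target system, plus the grand total."""
    per_system = {}
    for a in accounts:
        if a["privileged"]:
            per_system[a["system"]] = per_system.get(a["system"], 0) + 1
    return per_system, sum(per_system.values())

def audit(accounts, today, policy=POLICY):
    """Steps 3 and 4: return (system, account, finding) tuples for accounts
    that are inactive or whose privileged password has escaped expiry."""
    findings = []
    for a in accounts:
        idle_days = (today - a["last_logon"]).days
        if idle_days >= policy["delete_after"]:
            findings.append((a["system"], a["account"], "delete-inactive"))
        elif idle_days >= policy["disable_after"]:
            findings.append((a["system"], a["account"], "disable-inactive"))
        if a["privileged"]:
            # The "Password Never Expires" trap auditors look for, then plain age.
            if a["never_expires"]:
                findings.append((a["system"], a["account"], "never-expires"))
            elif (today - a["pwd_last_set"]).days > policy["max_pwd_age"]:
                findings.append((a["system"], a["account"], "stale-password"))
    return findings
```

Running `audit(ACCOUNTS, date(2007, 2, 2))` on the constructed inventory yields six findings, including both an inactivity and a stale-password finding for the same root account.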
Successful and Non-Time-Consuming Audit
In today's environment, it's not a question of if the issue of
privileged passwords will cross the IT doorstep, only when. If you are
prepared with a comprehensive assessment of password liability, a solid
policy for controlling privileged passwords and a reasonable plan for
implementing a management system, then you can leave your aspirin in
the bottle: managing privileged passwords will be one IT headache you'll
miss.
This article originally appeared in the February 2007 issue of Security Products, pg. 30.