IT Security Guru

IT Pros Don’t Change Their Passwords – Oh, the Irony

by The Gurus
May 13, 2016
in News

You are probably sick and tired of your IT team banging on about changing your passwords regularly, but nobody chases the IT team to change their own privileged passwords (admin, root and the like). We assume they follow their own advice, yet ironically a majority (55%) of IT professionals make end users change their passwords more often than they change administrative credentials. That is according to a survey of almost 200 IT professionals at RSA Conference 2016 by Lieberman Software.
The figure is not surprising. Without an automated solution to manage all the privileged credentials that exist in a large network, administrative passwords in many organisations are rarely updated at all. Admittedly, it is hard enough for IT staff to keep track of every admin password; it gets harder still when you are expected to know every place a credential is used, and what will break when it is changed. But because of the sensitive systems these credentials protect, frequent privileged password changes are essential for good security.
So how often are privileged credentials actually changed? Never, according to the 10% of respondents who were brave enough to admit it. More encouragingly, 74% change administrative passwords at least monthly, which is better, and meets the 30-day minimum that many compliance regimes set for privileged credentials.
Even a 30-day rotation may not be frequent enough, though, when you consider that intruders and malicious insiders hunt for passwords that let them jump from system to system until they find what they want. How much damage can they do in 30 days before the stolen credential is invalidated?
Meanwhile, the gold star goes to the 1% who, according to the survey, change their administrative passwords daily.

The Threats Behind Privileged Passwords

So what exactly can go wrong if privileged credentials are not looked after properly? When an employee leaves, there is usually a standard leaver's checklist: physical keys and equipment are returned, documents and contacts are handed over to colleagues, and so on. Yet 15% of respondents said that if they left their organisation they could still reach their admin credentials remotely. That is a serious exposure: the people leaving are the ones who know the passwords that open the systems and applications on the network.
If privileged credentials are not changed continuously, so that a former employee's knowledge of them stops being useful, the odds are that ex-employees retain administrative access long after their employment ends. Every company needs a procedure for changing all privileged passwords and revoking access as soon as someone leaves.
But how secure are the privileged credentials of current employees? As it turns out, 36% of respondents share administrative passwords within their IT groups. Believe it or not, this is common practice. IT pros are busy people, balancing daily administration with unexpected emergency repairs, so to simplify matters systems administrators often reuse the same password across many systems and share it with other administrators.
Yet if an attacker or malicious insider gets hold of that one shared password, they have just gained access to systems right across the network: one phished or dumped credential opens every box it was reused on. Is the convenience of sharing passwords really worth it? Is there a better way to deal with administrative passwords, and what is the best way to mitigate the risk?
There are three steps businesses can take to lift the burden of privileged passwords and reduce the risk they carry:

  1. As this survey highlights, staff, and especially staff with administrative rights, need to be trained to accept that they will no longer hold the power to do harm all of the time; there will be a gate. They can still do everything they did before, with one extra step. Think of it as scanning a badge before walking into the server room: now they scan a virtual badge before entering a secure library where all the privileged credentials are stored. They check out the power they need, everyone can see who has it checked out, and it is checked back in when they are done. It is a small change that makes a big difference.
  2. When a password is checked back in, or when the checkout expires, the password is rotated. But if that is the only time it rotates, an attacker who gets in through a phishing email can quietly harvest credentials and save them for later use. If instead a programme aggressively rotates admin credentials all the time, even when they are not in use, the harvested credentials go stale and the attacker has the rug pulled out from under them.
  3. Now that rights and privileges are under control, hook that control up to the rest of the security stack so everything works as a closed loop. If analytics and logging solutions are already mining security event data for patterns, feed them the data about who legitimately holds which privilege. That enables simple correlations: an action performed with a privileged identity that was not checked out to any authorised user at that moment is suspicious. And if other solutions detect malware or incidents as they happen, a privileged response such as rotating the affected credentials can be automated in near real time with no operational impact.
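The three steps above, as an added example that is not the article's own code and not Lieberman Software's product: a toy Python credential vault in which each system has its own secret (nothing is shared across systems, the practice behind the survey's 36% figure), an admin checks a secret out and back in against a ledger (step 1), the secret is rotated on check-in and again on a schedule while idle (step 2), and a constructed sshd auth log is correlated against that ledger so that a successful login as a privileged identity that nobody had checked out is flagged (step 3). The one-hour check-out, the daily idle rotation, the host and account names, and the log format are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

CHECKOUT_TTL = timedelta(hours=1)   # assumed policy: a check-out is valid for one hour
ROTATE_EVERY = timedelta(days=1)    # assumed policy: rotate idle credentials daily


@dataclass
class Credential:
    account: str                     # "user@host": one secret per system, never shared
    secret: str
    rotated_at: datetime
    checked_out_to: Optional[str] = None
    expires_at: Optional[datetime] = None


@dataclass
class Vault:
    creds: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)   # (when, event, account, who)

    def add(self, account: str, now: datetime) -> None:
        self.creds[account] = Credential(account, secrets.token_urlsafe(18), now)

    def checkout(self, account: str, user: str, now: datetime) -> str:
        """Step 1: the admin 'scans the badge' and takes the secret out on loan."""
        c = self.creds[account]
        if c.checked_out_to and c.expires_at > now:
            raise PermissionError(f"{account} is checked out to {c.checked_out_to}")
        c.checked_out_to, c.expires_at = user, now + CHECKOUT_TTL
        self.ledger.append((now, "checkout", account, user))
        return c.secret

    def checkin(self, account: str, user: str, now: datetime) -> None:
        c = self.creds[account]
        self.ledger.append((now, "checkin", account, user))
        c.checked_out_to = c.expires_at = None
        self._rotate(c, now)             # step 2: the loaned secret dies on return

    def rotate_idle(self, now: datetime) -> list:
        """Step 2: rotate secrets nobody is using, so a harvested copy goes stale."""
        due = [c for c in self.creds.values()
               if (c.checked_out_to is None or c.expires_at <= now)
               and now - c.rotated_at >= ROTATE_EVERY]
        for c in due:
            self._rotate(c, now)
        return [c.account for c in due]

    def _rotate(self, c: Credential, now: datetime) -> None:
        c.secret, c.rotated_at = secrets.token_urlsafe(18), now
        self.ledger.append((now, "rotate", c.account, "vault"))

    def holder(self, account: str, when: datetime) -> Optional[str]:
        """Step 3: who legitimately held `account` at `when`, replayed from the ledger."""
        holder, until = None, None
        for ts, event, acct, who in sorted(self.ledger):
            if acct != account or ts > when:
                continue
            if event == "checkout":
                holder, until = who, ts + CHECKOUT_TTL
            elif event == "checkin":
                holder = None
        return holder if holder is not None and when <= until else None


def suspicious_logins(vault: Vault, log_lines: list) -> list:
    """Step 3: flag successful logins as a vaulted account that nobody had checked out."""
    flagged = []
    for line in log_lines:                      # assumed format: ISO time, host, sshd message
        ts, host, msg = line.split(" ", 2)
        if "Accepted password for " not in msg:
            continue
        user = msg.split("Accepted password for ", 1)[1].split()[0]
        account = f"{user}@{host}"
        if account in vault.creds and vault.holder(account, datetime.fromisoformat(ts)) is None:
            flagged.append((ts, account))
    return flagged


def demo() -> dict:
    t0 = datetime(2016, 5, 13, 9, 0)
    vault = Vault()
    for account in ("root@db01", "admin@web01"):
        vault.add(account, t0)
    loaned = vault.checkout("root@db01", "alice", t0 + timedelta(minutes=10))
    try:                                        # a second admin cannot take the same loan
        vault.checkout("root@db01", "bob", t0 + timedelta(minutes=20))
        refused = False
    except PermissionError:
        refused = True
    vault.checkin("root@db01", "alice", t0 + timedelta(minutes=30))
    log = [  # constructed auth log: one legitimate use, two uses nobody checked out
        "2016-05-13T09:15:00 db01 sshd: Accepted password for root from 10.0.0.5",
        "2016-05-13T09:45:00 db01 sshd: Accepted password for root from 10.0.0.9",
        "2016-05-13T09:50:00 web01 sshd: Accepted password for admin from 10.0.0.9",
        "2016-05-13T09:52:00 web01 sshd: Failed password for admin from 10.0.0.9",
    ]
    return {
        "second_checkout_refused": refused,
        "rotated_on_checkin": vault.creds["root@db01"].secret != loaned,
        "rotated_idle": vault.rotate_idle(t0 + timedelta(days=1)),
        "flagged": suspicious_logins(vault, log),
    }
```

Calling `demo()` returns a dict showing each step at work: bob's check-out is refused while alice holds the loan, the secret alice borrowed no longer matches after her check-in, the untouched admin@web01 secret is rotated a day later even though nobody used it, and two of the four log lines are flagged: the root login on db01 at 09:45, after alice had checked in, and the admin login on web01, which was never checked out at all. In production the ledger and the log would come from a vault and a SIEM rather than in-memory lists, but the correlation rule is the same.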

If businesses automate privileged password management and follow the steps above they will be in a much better position to fight off cybercriminals who attempt to leap over network defences and move around laterally within an organisation’s systems.
For more information on these and other findings (including how many respondents say they’re prepared for a cyber attack) see http://go.liebsoft.com/rsa-conference-2016-survey.
 

© 2015 - 2024 IT Security Guru - Website Managed by Dessol
