“The database administrator is gone, and he took our passwords with him,” the client told internal audit. “What do we do?”
It was a nightmare scenario for the oil and gas company. The IT department used a password manager to store hundreds of system, database, and service account administrative passwords. It did not know that the software could mass-export an unencrypted list of usernames and passwords. Now that vital list was in the hands of a former employee.
Individuals and organizations have flocked to password managers for a secure and convenient method to use passwords to access online services. Yet, despite their benefits, these tools raise security concerns for internal auditors.
A password manager stores account usernames, passwords, credit card numbers, and other sensitive information. Various types of password managers accomplish different goals, and some work better than others.
Personal
Password managers intended for personal use let the user create one master password that encrypts the entire vault holding the user’s various usernames and passwords. The user only has to remember the master password to open the vault.
Team
This type of password manager enables a department to share corporate account passwords among staff members. Using a tool to share login information is more secure than sticky notes, email, or a spreadsheet of usernames and passwords. Each user has an account that grants that person access to the credentials stored in the team password manager.
Personal and team password managers can automatically populate account information when the user opens a sign-in web page. Alternatively, the user can copy and paste the credentials into the login fields of the page.
Enterprise
Often referred to as privileged access management, enterprise password managers are robust, customizable solutions that provide powerful functionality. These tools can automatically change passwords on a timed rotation or after each use of the account. Their monitoring and audit logging capabilities can record who accessed a privileged account, when, and why.
Password managers have two significant security risks. First, when the password manager is locked, the master password sits in the computer’s memory as plain, readable text, outside the tool’s encryption. An intruder who reads this master password can expose every other password in the vault.
Second, password managers can mass-export passwords into a text file, which makes it easy to move passwords using an unencrypted USB drive. In the wrong hands, a password list can provide access to an organization’s environment.
Internal auditors can help organizations mitigate these risks by helping IT weigh password manager options, balancing right-sized functionality for the organization against the related risk. Enterprise password managers are the most secure solution because they change passwords frequently. However, these tools are expensive: they require a good fit with the environment, dedicated IT or cybersecurity specialists, and supporting architecture, and the cost may outweigh the benefits. Depending on the number of accounts that need to be managed, budget-minded organizations may opt for a team password manager.
If the organization chooses a personal or team password manager, internal auditors should provide advice on how to secure it. The organization should consider the tool’s maintenance schedule, security features, and access structure.
Apply Security Updates and Patches
Organizations should check frequently that the software is current and apply available patches promptly. When vulnerabilities are identified, the vendor’s software fixes are the best way to stay protected against them.
Check Security Features and Configurations
Security features only work if they are used correctly. Auditors should check which security options are available and ensure that the organization has implemented controls such as:
- Validate that the password manager uses encryption. Also, verify that it is a legitimate tool and not a fake password manager.
- Configure appropriate password controls, such as minimum length and complexity. The organization should use multifactor authentication, if the tool supports it.
- Disable users’ ability to mass-export passwords to plain text, if possible.
- Enable logging. Some tools log whether anyone performs a mass export of usernames and passwords.
Restrict Administrator Access
Users with administrative access can view every password within the tool or modify its security configuration. Therefore, organizations should strictly limit the number of employees with administrative access.
Implement Role-based Security
Most password managers can limit users’ password access to specific accounts or folders. Organizations should take the approach of least privilege by granting an employee access to a password only when it is needed.
Review Password Sharing With External Users
Some password managers support password sharing with external users, while others allow external sharing of specific credentials only. A downside of this practice is that outside parties could gain unauthorized access to the organization’s data and systems. Auditors should review all the shared passwords in the password manager, determine which passwords can be shared with users outside the organization, and find out whether the password manager logs password sharing.
Consider Business Continuity
For business continuity purposes, password managers for shared accounts ensure that the keys to an important account are not in the hands of just one person. Tools that store account data in the cloud support business continuity by enabling businesses to access stored passwords during an outage.
If the tool is hosted on-site, the organization should consider how account information can be accessed remotely for business continuity. This requires a backup plan, such as exporting all passwords to an external file. However, if the organization does this, it should have appropriate management approval, strictly limit access to the external file, and store the file on an encrypted device.
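As an added example that is not part of the article, the following Python review script applies the configuration checks listed above and, following the approved-export backup plan just described, flags any vault export in the tool’s audit log that has no matching management approval. The configuration keys, the JSON-lines log format, and the approval records are constructed for this example; real products expose different settings and log schemas.

```python
import json
from datetime import datetime, timedelta

# Constructed baseline for the configuration checks above; real tools name
# these settings differently, so the keys are hypothetical.
BASELINE = {"encryption_at_rest": True, "mfa_required": True,
            "min_password_length": 14, "plaintext_export_enabled": False,
            "audit_logging_enabled": True}

# Constructed sample input: one tool configuration, three audit-log events
# (one JSON object per line) and one management approval for a planned export.
SAMPLE_CONFIG = {"encryption_at_rest": True, "mfa_required": False,
                 "min_password_length": 8, "plaintext_export_enabled": True,
                 "audit_logging_enabled": True}
SAMPLE_LOG = [
    '{"ts": "2024-03-01T08:02:00", "user": "backup_svc", "action": "vault.export", "items": 310}',
    '{"ts": "2024-03-01T09:15:00", "user": "dba_admin", "action": "login", "items": 0}',
    '{"ts": "2024-03-01T17:48:00", "user": "dba_admin", "action": "vault.export", "items": 312}',
]
SAMPLE_APPROVALS = [{"user": "backup_svc", "approved_at": "2024-03-01T07:30:00"}]

def check_config(config):
    """Return the settings that deviate from BASELINE (empty list = compliant)."""
    findings = []
    for key, expected in BASELINE.items():
        actual = config.get(key)
        if key == "min_password_length":
            if actual is None or actual < expected:
                findings.append(f"{key}: {actual} (expected >= {expected})")
        elif actual != expected:
            findings.append(f"{key}: {actual} (expected {expected})")
    return findings

def unapproved_exports(log_lines, approvals, window=timedelta(hours=24)):
    """Return (user, timestamp, items) for each export lacking an approval
    for the same user granted within `window` before the export."""
    flagged = []
    for line in log_lines:
        ev = json.loads(line)
        if ev["action"] != "vault.export":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        approved = any(a["user"] == ev["user"] and
                       timedelta(0) <= ts - datetime.fromisoformat(a["approved_at"]) <= window
                       for a in approvals)
        if not approved:
            flagged.append((ev["user"], ev["ts"], ev["items"]))
    return flagged

if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print(unapproved_exports(SAMPLE_LOG, SAMPLE_APPROVALS))
```

On the sample data the script reports three configuration deviations and one export by dba_admin with no approval on record, which is the event an auditor would ask IT to explain.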
When a Breach Occurs
If internal auditors receive a call from IT, concerned that former employees have access to stored passwords, there are ways they can help the organization respond.
First, lock all the doors. If all passwords were exported, auditors should assume all passwords are compromised. The best approach is to change all breached passwords. However, system and service accounts often are linked to background processes, so changing the password could cause crashes or outages. If auditors encounter this situation, they should advise IT to restrict virtual private network access and deny interactive login for those accounts.
Next, call for help — twice. The first call should be to IT and compliance professionals who can help identify potential exposures and related risks. The next call should be to a trusted security firm to execute attack and penetration scenarios aimed at validating whether the organization has addressed critical exposures.
Despite the potential threats, the benefits of password managers greatly outweigh the relative risks. With appropriate oversight and controls, those risk levels can be even lower.