In many companies, one of the greatest threats to IT security is the lack of controls around privileged accounts. This was shown in a March 2007 study conducted by Carnegie Mellon University's Software Engineering Institute, which found that IT insiders commonly acquire and maintain powerful system access even after termination by using privileged account information, such as pre-built administrative IDs (i.e., username and password combinations) and embedded passwords that connect applications. The study showed that in many of the organizations surveyed, system administrators were able to create backdoor accounts with administrator privileges. Because these organizations did not conduct ongoing audits that would have detected the presence of these rogue accounts, administrators used the accounts to execute attacks after their termination. What's more, of the 49 cases studied, 81 percent of the organizations that were attacked experienced a negative financial impact with losses ranging from US $500 to tens of millions of dollars.
As this study demonstrates, strong security controls around privileged data can help organizations protect their IT assets more effectively and avoid the negative financial impact such breaches create. As part of their work, internal auditors can recommend that organizations follow the six best practices below. These steps can be used by any organization to enhance the protection of privileged account information and keep any threats to sensitive data from turning into a security breach nightmare.
Privileged accounts are used by system administrators to modify system data or files, perform special application and database functions, or create user accounts. Given the increased government and industry scrutiny on data protection, effective security measures that meet regulatory requirements and protect privileged account information are needed now more than ever. The next sections describe six steps that can be used as minimum requirements when creating security policies and procedures that protect important IT assets from any kind of security threat.
1. Create an Inventory of Privileged Passwords
Privileged passwords, which are used to access administrative account information and to perform system administrator functions, exist in virtually every device or software application in an organization. Many companies begin the process of securing their privileged passwords by taking an inventory of how many exist and how often they are updated. In this effort, it is important to note that privileged passwords can reside in many places, including:
- Administrative accounts that are shared by multiple IT professionals and that come predefined by the manufacturer, including UNIX root accounts, Cisco's enable mode, and Windows administrator accounts.
- General shared administrative accounts, such as those found in applications used by the IT help desk and operations department, or during emergency and fire-call activities.
- Hard-coded and embedded application accounts, including resource database IDs, generic IDs, batch jobs, testing scripts, and application IDs that secure back-end activities.
- Personal computer accounts, including the Windows local administrator account on laptops and desktops.
Creating an inventory of privileged passwords and the users responsible for managing them will enable the organization to identify which system or IT assets are more vulnerable to an internal or external data security threat. In addition, this list can be used as a checklist when determining whether privileged passwords are properly protected and follow established change management procedures.
2. Ensure an Individual, and not a Generic User, Is Accountable for the Privileged Account
When it comes to managing privileged accounts, a common error is to import all administrator or shared IDs into a system built for managing user accounts associated with a person, such as a privileged password management (PPM) system. The benefit of this approach is that organizations can quickly and automatically update their privileged passwords by searching for them in one location.
Unfortunately, these kinds of systems do not allow organizations to identify who is responsible for maintaining the password. For example, activity reports can show that an administrator identity downloaded a database with information on the company's top clients at 1:47 p.m. on Sunday, May 13, 2007, but due to the lack of specific user information residing in the system, the IT department will not be able to identify the specific individual who performed the activity.
To deliver true accountability, PPM systems must tie an individual identity to a shared account. However, because the data in this system is incredibly sensitive, auditors need to recommend that organizations store this information in an exceptionally secure place, such as a protected embedded system — a special-purpose computer application designed to perform one or a few dedicated functions.
3. Apply — and Enforce — Change Management Policies to Privileged Passwords
Although this may sound obvious, it is surprising how often privileged password policies are not as explicit as those for their human counterparts. For instance, a May 2007 study conducted by security provider Cyber-Ark found that while employees may be forced to change their passwords on their workstations every 30 days, 20 percent of respondents said that desktops and laptops in their organization never had the administrator ID changed from its default ID. In other words, if an employee lost his or her laptop, the finder would be able to search the Internet and find the default administrator password for that computer. Within seconds, the laptop's new owner could have access to all of the systems and information downloaded on the computer.
To ensure privileged passwords are updated frequently, IT departments need to keep accurate and updated records of all privileged password inventories, as well as create, implement, and enforce a change management policy that identifies the rules for creating new passwords, how often passwords need to be changed, where they are going to be stored, and who will have access to the inventory list.
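The inventory from step 1 and the change policy from step 3 can be checked together in one pass. The following is an added example, not part of the original article: the host names, account names, record layout and the 30-day limit are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed inventory: one row per privileged account (step 1).
INVENTORY = [
    {"host": "db01", "account": "root", "owner": "alice",
     "last_changed": date(2007, 5, 1)},
    {"host": "lt-114", "account": "Administrator", "owner": "",
     "last_changed": None},              # None = still the default password
    {"host": "rtr01", "account": "enable", "owner": "bob",
     "last_changed": date(2006, 11, 2)},
]

# Constructed scan result: privileged accounts actually present on hosts.
DISCOVERED = [
    ("db01", "root"), ("db01", "svc_backup2"),
    ("lt-114", "Administrator"), ("rtr01", "enable"),
]


def audit(inventory, discovered, today, max_age_days=30):
    """Return sorted (host, account, finding) tuples.

    max_age_days is an assumed policy value, not one the article sets.
    """
    found = set(discovered)
    known = {(r["host"], r["account"]) for r in inventory}
    results = []
    # Accounts on a system that nobody inventoried: candidates for the
    # backdoor accounts an ongoing audit is meant to detect.
    for key in sorted(found - known):
        results.append(key + ("not in inventory",))
    for r in inventory:
        key = (r["host"], r["account"])
        if not r["owner"]:
            results.append(key + ("no accountable individual",))
        if r["last_changed"] is None:
            results.append(key + ("default password never changed",))
        elif (today - r["last_changed"]).days > max_age_days:
            results.append(key + ("password overdue for change",))
        if key not in found:
            results.append(key + ("listed but not found",))
    return sorted(results)


if __name__ == "__main__":
    for finding in audit(INVENTORY, DISCOVERED, date(2007, 5, 20)):
        print(finding)
```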
4. Store Privileged Passwords Securely
Although this may also sound obvious, it is imperative that organizations store their privileged passwords in the most secure vaulting system available (i.e., a system that provides multiple security layers, such as the use of file access control, encryption, authentication, and firewalls). Storing passwords in sealed envelopes, locked binders, encrypted files that can be easily decrypted, or on wallet-sized cards should not be acceptable alternatives.
5. Create a Staged Approach to Deployment
Privileged passwords are literally the keys that open the door to sensitive company information, which is why they must be secured properly. One common stumbling block for projects around privileged passwords is that once the password inventory is created, the sheer volume and prevalence of these codes becomes overwhelming to maintain. As a result, IT personnel may be tempted into thinking that if they never secured this information before, there's no need to bother now. In situations such as this, internal auditors should work with IT departments in putting together a plan to ensure privileged passwords are not lost or mismanaged. This plan should include a step-by-step process for securing privileged account information with reasonable deadlines, deliverables, and consequences for noncompliance.
6. Change Embedded Passwords
According to the same Cyber-Ark study, although 99 percent of organizations have policies in place that mandate employees to change their personal passwords, up to 42 percent of IT departments never change hard-coded or embedded passwords for application IDs, application testing scripts, and batch jobs. This creates an application-to-application password problem that is exponential. For example, if a company has 300 hosts with two applications each, and each application has five scripts, this translates into a total of 3,000 stored, embedded passwords. Because these passwords are often in clear text and are available to developers and database administrators, the PPM system will not be able to protect each password. As a result, auditors need to recommend that change management policies clearly mandate the need to update hard-coded passwords and outline the specific steps for changing, maintaining, and storing them.
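Before embedded passwords can be brought under change management they have to be located. The following is an added example, not part of the original article: a heuristic scan of scripts and batch jobs for clear-text literals, reporting the location only and never the secret. The file paths, script contents and the two patterns are constructed for illustration and cover only these two literal forms.

```python
import re

# Constructed script contents keyed by host/application/file; a real run
# would read the files from the hosts in the privileged password inventory.
SCRIPTS = {
    "db01/billing/nightly_load.sh":
        'DB_USER=batch\nDB_PASSWORD="Summer2007"\n'
        "sqlplus $DB_USER/$DB_PASSWORD@prod\n",
    "db01/billing/test_report.sh":
        "sqlplus report/r3p0rt@prod @report.sql\n",
    "app02/crm/sync.bat":
        "rem nightly sync\nset DB_PWD=%1\n",   # passed in, not embedded
}

PATTERNS = [
    # A password-like variable assigned a literal (not $VAR or %VAR%).
    ("assignment", re.compile(
        r"""(?i)\b\w*(?:passw(?:or)?d|pwd)\w*\s*=\s*["']?([^\s"'$%]{4,})""")),
    # user/password@service connection string with a literal password.
    ("connect string", re.compile(r"\b\w+/([^\s/$%@]{4,})@\w+")),
]


def scan(scripts):
    """Return sorted (path, line_no, kind) for each embedded literal.

    The matched secret is deliberately not returned, so the report can
    be circulated without spreading the passwords further.
    """
    hits = set()
    for path, text in scripts.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS:
                if pattern.search(line):
                    hits.add((path, line_no, kind))
    return sorted(hits)


def per_application(hits):
    """Count findings per host/application (first two path components)."""
    counts = {}
    for path, _line_no, _kind in hits:
        app = "/".join(path.split("/")[:2])
        counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SCRIPTS)
    print(found)
    print(per_application(found))
```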
Audit Reports Are Important Too
Due to the increase in government and industry regulations that mandate the protection of sensitive data, organizations that fail to protect privileged account information may face large penalties and fines, not to mention damages to the company's reputation and customer losses in the event of a data security breach. Audit reports of privileged passwords, therefore, are essential in helping organizations manage sensitive data effectively. These audit reports should identify when privileged passwords are updated, any update failures, the access history of particular identities, and what individuals performed which tasks under a shared account. Doing so will enable internal auditors to understand the state of the organization's password management activities and provide recommendations that deter a security breach from occurring in the future.
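Step 2 and the audit reports described above both depend on mapping activity under a shared account back to a person. The following is an added example, not part of the original article: it assumes the PPM system keeps checkout and check-in times per individual, and the record layout, names and log entries are constructed.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed PPM checkout records: which person held which shared
# account's password, from checkout ("out") to check-in ("in").
CHECKOUTS = [
    {"person": "alice", "account": "administrator",
     "out": "2007-05-13 13:30", "in": "2007-05-13 14:05"},
    {"person": "bob", "account": "root",
     "out": "2007-05-13 09:00", "in": "2007-05-13 09:40"},
]

# Constructed activity log from the target systems: only the shared
# account name is recorded, never the person behind it.
EVENTS = [
    {"account": "administrator", "time": "2007-05-13 13:47",
     "action": "download client database"},
    {"account": "root", "time": "2007-05-13 22:15",
     "action": "create user account"},
]


def ts(text):
    return datetime.strptime(text, FMT)


def attribute(events, checkouts):
    """Return (account, time, status, people) for every logged event."""
    report = []
    for ev in events:
        when = ts(ev["time"])
        people = sorted({
            c["person"] for c in checkouts
            if c["account"] == ev["account"]
            and ts(c["out"]) <= when <= ts(c["in"])
        })
        if len(people) == 1:
            status = "attributed"
        elif people:
            status = "ambiguous"     # overlapping checkouts of one password
        else:
            status = "unattributed"  # used outside any recorded checkout
        report.append((ev["account"], ev["time"], status, people))
    return report


if __name__ == "__main__":
    for row in attribute(EVENTS, CHECKOUTS):
        print(row)
```

Events that come back unattributed or ambiguous are the ones the audit report should surface first, since they mean a privileged password was in use without a single accountable holder.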
With more than 15 years of experience in enterprise systems security, Nir Gertner serves as Cyber-Ark's chief technology officer. Prior to joining Cyber-Ark, Gertner served as a software engineer for business service management provider BMC and as chief administrator of the security and system department in Israel's Central Computing Center. Gertner has presented at different IT industry events. His most recent presentations include the 2007 Data Protection Summit, The Institute of Internal Auditors' Information Technology 2007 Conference, and the 2007 IT Financial Management Conference.