How to avoid a security lapse

Maybe it’s the popularity of confessional talk shows, but it seems that many
IT heads have suddenly decided to bare their souls and come clean about the
problems keeping them awake at night.

With the growing awareness of the need to protect information, and almost
daily reports of data theft, it is becoming increasingly difficult to ignore
what is a problem of enormous proportion.

Most organisations depend extensively on distributed computing architectures
and every new device, operating system and piece of middleware requires another
set of privileged accounts for administrators and operators. In many cases,
organisations are unaware of just how many of these accounts exist.

These privileged accounts provide access to the computing environment,
frequently allowing unregulated access to files, programs and data, and if they
aren’t properly protected, they represent a significant business risk.

But privileged accounts aren’t easy to manage. They are usually shared among
many people, sometimes left with default passwords and are generally unkempt.
The bottom line is that many organisations are frighteningly exposed when it
comes to the security of sensitive information, and they have no idea of how to
solve the problem.

In fact, in many cases IT management is in denial because to expose the time
bomb they are sitting on could cost them dear. Ultimately it comes down at best
to a calculated risk, and at worst a head in the sand.

One of the most frequently heard confessions is from those not following
internal audit procedures. Many organisations have a plethora of systems and
applications that can only be accessed using a shared identity, for example
‘administrator’ or ‘root’. To avoid the misuse of these identities, auditors
quite rightly recommend a policy of regularly changing these passwords.

This presents your IT director with a dilemma. If they strictly adhere to the
policy, then it will most likely result in personnel being permanently tasked
with changing passwords, and trying to securely distribute them to those who
need access to them. The alternative is to do nothing in the hope that no one
will discover their inactivity.

Another serious issue is the admission that management turns a blind eye to
bypassing procedures to avoid having to share a password among several

In this case, the manager simply allows groups of people to be given the
necessary privileges on their personal accounts. Apart from the confession that
they frequently have absolutely no idea how many administrative accounts are
actually in existence on all the systems, there is increased vulnerability.

Just this month, Microsoft revealed a vulnerability in certain versions of
Windows, which could allow remote code execution if someone is logged on with
administrative user rights.

This would allow an attacker to hijack the session and install programs,
view, change or delete data, or create new accounts with full user rights. There
is a patch available for this problem, but IT staff haven’t the time to apply
patches on a daily basis, especially when it impacts production servers.

‘We have never changed the default password supplied by the manufacturer’ is
an often-heard admission. There are major corporations whose entire networks are
controlled by hundreds of routers and firewalls using the manufacturer’s default
password, because they have not been able to find any effective way to securely
store and change these passwords.

A definite leader in the confession list is the admission that every
workstation in an organisation has the same password. One financial institution
voluntarily admitted to having thousands of workstations with the same
administrator password – and no idea how to change this.

Although they accept this is a huge security hole, they did not see any
realistic way of managing local administrator accounts on workstations.
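As an added illustration that is not part of the original article, the following Python check audits a privileged-account inventory for the three problems described above: manufacturer default passwords still in place, passwords older than the rotation policy the auditors ask for, and one password shared across many hosts. The inventory format, the sample hosts and dates, and the placeholder vendor defaults are all constructed for this example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


def fingerprint(secret: str) -> str:
    """Unsalted SHA-256 so the inventory never holds clear text.
    Adequate for equality checks across hosts; it is not a password store."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed placeholders standing in for a real vendor default list.
KNOWN_DEFAULT_FPS = {fingerprint(p) for p in ("vendor-default-1", "vendor-default-2")}


@dataclass(frozen=True)
class PrivilegedAccount:
    host: str
    user: str
    fp: str            # fingerprint of the current password
    last_changed: date


def audit(inventory, today, max_age_days=90, share_limit=1):
    """Flag default credentials, passwords older than max_age_days, and any
    password used by more than share_limit hosts."""
    findings = {"default": [], "stale": [], "shared": {}}
    by_fp = defaultdict(list)
    for a in inventory:
        if a.fp in KNOWN_DEFAULT_FPS:
            findings["default"].append(f"{a.host}/{a.user}")
        if (today - a.last_changed).days > max_age_days:
            findings["stale"].append(f"{a.host}/{a.user}")
        by_fp[a.fp].append(a.host)
    for fp, hosts in by_fp.items():
        if len(hosts) > share_limit:
            findings["shared"][fp] = sorted(hosts)
    return findings


# Constructed sample inventory: hosts, dates and secrets are made up.
AUDIT_DATE = date(2024, 6, 30)
SAMPLE = [
    PrivilegedAccount("ws01", "Administrator", fingerprint("Shared-Img-2024"), date(2024, 1, 10)),
    PrivilegedAccount("ws02", "Administrator", fingerprint("Shared-Img-2024"), date(2024, 1, 10)),
    PrivilegedAccount("ws03", "Administrator", fingerprint("Shared-Img-2024"), date(2024, 3, 1)),
    PrivilegedAccount("rtr01", "admin", fingerprint("vendor-default-1"), date(2023, 6, 1)),
    PrivilegedAccount("db01", "root", fingerprint("Unique-Db-Secret"), date(2024, 5, 20)),
]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE, AUDIT_DATE).items():
        print(kind, hits)
```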

An occasional, but shocking, confession is that the IT security officer has
absolutely no idea how different groups apply policies. It is not unusual to be
sitting in meetings and find different groups arguing, and the poor individual
tasked with compliance, holding their head in their hands.

To have some appreciation for the problem, a quick search of the internet for
‘default password list’ will return more than 1,400 default user accounts and
passwords associated with the many applications, database software, operating
systems and network devices shipped by manufacturers, and in certain cases a
default account that provides full access to an application will have no default
password. Add to this the myriad of accounts created by organisations, and the
potential to do serious damage is massive.

Mind you, it may be that the willingness to confess has something to do with
the conviction that the person hearing the confession has the means to help
address the problem. So if you are looking to unburden your conscience, don’t
worry, there are those who can help with software that can digitally manage and
organise your passwords for you. At least then you’ll have one less confession
to make.

Calum MacLeod is European director of Cyber-Ark Software
