Organisations in the Middle East acknowledge the importance of tightening security controls, but a majority fail to secure privileged passwords. V Balasubramanian, Marketing Manager, IT Security, ManageEngine, discusses results of a study conducted by ManageEngine at GITEX Technology Week 2014.
Our interactions with a cross-section of the visitors at GITEX Technology Week 2014 revealed that organisations concentrate on perimeter security but tend to ignore privileged password security, which is fundamental to information security.
More than 70 per cent of attendees who were asked said that they were storing administrative passwords, which grant unlimited access to IT assets, in plain text on volatile sources such as sticky notes, spreadsheets, printouts, and text documents. 35 per cent of the respondents said that they were either using the same password on many IT systems or were alternating a set of existing passwords on different systems.
More than 40 per cent of the respondents said that they were frequently sharing passwords among technicians through emails and phone calls. Only 9 per cent of the respondents said that they were changing the passwords of their IT systems once a month. Others were allowing passwords to remain unchanged for an extended period. 90 per cent of the respondents said that they were conducting only manual audits to check if IT systems have been assigned weak or factory default passwords. Passwords of even the most sensitive resources like firewalls remain unchanged to prevent lockouts.
Manually changing the passwords of thousands of resources can be time-consuming. Worse, most resources are assigned the same, non-unique password for ease of coordination among administrators.
Such flawed password management practices open the networks to hackers from both inside and outside the organisation. Many security incidents and data breaches actually stem from a lack of adequate password management policies and internal controls.
Identity theft often lies at the root of modern-day cyber-attacks. To gain access to IT resources, cyber criminals use various techniques, including phishing attacks, to obtain employee login credentials and administrator passwords. With an ever-increasing number of passwords, the risks involved are quite high. Passwords kept on spreadsheets result in a host of other security issues, which include unrestricted and unaudited access to the organisation’s internal systems with no trace of the offender.
Temporary access becomes permanent when privileged account passwords given out orally or by email remain unchanged. One has to stay mindful of the fact that when a technician leaves the organisation, he takes the passwords with him, which can put the client networks in jeopardy if the text file or spreadsheet containing the administrative passwords reaches a malicious individual. The only solution to such a scenario is to change all the privileged passwords of all the clients.
To combat the increasing number of cyber-attacks, organisations should focus on securing privileged passwords, controlling and monitoring privileged access, and adopting stringent security best practices. This can be done by installing privileged password management solutions. In the absence of an appropriate management tool, password management can become quite cumbersome.