Passwords still the weakest link

Niall McKay, Contributor

Last November, a man named Pok Soeng Kwong was convicted of sabotaging the computer network of his former employer, America Flood Research Inc. in Plano, Tx., and causing $600,000 in damages. Two months earlier, Carl Shea, a former program manager of a Silicon Valley debt collection company called Bay Area Credit Services Inc., was convicted of deleting 50,000 customer records, causing $100,000 in damages. And before that, in June, Roman Meydbray, the former IT manager of Morgan Hill, Calif.-based Creative Explosions, Inc., pleaded guilty to unlawful access and damage to the company's computer systems.

Former or disgruntled staff commit up to 70% of security breaches, according to Washington-based Diligence LLC, a risk-management company. Often these insiders exploit lax password-management policies that give systems administrators, computer programmers (often offshore contract workers) and others access to service-account and administrative passwords, even long after they leave the company. Not only are these shared passwords widely known, they are also seldom changed.

Unauthorized access and theft of proprietary information increased by 30% in 2005, according to the most recent CSI/FBI Computer Crime and Security Survey. The two organizations peg the average loss at about $300,000 per incident.

Application-to-application or service-account passwords -- typically used by systems administrators -- can be tricky to manage. Because they let applications communicate with one another, they are hard-coded or written into middleware, which makes them difficult to change even though they are often widely known within an organization.

"In the past six months, managing administrative and privileged passwords has become an item on many corporations' agenda," said Jonathan Penn, principal analyst with Cambridge, Mass.-based Forrester Research. "I believe that this is being driven by the auditors who are now going after the shared-level passwords to make sure that the corporations are meeting Sarbanes-Oxley [internal control reporting] security requirements."

Information security firms such as Cyber-Ark Software Inc. in Dedham, Mass. and Symark Software in Agoura Hills, Calif. have upgraded their password-management tools to support service-account passwords.

The software gives each staff member an account on the password-management system. The staff member logs into that system, which authenticates the user before allowing access to an application. In this way users never learn the shared password for the application, so they can neither share it nor use it after leaving the company. Security and network administrators can easily add or delete users and set individual or role-based access privileges, and can also quickly change database and other application passwords through these "password enhancement" products.

Cyber-Ark's Password Vault and Symark's PowerKeeper software use 256-bit Advanced Encryption Standard (AES) encryption to secure the information on the box and the traffic to and from client machines. Each user has a virtual vault where their passwords are kept, so that router administrators, for example, only have access to the router password section.

"In a large corporate environment, administrative passwords are cumbersome to manage," said David Ross, Unix team leader with the Calgary, Alberta-based Husky Energy Inc., which uses Symark's PowerKeeper. "So the auditors like to see that the company has this under control."

Even more important, he adds, is the ability to provide an audit trail so that, if necessary, auditors can clearly see who has been accessing which applications.
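The brokered-access model the article describes (users authenticate to the vault, the vault checks role-based access, hands the shared credential only to the application connector and never to the person, and records every use) can be shown in a small stand-alone model. The following is an added example written for this page, not code from the article, Cyber-Ark or Symark, and it does not model the products' AES-256 encryption at rest. All names, users, sections and secret values are constructed; the `action` callback stands in for a vault-side connector (for instance the vault logging into a router on the user's behalf), which is why the secret is passed to it rather than returned to the caller.

```python
# Added example (not from the article or any vendor product): a minimal model of
# a brokered "password vault" for shared service-account credentials.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a request fails authentication or authorization."""


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: set
    active: bool = True


class PasswordVault:
    def __init__(self):
        self._users = {}          # username -> User
        self._sessions = {}       # session token -> username
        self._secrets = {}        # section -> {secret name: value}
        self._section_roles = {}  # section -> roles allowed to use it
        self.audit_log = []       # who used which secret, when, and the outcome

    @staticmethod
    def _hash(password, salt):
        # Users' own vault passwords are stored salted and stretched, never in clear.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, user, section, name, outcome):
        self.audit_log.append({"ts": time.time(), "user": user, "section": section,
                               "secret": name, "outcome": outcome})

    # --- administration -------------------------------------------------------
    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self._users[name] = User(name, salt, self._hash(password, salt), set(roles))

    def remove_user(self, name):
        """Deactivate a leaver; any session they still hold stops working at once."""
        self._users[name].active = False

    def store_secret(self, section, name, value, allowed_roles):
        self._secrets.setdefault(section, {})[name] = value
        self._section_roles[section] = set(allowed_roles)

    def rotate_secret(self, section, name):
        """Replace a shared credential with a fresh random value; no person is told it."""
        self._secrets[section][name] = secrets.token_urlsafe(24)
        self._log("<vault>", section, name, "rotated")

    # --- use --------------------------------------------------------------------
    def authenticate(self, name, password):
        user = self._users.get(name)
        if user is None or not user.active:
            raise AccessDenied("unknown or inactive user")
        if not hmac.compare_digest(user.pw_hash, self._hash(password, user.salt)):
            raise AccessDenied("bad password")
        token = secrets.token_hex(16)
        self._sessions[token] = name
        return token

    def use_secret(self, token, section, name, action):
        """Run action(secret) on the caller's behalf; the secret itself is never returned."""
        username = self._sessions.get(token)
        user = self._users.get(username)
        if user is None or not user.active:
            self._log(username or "<unknown>", section, name, "denied: no valid session")
            raise AccessDenied("no valid session")
        if not user.roles & self._section_roles.get(section, set()):
            self._log(username, section, name, "denied: role")
            raise AccessDenied("role not permitted for this section")
        self._log(username, section, name, "used")
        return action(self._secrets[section][name])


def build_demo_vault():
    """Constructed sample data: two staff members and two credential sections."""
    v = PasswordVault()
    v.add_user("alice", "alice-pw", roles={"network-admin"})
    v.add_user("bob", "bob-pw", roles={"dba"})
    v.store_secret("routers", "core-rtr1", "initial-router-pw", allowed_roles={"network-admin"})
    v.store_secret("databases", "billing-db", "initial-db-pw", allowed_roles={"dba"})
    return v
```

The design point is that every path to the credential goes through `use_secret`, which checks that the session belongs to a still-active user and that one of the user's roles is permitted for the section, then logs the outcome before the connector runs. Deactivating a user or rotating the secret therefore takes effect immediately, and the audit log answers the auditor's question of who used which application credential and when.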

Large corporate accounting scandals like WorldCom and Enron have heightened the importance of maintaining a complete audit trail for any large transactions. And even those companies that don't fall under SOX compliance, like Husky Energy, are trying to abide by the law due to U.S. business partnerships and to remain competitive.

In the meantime, it appears smaller public companies trying to meet their SOX deadline are among the interested.

"We have seen a big increase in demand for our password products," said Ellen Libenson, Symark's vice president of product marketing, "because smaller companies with a market capitalization of 75 million shares outstanding will need to comply with the Sarbanes-Oxley section 404 by July 2006."

And the clock is ticking.