Poor privileged account management practices leave security gap

By Ron Condon, U.K. Bureau Chief
23 Oct 2009 | SearchSecurity.co.uk


New research suggests many European companies are going against security best practices and allowing privileged accounts to be shared amongst groups of users.

Also referred to as admin, root or emergency accounts, these give users greater access privileges and control over parts of the system, as well as the ability to make damaging changes, either by accident or design.

But a new study of 270 companies shows that many organisations fail to monitor or control the use of privileged user accounts, which is in breach of most standards, including ISO 27001 and PCI DSS.

"Business managers would be shocked if they knew how much power some of their staff have, and how much damage they could inflict," said Bob Tarzey, a director of research consultancy at Quocirca Ltd., which carried out the study.

He explained that if accounts were shared between users, or not carefully monitored, then it would be impossible to identify who carried out what actions on any system. Poorly protected admin accounts are also often targeted by hackers.

The research found that privileged account management is given a low priority in most companies, where staff members are too busy dealing with more pressing problems, such as malware and Internet threats.

The study was commissioned and sponsored by IT management company CA Inc. The head of the company's security business in Europe, Tim Dunn, said: "Privileged user accounts need managing, as do privileged users. This all too often comes down to the privileged users policing themselves."

He said that privileged user accounts are often left with their default settings. "Common sense says these should be changed immediately, but often they are not. When this is the case, it is not just internal privileged users that have access, but any hacker who may want to take a look at your data," he said. Dunn cited the example of British hacker Gary McKinnon, who broke into Pentagon systems having gained much of his access through privileged user accounts that had been left with the default settings.

Dunn said that while most standards of good practice advocate a principle of least privilege -- where users can view only what they need, for as long as they need it -- in practice, poor privileged account management allows users to have "the keys to the kingdom," with the ability to view files they had no need to see.

Also, revocation of accounts should be tightened up so access rights do not continue after they are no longer needed, he said. For example, rogue trader Jérôme Kerviel was only able to manipulate the systems at financial-services company Société Générale in 2008, resulting in losses valued at approximately 4.9 billion euros, because he had worked in the back office previously and had maintained his access rights.

The Quocirca research covered 14 European countries and focused on large corporations from a range of industrial sectors, including government. It found that even companies that claimed to have implemented the ISO 27001 standard still allowed sharing of privileged accounts, even though the standard requires that "the allocation and use of privileges shall be restricted and controlled."

In addition, the Payment Card Industry Data Security Standard (PCI DSS) recommends "auditing all privileged user activity," which is impossible with a shared account.

Tarzey said organisations should try to automate how they manage accounts. "Manual methods are inefficient, and they cannot be properly audited," he said. "You need to be able to link into your identity and access management system."

The main reasons for companies not doing more, according to the research, were a lack of budget and a general lack of awareness of the problem.

CA's Tim Dunn said responsibility for privileged account management should be taken out of IT and owned by business and risk managers. "You can't delegate this to IT and let them police themselves," he said. Dunn added that log files should also be properly secured so that they could not be altered.
