(Originally published in CSO, Australia)
Australian media is agog about the stories of hacking by the hacktivist group ‘Anonymous’, the group that defaced several Australian websites also claimed stealing user credentials and contact information from Australian Pizza Hut, early this month. In fact, the month of November has been a period of high profile security breaches and identity thefts not just in Australia, but also across the globe. Seeing some of the world’s mightiest enterprises falling prey to hackers is no longer uncommon given the current trend.
All these security breaches give Enterprises and end users just one important lesson to learn – it is time to seriously consider using a password manager!
How does a data breach in one site affect end users?
It is quite common for users to use the same login credentials for multiple sites – social media and other applications. Making matters worse, some users tend to use the same password for all accounts – right from email accounts, social media to banking, brokerage and finance accounts. And, in this globally connected world, a data breach in Europe could affect an end user in Malaysia!
If the password gets exposed in any of the sites, in all probability, hackers would be able to easily gain access to all your other accounts too. So, it is always prudent to have unique passwords for every website and application and supply it ONLY on that site/app. When there is news of password expose or hacks, you can just change the password for that site/app alone and frequently changing passwords, as a habit is always a great one to have.
But, here comes the problem: You will have to remember multiple passwords – sometimes in the order of tens or even hundreds. It is quite likely that you will forget passwords and at the most needed occasion, you will struggle logging in.
The way out: Use a Password Manager
Just like you have an email account; consider using a password management application too. In order to combat cyber-threats, proper password management should ideally become a ‘way of life’. Password Managers help securely store all your logins and passwords. In addition, you will get an option to launch a direct connection to the websites / applications from the password vault’s GUI itself. Saving you even the ‘Copy & Paste’ task, logging in is just a click away. Once you deploy a Password Manager, you can say goodbye to password fatigue and security lapses.
Enterprises – time to step up! You may be the next victim!
Not pondering much on the security lapses / practices of affected businesses, it is worthwhile to draw lessons from the cyber-incidents happened in the recent past as it could help prevent security incidents that could affect other enterprises in future.
Traditionally, keylogger trojans (which monitors keystrokes, logs them to a file and sends them to remote attackers), cross-site scripting (which enables malicious attackers to inject client-side script into web pages viewed by other users and exploit the information to bypass access controls) and viruses have mostly acted as the security attack channels.
Improper management of the Administrative Passwords, which are often aptly referred as ‘Keys to the Kingdom’, is at the root of many security threats. Passwords of enterprise IT resources are often insecurely stored in volatile sources like spreadsheets, text files and even on papers. The haphazard style of password management makes enterprises a paradise for hackers.
Another undeniable reality is the sabotage caused by the insiders of the enterprises. Either disgruntled staff or greedy techies or sacked employees have been involved in many such security incidents. This brings us to the brink of affairs and we note, breach of trust could occur anywhere, leading to grave consequences. Quite often, lack of well-defined internal controls and access restrictions pave way for many security incidents.
Tightening internal controls – The magic mantra
Enterprises, unfortunately, do not attach importance to the crucial aspect of administrative password management until a security incident or identity breach surfaces. This negligence often comes with an exorbitant price to pay. Many such security breaches stem from lack of adequate password management policies and internal controls that could be avoided by placing access restrictions and well-defined password policies.
Access to IT resources should strictly be based on job roles and responsibilities. Access restrictions alone are not enough, there should be well-defined trails on ‘who accessed what and when’. And the best way to achieve this is to deploy a Privileged Password Management Solution that could replace manual processes and help achieve an optimum security.
Privileged Password Managers like ManageEngine’s Password Manager Pro help in securely storing the privileged identities in a centralized vault restrict access to the identities and automate the identity/password management activities. This will help organizations to take total control of the privileged identities. Enterprise class password managers offer advanced protection to IT resources by helping establish access controls to IT infrastructure, and seamlessly video record and monitor all user actions during privileged sessions, providing complete visibility on privileged access.
To summarize, not all security incidents could be prevented or avoided; nor could privileged password management software act as the panacea for all cyber security incidents. But, the security incidents that happen due to lack of effective internal controls are indeed preventable. Enterprises should take preventive action to combat cyber-criminals. Otherwise, enterprises might end up locking the stable after the horse has bolted!
Try Password Manager Pro now!
Bala
ManageEngine Password Manager Pro
Quick Video | Free Trial Download | White Papers | Success Stories
