Enterprise IT Management Blog from ManageEngine

Embezzlement incident at Wipro: Insider Threats & Stricter Internal Controls to the Fore Again

vbala — Thu, 25 Feb 2010 22:49:29 -0800

If media reports on the alleged embezzlement by an employee at Wipro are to be believed, insider threat seems to be emerging the biggest challenge for the IT companies.

In the Wipro incident, it is alleged that the fraudster, a qualified chartered account who was employed with the company's 'controllership' division in the finance department managed to siphon off around $4 million from the company's bank account by accessing a colleague's password.

This report once again lends credence to the belief that a good proportion of the frauds and security incidents are being caused by the insiders of the enterprises - either disgruntled staff or greedy techies or sacked employees.

Lack of well-defined internal controls and access restrictions generally pave the way for security incidents. It is also increasingly becoming clear that stolen identities are serving as the ‘hacking channel’ for many cyber-crimes/frauds and improper management of the administrative passwords could potentially remain at the root of a good number of security threats.

How do we avoid cyber threats / frauds?

Not all security incidents could be prevented or avoided; But, the security incidents that happen due to lack of effective internal controls are indeed preventable. Enterprises should take preventive action to combat cyber-criminals and to ensure information security.

One of the effective ways to achieve internal controls is to deploy a Privileged Password Management software that could replace manual processes and help achieve highest level of security for the data.

Read this paper "Combating Cyber Security Threats" from ManageEngine Password Manager Pro for more details and share your feedback.

Bala
www.passwordmanagerpro.com

Use of hard-coded credentials, a dangerous programming error: CWE

vbala — Wed, 17 Feb 2010 21:53:04 -0800

Hi,

For applications and scripts in your infrastructure that communicate with other applications using a password, the normal practice is to hard-code the password in a configuration file or a script. To explain further, for Application-to-Application or Application-to-Database communication that happen without human intervention, normally organizations define the access permissions in one application (say Application 'A') and hard-code the passwords to access the Application 'A' in scripts or embed them in the calling application (say Application 'B') itself.

These hard-coded passwords pose a significant security threat as malicious users getting access to the script could easily decipher the password and unleash disaster.

Common Weakness Enumeration (CWE), a community developed dictionary of software weakness types has recently released the list of 'Top 25 Most Dangerous Programming Errors'. The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors and MITRE's Common Weakness Enumeration (CWE).

MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.

Among the top 25 dangerous programming errors, use of hard-coded credentials is listed at No 11.

CWE explains :

Hard-coding a secret password or cryptograpic key into your program is bad manners, even though it makes it extremely convenient - for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it's hard-coded, it's usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network's being hacked - about as much as you'll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won't see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can't be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means.

So, use of hard-coded credentials is a very, very bad programming practice. But, the question is, how to avoid this? What is the alternative?

The good news is that ManageEngine Password Manager Pro provides effective ways to eliminate the hard-coded passwords. If you have applications in your infrastructure that require connecting to other applications using a password, they can query PMP to retrieve the password. One application (say Application A) would contact the PMP for the password to access another application (say Application B). On getting the password, 'A' would contact 'B' and all these have to happen without human intervention.

This way, the application-to-application (A-to-A) passwords can also follow good password management practices like periodic rotation, without the trouble of manually making the updates at many places. Same procedure can be used for Application-to-Database password management (A-to-DB).

PMP provides Password Management APIs using which any enterprise application or command line script can programatically query PMP and retrieve passwords to connect with other applications or databases.

PMP provides two flavors of the API for this purpose:

a comprehensive application API based on XML-RPC over HTTPS and
a command line interface for scripts over secure shell (SSH)

Both the forms use PKI authentication for allowing access to the PMP application through the API. The XML-RPC API also comes with a Java Wrapper API to make it easy for integrating it with Java applications.

Visit www.passwordmanagerpro.com for more details.

Thanks,
Bala

A New Year's Resolution to Protect Your Data & Business

vbala — Tue, 29 Dec 2009 10:15:27 -0800

Bidding adieu to 2009, the old year and a brand new 2010 is at the doorsteps.

It is again that time of the year when we would reflect on the past and make some resolutions hoping to do better in all spheres. On the personal front, we have several resolutions to make - right from the most popular lose weight---save money---maintain a diary---quit smoking/drinking to properly managing time, the list is endless.

On the professional front, what resolution can we make? Before finding one, it is pertinent to answer a more fundamental question: How important is your company's data? What impact a possible identity theft or security breach will have on your business?

The answer is obvious.

The growing list of cyber-criminal activities across the globe have assumed such grave proportions that all enterprises - big and small, are exposed to security breaches and identity thefts of various kinds. Many acts of sabotage were found to have been caused by the insiders of the enterprises, either disgruntled staff or greedy techies or sacked employees.

Lack of well-defined internal controls and access restrictions generally pave the way for security incidents. Particularly, as stolen identities seem to have served as the ‘hacking channel’ for many cyber-crimes, improper management of the administrative passwords is believed to be at the root of a good number of security threats.

One of the effective ways to achieve internal controls is to deploy a Privileged Password Management Solution that could replace manual processes and help achieve highest level of security for the data.

Will it not be a great resolution this new year to strive for information security? Go ahead and deploy ManageEngine Password Manager Pro and safeguard your enterprise data.

Wishing you a wonderful new year,
Bala

Are you worried about security breaches & identity thefts?

vbala — Fri, 20 Nov 2009 21:39:13 -0800

Shocking stories of security incidents and identity thefts of various kinds worry you? Read our article on 'Combating Cyber Security Threats' in Express Computer:

http://www.expresscomputeronline.com/20091123/technology04.shtml

Bala
ManageEngine Password Manager Pro

Information Security, the biggest challenge before Indian Enterprises: Survey

vbala — Thu, 5 Nov 2009 22:45:08 -0800

Reputed marketing firm IDC (India) Ltd has come out with a survey whose results should serve as an eye opener for all enterprises. The survey was commissioned by security solutions provider Symantec India.

The survey reveals that:

About 80 per cent of Indian enterprises have agreed that loss or theft of critical data is a serious information security risk they face after threats from viruses and hackers
16 per cent of the enterprises admitted to have lost data in the recent past for various reasons, including unaware users, malicious insiders and external threats from hackers and cyber-criminals
About 60 per cent of employees who recently changed jobs reported taking confidential data from their previous employer. This included customer lists, employee records, non-financial information. The top three ways data is lost are through CDs,DVDs and USB drives.

What are the causes?

The survey results once again lend credence to the belief that a good proportion of the cyber threats are being caused by the insiders of the enterprises - either disgruntled staff or greedy techies or sacked employees.

It is also increasingly becoming clear that stolen identities could be serving as the ‘hacking channel’ for many cyber-crimes and improper management of the administrative passwords could potentially remain at the root of a good number of security threats. Many security breaches might stem from lack of adequate password management policies and internal controls.

How do we avoid cyber threats?

What preventive steps could an enterprise take?

Read this paper "Combating Cyber Security Threats" from ManageEngine Password Manager Pro and share your feedback

Details of the survey as published in the media..

Bala

ManageEngine Password Manager Pro

Combating Cyber Security Threats - ManageEngine Password Manager Pro Advisory

vbala — Tue, 3 Nov 2009 21:53:40 -0800

Hi,

Of late, cyber-criminal activities across the globe have assumed such grave proportions that all enterprises - big and small, are exposed to security breaches and identity thefts of various kinds. Many sabotage were found to have been caused by the insiders of the enterprises - either disgruntled staff or greedy techies or sacked employees.

Lack of well-defined internal controls and access restrictions generally pave the way for security incidents. Particularly, as stolen identities seem to have served as the ‘hacking channel’ for many cyber-crimes, improper management of the administrative passwords is believed to be at the root of a good number of security threats.

Security experts strongly believe that many security incidents (though not all) are actually avoidable by placing access restrictions and well-defined password policies.

From ManageEngine Password Manager Pro, we have released an advisory, which discusses the causes of security incidents in detail and suggests ways to effectively tackle the challenge.

You may download the advisory from:
http://www.manageengine.com/products/passwordmanagerpro/combating-cyber-threats-advisory-paper-request.html

Bala
ManageEngine Password Manager Pro

Australian Catholic University Deploys ManageEngine Password Manager Pro for Password Access Control

vbala — Mon, 24 Aug 2009 06:03:19 -0700

Hi,

Password Manager Pro has earned the business and goodwill of scores of customers worldwide. Its deployment has immensely benefitted businesses in many ways.

Australian Catholic University (ACU), one among the premier institutions in Australia with campuses at six different locations, has deployed ManageEngine Password Manager Pro to provide web-based, centralized access to privileged passwords to its geographically disparate IT team. ACU has achieved complete password access control and enhanced internal security.

“With Password Manager Pro, managing the growing list of system passwords has become much simpler. We have done away with the insecure practice of keeping the passwords in printouts. Password Manager Pro has improved our performance and overall security of the systems we manage on a daily-basis, ” says Mark Laffan - Team Leader - Network & Communication Systems, ACU National.

For detailed information, take a look at the case study published in our website.

Bala
ManageEngine Password Manager Pro

Password Manager Pro bags top honours from SC Magazine for the second time in a row

vbala — Sun, 9 Aug 2009 23:39:50 -0700

Hi,

Greetings!

For the second consecutive time, ManageEngine Password Manager Pro has earned top honours in SC Magazine's Group Test of various password management solutions. Password Manager Pro has earned a perfect 5 out of 5 star rating again. The review has concluded that Password Manager Pro offers solid value for money.

In its group test, a hands-on review of ten competing Privileged Password Management solutions, SC Magazine, the world's longest running monthly publication on information security, has awarded the five star rating for Password Manager Pro. The review results have been published in the August 2009 issue of the magazine.

The review states that the product is quite easy to install and use. "After installation, the initial configuration is done by a guided workflow that assists in getting the product up and integrated with the environment. We found this whole process quite intuitive and easy to follow. Further management is done via the web GUI. We found the GUI to be easy to use with a well-organized layout".

The review asserts: "This product is a solid value for the money. ManageEngine Password Manager Pro offers a solid set of features in an easy-to-use, workflow-based format"

Complete review report can be accessed from:
http://www.scmagazineus.com/Zoho-Corp-ManageEngine-Password-Manager-Pro/Review/2931/

Details of the Group Test Password Management:
http://www.scmagazineus.com/Reviews/section/107/

In the previous group test done in November 2008 too, Password Manager Pro got the perfect 5 out 5 star rating.

We feel elated on receiving this coveted rating for the second time in a row and take this opportunity to thank all our customers for their continued support.

Bala

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ManageEngine Password Manager Pro
Enterprise Privileged Password Management Solution
www.passwordmanagerpro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Do you reveal enterprise passwords to your colleagues?

vbala — Thu, 2 Jul 2009 08:12:22 -0700

Have you ever revealed the administrative password of an enterprise resource to your colleague? And do you strongly believe that your passwords remain secure even after telling others? If so, you must read this interesting survey done by SecurEnvoy.

The survey results reveal that 75% of UK employees have admitted that they have told at least two other colleagues their corporate passwords.

SecurEnvoy states that while workers are trusting of their colleagues, it may not be a great idea to share passwords so easily since it can compromise one’s entire work life.

The concern raised in the survey is well-founded. Enterprises - big and small, face security issues and outages quite often. After all, mis-management of administrative passwords lies at the root of all security issues.

It is always good to avoid sharing of administrative passwords. But, what if your business needs demand that you seletively share passwords with others and yet ensure high levels of security? Caught in a catch-22 situation, right?

But take heart, you have ManageEngine Password Manager Pro for your rescue. Using this Enterprise Password Management Solution, you can store thousands of administrative passwords in a centralized repository and selectively share the passwords with others. You can have the trail of 'who', 'what' and 'when' of password access. The passwords are shared, yet remain highly secure. Exactly what you want!

To know more, visit www.passwordmanagerpro.com

Bala

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ManageEngine Password Manager Pro
Enterprise Privileged Password Management Solution
Email: passwordmanagerpro-support@manageengine.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Managing Website Login Credentials using Password Manager Pro

vbala — Thu, 15 Jan 2009 03:30:24 -0800

Hi,

Greetings!

Do you face problems in remembering the credentials of website login accounts?
Do you have a large number of web accounts and wish to automatically login to the sites without manually entering the user name and password?

ManageEngine Password Manager Pro is there to help you!

By simply storing the URL of the web page and the login credentials, you can launch direct connection to the required website from Password Manager Pro. That is, the URL of the website would be visible in Password Manager Pro and upon clicking that you will be logged in to the website directly.

We have published a step-by-step tutorial on how to implement this feature. Along with the textual explanation, the tutorial contains a two-minute video presentation at the end. Don’t forget to check that out!

Bala

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ManageEngine Password Manager Pro

Enterprise Privileged Password Management Solution

Email: support@passwordmanagerpro.com

Toll Free: +1 925 924 9600

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -