In the previous two posts, against the backdrop of the cyber-attack on Zappos.com, we analyzed the challenges associated with achieving the highest level of information security in enterprises and the causes of security incidents.
We can broadly classify the root causes of security incidents in enterprises into two categories:
- Lack of internal controls, access restrictions, centralized management, accountability and strong policies and, to cap it all, a haphazard style of privileged password storage and management
- Lack of proper monitoring in networks to spot suspicious activity (which directly helps in detecting breaches quickly)
These shortcomings make the organization a paradise for malicious insiders and external hackers.
Information Security – Current Scenario
Before analyzing the causes further, let us look at the current situation in enterprises with respect to the internal controls and monitoring discussed above.
At the root of internal controls lies privileged password management. How are administrative passwords handled in enterprises? If truth be told, even many big enterprises do not have any effective password management system in place at all. Employees follow their own haphazard ways of maintaining passwords; there is rarely any meaningful management.
- Sensitive passwords are stored in insecure places such as text files, spreadsheets, printouts, etc.
- Many copies of the administrative passwords are circulated among the administrators who require them for their job functions. The passwords thus become impersonal in the shared environment, so there is no accountability for actions
- When other members of the organization such as developers, database administrators and support personnel require access to IT resources, passwords are generally passed on by word of mouth
- The administrative passwords mostly remain unchanged for fear of inviting system lockout issues
- Still worse, most resources are assigned the same, non-unique password for ease of coordination among administrators
- There is rarely any internal control on password access or usage. Administrators freely get access to the passwords of all the resources in the organization
- There is generally no record of ‘who’ accessed ‘what’ resources and ‘when’. This creates a lack of accountability for actions
- If an administrator leaves the organization, it is quite possible that he or she walks out with a copy of all the passwords
From the foregoing, it is clear that this haphazard style of password management leads to a lack of internal controls and makes the enterprise a paradise for hackers, internal or external.
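To make the missing controls concrete, here is an added example (not code from the original post or from ManageEngine) that models, in a few dozen lines of Python, the controls the list above says are absent: passwords released only to users on a per-resource access list, an append-only record of who checked out what and when, a check for passwords that have not been rotated within a maximum age, a check for one password reused across several resources, and a revocation step that tells you which passwords a departing administrator has seen and must therefore be rotated. All resource names, user names, passwords and dates are constructed for illustration.

```python
# Added example, not from the original post: a minimal model of internal controls
# around privileged passwords. All names, secrets and timestamps are constructed.
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Credential:
    resource: str
    secret: str
    last_rotated: datetime
    allowed_users: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    user: str
    resource: str
    action: str  # "checkout", "denied", "rotate" or "revoke"


class PrivilegedVault:
    """Central password store with access restrictions and an audit trail."""

    def __init__(self) -> None:
        self._creds: dict[str, Credential] = {}
        self.audit: list[AuditEvent] = []

    def _log(self, at: datetime, user: str, resource: str, action: str) -> None:
        self.audit.append(AuditEvent(at, user, resource, action))

    def add(self, resource: str, secret: str, allowed_users, rotated_at: datetime) -> None:
        self._creds[resource] = Credential(resource, secret, rotated_at, set(allowed_users))

    def checkout(self, user: str, resource: str, at: datetime) -> str:
        """Release a password only to an authorised user, recording every attempt."""
        cred = self._creds[resource]
        if user not in cred.allowed_users:
            self._log(at, user, resource, "denied")
            raise PermissionError(f"{user} may not access {resource}")
        self._log(at, user, resource, "checkout")
        return cred.secret

    def rotate(self, resource: str, at: datetime, actor: str = "vault") -> None:
        """Replace the password with a fresh random one and record the change."""
        cred = self._creds[resource]
        cred.secret = secrets.token_urlsafe(24)
        cred.last_rotated = at
        self._log(at, actor, resource, "rotate")

    def revoke_user(self, user: str, at: datetime) -> list[str]:
        """Remove a departing administrator from every access list and return the
        resources whose passwords that person has actually seen (to be rotated)."""
        seen = {e.resource for e in self.audit if e.user == user and e.action == "checkout"}
        for cred in self._creds.values():
            if user in cred.allowed_users:
                cred.allowed_users.discard(user)
                self._log(at, user, cred.resource, "revoke")
        return sorted(seen)

    def stale(self, max_age: timedelta, at: datetime) -> list[str]:
        """Resources whose password has not been changed within max_age."""
        return sorted(r for r, c in self._creds.items() if at - c.last_rotated > max_age)

    def shared_secrets(self) -> list[list[str]]:
        """Groups of resources sharing one password (compared by hash, not by value)."""
        groups: dict[str, list[str]] = {}
        for r, c in self._creds.items():
            groups.setdefault(hashlib.sha256(c.secret.encode()).hexdigest(), []).append(r)
        return sorted(sorted(g) for g in groups.values() if len(g) > 1)

    def who_accessed(self, resource: str) -> list[str]:
        return [e.user for e in self.audit if e.resource == resource and e.action == "checkout"]


def build_sample_vault() -> PrivilegedVault:
    """Constructed sample data: three resources, two admins, one password reused."""
    v = PrivilegedVault()
    old = datetime(2011, 1, 10)
    v.add("db-prod", "Summer2011!", {"alice", "bob"}, rotated_at=old)
    v.add("web-prod", "Summer2011!", {"alice"}, rotated_at=old)
    v.add("fw-edge", "Xq9#pL2v", {"bob"}, rotated_at=datetime(2012, 1, 5))
    return v


def demo() -> dict:
    """Run the controls over the sample data; returns the findings as a dict."""
    now = datetime(2012, 1, 20)
    v = build_sample_vault()
    findings = {"stale": v.stale(timedelta(days=90), now), "shared": v.shared_secrets()}
    v.checkout("alice", "db-prod", now)
    v.checkout("bob", "db-prod", now + timedelta(hours=1))
    try:
        v.checkout("bob", "web-prod", now + timedelta(hours=2))  # bob is not on this list
    except PermissionError:
        pass
    findings["denied_logged"] = any(e.action == "denied" for e in v.audit)
    findings["db_prod_users"] = v.who_accessed("db-prod")
    later = now + timedelta(days=1)
    exposed = v.revoke_user("bob", later)  # bob leaves the organization
    for resource in exposed:
        v.rotate(resource, later)
    findings["rotate_after_bob_leaves"] = exposed
    findings["stale_after_rotation"] = v.stale(timedelta(days=90), later)
    findings["shared_after_rotation"] = v.shared_secrets()
    return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` on the sample data flags the two resources whose password has not changed in a year, reports that they share one password, records the denied attempt alongside the successful checkouts, and after bob's departure names only the password he actually saw as the one to rotate. Two points are worth noting in a real deployment: compare passwords for reuse by hash so the check itself never spreads the plaintext, and drive rotation from the audit trail (what was seen) rather than from the access list alone (what could have been seen), since the former is the smaller, precise set.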
Unfortunately, enterprises generally do not attach importance to this crucial aspect of administrative password management until a security incident or identity breach rocks the enterprise. This negligence often proves costly. Many security breaches may have stemmed from a lack of adequate password management policies and internal controls. Analysts strongly believe that most security incidents are actually avoidable by putting access restrictions and well-defined password policies in place.
In the next post, let us discuss the activity monitoring scenario in enterprises …
Bala
ManageEngine Password Manager Pro
Hi
You are absolutely correct. But this is not the only area.
Another very important factor is the lack of policy implementation and follow-up, lack of policy compliance and doing things on an urgent basis, because everything becomes urgent for business. Suddenly a business unit will wake up and ask for a service to be provided within 24 hours.
There might or might not be a policy. If there is one, IT is willing to put this aside and get the job done.
Regards
Farrukh