The GITEX Technology Week in Dubai gave ManageEngine the opportunity to interact with a cross-section of IT professionals from the Middle East and Africa, and we found that password security is still largely neglected.
IT organizations in the Middle East and Africa are quite interested in tightening security controls. However, they seem to adopt flawed practices for securing privileged passwords, and this is certainly worrisome.
ManageEngine’s interactions with a cross-section of IT professionals at the recently concluded GITEX Technology Week, Dubai (Oct 11-16, 2014) reveal that organizations concentrate more on perimeter security and tend to ignore the security of privileged passwords, which is fundamental to information security.
- More than 70 percent of the respondents said that they were storing administrative passwords, which grant unlimited access privileges to IT assets, in plain text in insecure locations such as sticky notes, spreadsheets, printouts, and text documents.
- Over 45 percent of the respondents said they either used the same password or a set of passwords on many IT systems.
- More than 40 percent of the respondents said that they were frequently sharing passwords with technicians by email and phone calls.
- Only 13 percent of the respondents said that they were changing the passwords of IT systems once a month. The rest left passwords unchanged for extended periods, changing them only when it was convenient.
- 90 percent of the respondents said they were conducting only manual audits to check whether IT systems had been assigned weak or factory-default passwords.
Flawed password management practices like these could make any organization a hacker’s paradise. Many security incidents and data breaches actually stem from a lack of adequate password management policies and internal controls.
Identity theft often lies at the root of modern-day cyber attacks. To gain access to IT resources, cyber criminals use various techniques, including phishing attacks, to obtain employee login credentials and administrator passwords. With organizations drowning in an ever-increasing number of passwords, the risks involved are quite high. In particular, passwords kept in spreadsheets result in a host of security issues. Here are some high-risk factors and scenarios:
- Unrestricted or uncontrolled access — There is rarely any internal control on password access or usage. Technicians get unrestricted access to all the passwords.
- No trace of “who” accessed — Privileged passwords remain impersonal in shared environments. Mistakes, whether accidental or deliberate, can never be traced to the offender. There is generally no way to track “who” accessed “what” and “when.” This allows people to remain unaccountable for their actions.
- Temporary access becomes permanent — Passwords are given out orally or by email to users who need a privileged password on a temporary basis. Such practices become serious security threats when there is no process to revoke the temporary access and reset the password after use.
- Technician leaves the organization; takes passwords — When a technician leaves the organization, the technician may take a copy of all the passwords. The only remedy in such a scenario is to change the privileged passwords of every system.
- Passwords fall into malicious hands — If the text file or spreadsheet containing administrative passwords reaches a malicious individual, networks could be in jeopardy.
- Passwords remain unchanged for ages — Passwords of even the most sensitive resources like firewalls remain unchanged to prevent lockouts. Manually changing the passwords of thousands of resources can be time consuming. Worse, most resources are assigned the same, non-unique password for ease of coordination among administrators.
To combat ever-increasing cyber attacks, organizations should focus on securing privileged passwords, controlling and monitoring privileged access, and adopting stringent security best practices. They can easily achieve a high level of security by using privileged password management solutions like ManageEngine Password Manager Pro. In the absence of an appropriate management tool, password management can become quite cumbersome.