Suffice it to say, that figure is not surprising. When you think about all the privileged credentials that exist in large networks, it’s easy to see how administrative passwords rarely get updated in many organisations. Shockingly, in some cases administrative passwords never get changed at all, according to the 10% of respondents who were brave enough to admit it. Fortunately, 74% change administrative passwords at least monthly, which is much better, as most compliance regulations require organisations to change privileged credentials at least every 30 days.
Admittedly, it’s difficult for IT staff to keep track of all their admin passwords, but this gets even more complicated when you’re expected to know every place where the credentials are used – and what might break when they’re updated. However, because of the sensitive systems that these credentials protect, frequent privileged password changes are essential for good security.
Yet even a 30-day password update cycle may not be frequent enough when you consider that cyber intruders and malicious insiders look for passwords that let them jump from system to system on a network until they find what they want. It almost doesn’t bear thinking about how much damage they can do in that time before their stolen credentials are invalidated.
So what exactly are the potential problems that could arise if privileged credentials are not looked after properly? When an employee leaves a job, there’s typically a standard set of practices that are followed: checking in physical keys and equipment, transitioning documents and contacts to other employees, and so on. But 15% of respondents said that if they left their organisation they could still access their admin credentials remotely. This is a huge potential threat, as they often know the password secrets that let them log in to systems and applications on the network.
If privileged credentials aren’t continuously changed, thus shutting off former employees’ logins, odds are these ex-employees can still gain administrative access long after their employment ends. Every company must have a procedure in place for changing all passwords and revoking access as soon as someone leaves the company.
But how secure are the privileged credentials of current employees? As it turns out, 36% of respondents share administrative passwords within their IT groups. Believe it or not, this is a common IT administration practice. IT pros are busy people, balancing their daily administration tasks with unexpected emergency repairs. So, looking to simplify matters, systems administrators often re-use the same password across many systems and share this password with other IT administrators.
Yet, if a hacker or malicious insider gets hold of this shared password, they’ve just gained access to systems around the network. We have to start asking ourselves if the convenience of sharing passwords is really worth it. Or is there a better way to deal with the problem of administrative passwords? And what is the best way to mitigate the risk?
There are three steps that businesses can take to protect themselves from the burden of passwords:
1. As this survey highlights, we need to train staff, especially staff who have administrative rights, that they won’t have unrestricted access to the power to do harm all the time without a gate. They will still be able to do everything they did before, but there will be an extra step. They can think of it as scanning their badge before they walk into the server room. Now they will scan their virtual badge before they can walk into a secure library where all the rights are stored. They can check out the power they need, everyone will be able to see who has it checked out, and it will get checked back in when they’re done. It’s a small change, but it makes a big difference.
2. When a password is checked out, we would rotate that password when it gets checked back in or when the checkout expires. However, if that’s the only time we rotate it, the bad guys can get in through an email and start collecting rights to use later. But if a programme is in place to aggressively rotate admin rights and credentials all the time, even when they’re not in use, then the bad guys get the rug pulled out from under them.
3. Now that we have this power to control rights and privileges, we should hook it up to our other security systems to make sure everything is working in a healthy, closed-loop process. If you have analytics and logging solutions looking at all the security event data to find patterns, then you would surely want to feed in all the data about who holds legitimate privilege. That leads to simple correlations – for example, an action that takes place using a privileged identity that is not currently checked out to any authorised user would be suspicious. If you have solutions that detect malware and other incidents as they happen, you can automate a privileged response in near real time with no operational impact.
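As an added illustration of steps 2 and 3 (this is not code from the article or from any vendor's product), the following script runs the two checks described above over constructed sample data: it flags privileged-use events that fall outside any active checkout window, and lists accounts whose last rotation is older than the 30-day limit the article cites. The vault ledger, audit events and rotation timestamps are all hypothetical.

```python
from datetime import datetime

# Constructed checkout ledger from a hypothetical privileged-access vault:
# (account, user who checked it out, window start, window end)
CHECKOUTS = [
    ("domain-admin", "alice", "2024-03-01T09:00:00", "2024-03-01T10:00:00"),
    ("db-root", "bob", "2024-03-01T13:30:00", "2024-03-01T14:00:00"),
]

# Constructed privileged-use events from an audit log:
# (timestamp, privileged account used, host, action)
EVENTS = [
    ("2024-03-01T09:15:00", "domain-admin", "dc01", "logon"),        # inside alice's window
    ("2024-03-01T11:42:00", "domain-admin", "fileserver", "logon"),  # nobody has it checked out
    ("2024-03-01T13:45:00", "db-root", "db01", "logon"),             # inside bob's window
    ("2024-03-01T02:10:00", "backup-svc", "db01", "logon"),          # account never checked out
]

# Constructed "last rotated" timestamps per privileged account.
LAST_ROTATED = {
    "domain-admin": "2024-02-28T08:00:00",
    "db-root": "2024-01-15T08:00:00",
    "backup-svc": "2023-11-01T08:00:00",
}


def active_holder(account, when, checkouts):
    """Return the user holding `account` at time `when`, or None if no checkout covers it."""
    for acct, user, start, end in checkouts:
        if acct == account and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return user
    return None


def suspicious_privileged_uses(events, checkouts):
    """Step 3 correlation: privileged actions with no matching active checkout."""
    return [
        (ts, account, host, action)
        for ts, account, host, action in events
        if active_holder(account, datetime.fromisoformat(ts), checkouts) is None
    ]


def overdue_rotations(last_rotated, now_iso, max_age_days=30):
    """Step 2 check: accounts whose credential is older than the rotation limit, sorted by name."""
    now = datetime.fromisoformat(now_iso)
    return sorted(
        acct for acct, ts in last_rotated.items()
        if (now - datetime.fromisoformat(ts)).days > max_age_days
    )
```

In a real deployment the ledger would come from the vault's API and the events from the SIEM; the correlation logic itself does not change.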
If businesses automate privileged password management and follow the steps above, they will be in a much better position to fight off cybercriminals who attempt to leap over network defences and move around laterally within an organisation’s systems. There’s no need for passwords to fail security; they just need to be managed better, and with automation the task can be made simpler for staff so that passwords don’t end up being the downfall of security.