InfoSecurity
June 14, 2007
Privileged passwords, handle with care!
NEW DELHI -- Privileged user accounts have been aptly characterised as the most powerful accounts defined within an IT enterprise environment. Privileged passwords protect critical applications and servers, operating systems, and databases. Often generic in nature, they include, but are not limited to, shared accounts such as Administrator on Wintel platforms, root on UNIX systems, DBA passwords, and hard-coded passwords found in application scripts throughout an enterprise. If such a password becomes known, multiple systems are at risk.
Convergence Plus spoke to Calum Macleod about Cyber-Ark's latest technology, called Enterprise Password Vault, and how its customers benefit from investment protection for upcoming or future requirements to solve all three aspects of enterprise password management. Excerpts:
Convergence Plus: What are the features of Cyber-Ark's Enterprise Password Vault? What kind of research prompted Cyber-Ark to build up this technology?
Calum Macleod: Today, in most organisations, we find that people use the same password value for many systems and devices. This reuse creates a common security hole that can be exploited by external hackers. System intruders use valid credentials to log in as a privileged user on a target system because the privileged password was either the default value provided by the manufacturer or was very weak, easy to guess, or simple enough that a password cracker program could be successfully deployed within a short period of time.
While all of the platforms accessed via a privileged password are critical and vulnerable, a particularly complex situation arises with embedded application passwords. When two unattended software applications connect, they require a powerful username and a powerful password, which are often stored in clear text or embedded in the application code, configuration file, or script. A recent Cyber-Ark password survey revealed that 20 percent of enterprises have more than 1,000 applications and that 42 percent of enterprises reported that they never change these passwords. This situation poses serious security risks and an untold number of compliance violations as these powerful, embedded passwords are gradually distributed undetected throughout an organisation.
In a recent Gartner report, they concluded that “too many organisations and too many users have permanent and full superuser, root or administrator privileges, a gaping vulnerability that exposes mission-critical systems to accidental harm and malicious activity. Organisations must reduce the number of these privileged users to the minimum that satisfies operational needs. Operational needs can be met by enabling ‘authorised individuals' use of shared superuser accounts or other accounts with elevated privileges in a controlled and auditable manner. This can be fulfilled by using the specialised password management tools that we discuss in this research.
A similarly significant vulnerability arises where application-to-application (A2A) or application-to-database (A2DB) communication involves a service account on the target. In many organisations, the password for that account is hard-coded in the calling application.”
Essentially there are three areas where Privileged accounts need to be controlled:
• Managing generic and shared accounts
• Managing application to application accounts for automated and unattended software
• Managing Local Administrator accounts on desktops and laptops
Cyber-Ark is the only vendor that provides solutions for all three areas, with proven reference customers. Most competitors provide a solution for the first area only.
CP: How has it enhanced security practices after becoming a part of the Oracle Extended Identity Management Ecosystem?
CM: As Enterprise Password Vault (EPV) is now part of the Oracle Extended Identity Management Ecosystem, joint Cyber Ark and Oracle customers can benefit from a unified identity management solution for managing and provisioning both personal accounts and shared privileged accounts.
Integration with Oracle Internet Directory provides EPV with user provisioning and access control management capabilities by synchronising with OID's LDAP data. This applies to user creation, modification, removal and personal information, as well as permission groups. OIM or OID continue to be the enterprise focal point for managing identities and their access rights, while their scope of control is now extended to manage access to privileged and shared accounts.
Enterprises must secure, manage and update both individual employee passwords as well as non-personal, administrative and super-user passwords, such as root on a UNIX server, Administrator on Windows machines, DBA users on databases, and any application account used to connect to a database. However, while 99 percent of enterprises regularly change passwords for individuals, up to 42 percent of privileged passwords are never changed. The result? Costly outages, lost business, legal liability and inevitably failed audits.
That's why Oracle and Cyber-Ark are teaming to offer a single source for all enterprise password needs. Cyber-Ark's Enterprise Password Vault (EPV) enables organisations to secure, manage, automatically change and log all activities associated with all types of Privileged Passwords by:
Protecting: With EPV, you gain a secure Vault in order to store, protect and manage access to Privileged User Passwords at a centralised point. In addition, Cyber-Ark's patented Vaulting Technology utilises a fully integrated model of critical security layers, interwoven to meet the highest security needs.
Controlling: The unique access control and audit mechanisms of the Vault control and track any access to privileged accounts.
Complying with Audit Regulations: EPV makes it easy to create audit reports required by Sarbanes-Oxley, PCI and more, to easily track which users have access to privileged accounts, who accessed them, when and for what purposes.
Streamlining the management of Privileged accounts: EPV enables the instant and automatic changing of passwords for thousands of servers, network devices, databases and applications, including scripts and parameter files, based on enterprise policies. As changing passwords of such accounts is extremely complicated to be done manually, EPV provides an automated, smooth and robust solution.
CP: What are the top security hazards plaguing the industry currently?
CM: According to a report published in December 2006 by the U.S. Secret Service together with Carnegie Mellon University’s Software Engineering Institute CERT Program, eighty-six percent of people who carried out insider sabotage held technical positions and ninety percent had system administrator or privileged system access, which meant they held the passwords to over-ride the system and access the network!
Sally Hudson, research manager for IDC’s Security Services and Identity Management Products program and author of the report, comments on the privileged password dilemma: "Our research shows that managing privileged passwords is a security conundrum," she says. "Not only do privileged passwords pose a security threat, but maintaining, storing, changing and monitoring privileged passwords and their users is an expensive and daunting task. In particular, there are thousands of privileged passwords at all levels – devices, embedded, laptops, etc. – and the cost of changing them on a routine basis is difficult to do manually in any effective way. IDC estimates that it takes approximately US $30 in man hours/labor to change the Sys-admin password on a single Microsoft Exchange Server.”
"IDC believes that the risk can be significantly mitigated by implementing policies which demand special treatment for privileged passwords,” according to Hudson. “These include the ability to disable an employee’s system access promptly upon employee termination; enforcing a company-wide password change on a regular basis and implementing reliable auditing and reporting systems. Furthermore, companies such as Cyber-Ark that offer a Privilege Password Management solution are well-positioned to assist organisations in preventing unwarranted insider attacks.”
CP: What are the challenges faced by the Indian security when compared globally?
CM: Being compliant has become a major focal point for most large organisations, but this for all practical purposes should be a goal for Risk Management and IT Security in every organisation. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners, and contracted staff, who may have privileged user rights, comply with company policies when it comes to handling company assets.
For those organisations who also need to meet public standards, the level of media exposure that has resulted from high profile cases in the United States means that most people in the IT Security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.
Additionally many organisations are adopting best practices by implementing standards such as ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.
The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally they are an important factor in reducing the costs associated with collating the information.
For any organisation that needs to comply with standards, the IT security department in an organisation must be able to demonstrate to the rest of the organisation, and to those external parties that monitor the activities, that the effectiveness of IT controls is adequate.
Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organisation. This can be especially demanding when an organisation is present in different geographical locations. So the effectiveness of the controls and the reporting tools within the IT security departments is critical both to achieving a successful audit, and limiting the amount of resource that is required to deliver the necessary information. Ultimately you are answering the questions: do you have the important controls in place, have you implemented effective change management and are your access controls effective – and of course can you prove it.
A major challenge facing organisations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff.
Today almost all risk results from internal threats and because many organisations focus their investment in protecting against the external threat, they are often not adequately prepared to protect against the internal risks. Any organisation that has an IT infrastructure relies heavily on databases, and database security practice will always be scrutinised very closely by auditors, including everyone or every process that accesses that database.
CP: How important is it to secure passwords on an individual level as well as on an organisational level? Is it equally important for small-sized or mid-sized businesses?
CM: For individual users, authentication solutions such as PKI or RADIUS should be used if possible to provide stronger authentication. If passwords are the way of authenticating, individual users should be required to use physical devices such as encrypted USB sticks for passwords.
All inactive accounts should be disabled after 60 days and deleted after 90 days. This control is critical in large organisations, which can have hundreds of people come and go every few months. Meanwhile, the complexities of the HR process can make it hard to scrub inactive accounts from an AD environment. Throw in weak password policies, and you have the makings of substantial risk from inactive accounts.
Within an IT department, this issue takes on a whole new complexity since staff is frequently assigned new privileged user roles and the privileged user accounts that are used to access systems will never actually become inactive. For example it will frequently be the case that a particular privileged user administrative or privileged user account will not be accessed during a two-month period, but due to the nature of the account, the account can never be disabled or deleted.
However it is critical that the individuals who have access to these privileged user accounts be disabled/deleted if they are no longer tasked with responsibility, or have left the organisation. This becomes especially critical in outsourcing scenarios. Procedures should be in place to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access must be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.
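The account-lifecycle rules in the last two answers (disable personal accounts after 60 days of inactivity, delete after 90, revoke terminated users at once, but never auto-disable a shared privileged account and instead review who holds it) are concrete enough to encode as a review script. The following Python is an added example written for this page; it is not Cyber-Ark's or Oracle's code and has no connection to Enterprise Password Vault. The account records, the staff roster and the rotate-on-departure rule for shared passwords are constructed assumptions for the illustration.

```python
"""Inactive-account review: 60/90-day rule for personal accounts, holder review
for shared privileged accounts. All account and staff data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

DISABLE_AFTER_DAYS = 60   # personal accounts: disable after 60 days inactive
DELETE_AFTER_DAYS = 90    # personal accounts: delete after 90 days inactive


@dataclass
class Account:
    name: str
    last_login: Optional[date]                      # None: never logged in
    privileged: bool = False                        # shared root/Administrator/DBA-style
    holders: list = field(default_factory=list)     # staff who know the shared password
    created: Optional[date] = None                  # used when last_login is None


def inactive_days(acct: Account, today: date) -> int:
    """Days since last use; a never-used account counts from its creation date."""
    ref = acct.last_login or acct.created or today
    return (today - ref).days


def personal_account_action(acct: Account, active_staff: set, today: date) -> str:
    """Terminated users are revoked immediately; otherwise apply the 60/90 rule."""
    if acct.name not in active_staff:
        return "revoke-terminated"
    days = inactive_days(acct, today)
    if days >= DELETE_AFTER_DAYS:
        return "delete"
    if days >= DISABLE_AFTER_DAYS:
        return "disable"
    return "ok"


def privileged_account_actions(acct: Account, active_staff: set) -> list:
    """A shared privileged account is never disabled for inactivity. Instead,
    every holder who is no longer active staff loses access, and because the
    password is shared it must be rotated once anyone is removed (assumption)."""
    departed = [h for h in acct.holders if h not in active_staff]
    actions = [f"revoke:{h}" for h in departed]
    if departed:
        actions.append("rotate-password")
    return actions or ["ok"]


def review(accounts, active_staff, today):
    """Map each account name to the list of actions the policy requires."""
    report = {}
    for acct in accounts:
        if acct.privileged:
            report[acct.name] = privileged_account_actions(acct, active_staff)
        else:
            report[acct.name] = [personal_account_action(acct, active_staff, today)]
    return report


# Constructed sample data (not taken from the article).
TODAY = date(2007, 6, 14)
ACTIVE_STAFF = {"jdoe", "asmith", "bwong", "newhire"}
SAMPLE_ACCOUNTS = [
    Account("jdoe", TODAY - timedelta(days=10)),
    Account("asmith", TODAY - timedelta(days=70)),
    Account("bwong", TODAY - timedelta(days=100)),
    Account("newhire", None, created=TODAY - timedelta(days=65)),
    Account("tmiller", TODAY - timedelta(days=2)),          # left the company
    Account("root@db01", TODAY - timedelta(days=80), privileged=True,
            holders=["asmith", "contractor1"]),            # contractor1 is gone
    Account("Administrator@fs02", TODAY - timedelta(days=3), privileged=True,
            holders=["jdoe"]),
]

if __name__ == "__main__":
    for name, actions in review(SAMPLE_ACCOUNTS, ACTIVE_STAFF, TODAY).items():
        print(f"{name:22} {', '.join(actions)}")
```

The point of the split is the one the interview makes: inactivity is the wrong signal for a shared privileged account, so the review keys on the people behind it rather than on the last-login timestamp, and feeds the resulting revocations and password rotations to whatever vault or change process the organisation uses.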