Where I come from there is an old saying that goes something like this: If you don’t like the weather, just wait five minutes. But while the weather might not change as frequently where you are, there is one thing that should change more frequently: your privileged passwords. Why? If you’re like more than 25% of companies out there, your current IT environment contains unmanaged accounts that put you at risk of data breaches and compliance violations, and you don’t have a process to control those accounts.
To check, ask yourself these two questions:
- When was the last time your organisation’s privileged account passwords were rotated and randomised (e.g., local or domain shared administrator accounts; users’ personal admin accounts; service, operating system, network device, database (A2DB) and application (A2A) accounts; or even SSH keys)?
- Regardless of your answer to the first question, are you confident that every privileged account is managed, and that there are no rogue accounts with old, outdated passwords?
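One way to answer both questions for an Active Directory estate is to enumerate every user reachable through the built-in privileged groups and flag passwords that are stale, never set or exempt from expiry. This is an added example, not code from the original post or from BeyondTrust; the group list, the 90-day threshold and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and read access to the directory. Group names and the 90-day cutoff
# are assumptions; adjust them to your own policy.
Import-Module ActiveDirectory

$MaxAgeDays       = 90
$Cutoff           = (Get-Date).AddDays(-$MaxAgeDays)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators')

# Walk nested membership so accounts hidden behind intermediate groups are found
$Members = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}

# Service accounts carrying an SPN are often missed by group-based reviews
$ServiceAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)'

$Report = @($Members) + @($ServiceAccounts) |
    Sort-Object -Property DistinguishedName -Unique |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate,
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } }

# Anything here is a candidate "rogue" account: password older than policy,
# never set (e.g. created with a blank history), or flagged to never expire.
$Report | Where-Object {
    -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff -or $_.PasswordNeverExpires
} | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Exporting `$Report` with `Export-Csv` on a schedule gives a baseline you can diff between runs, so newly appearing privileged or service accounts stand out.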
Across all industries, it’s absolutely crucial to be aware of how old your privileged account passwords are, and to change them on a regular basis. For example, 79% of respondents believe privileged users access sensitive and confidential information out of simple curiosity.
Take a look at the Anthem, Sony, Target, Home Depot, JP Morgan and eBay breaches from late 2013, 2014 and 2015:
- Anthem Health Insurance: 80 million individuals whose names, emails, phone numbers and addresses were stolen.
- Target: 70 million individuals – compromised by a phishing attack on a third-party supplier with privileged credentials to the Target network. Malware was deployed and settled in the POS system gaining access to payments data.
- Home Depot: 53 million individuals at a cost of $148 million to fix – compromised through another third-party vendor’s username and password.
- JP Morgan: 76 million households and 7 million businesses – compromised through a single employee’s password.
- eBay: 145 million accounts compromised – attackers compromised a small number of employees.
- And then the infamous Sony Pictures breach – the hackers claim to have taken over 100 terabytes of data from Sony. In first quarter financials, Sony Pictures set aside $15 million for legal fees. Not to mention lost revenue from The Interview. And that’s just the beginning.
Despite these high-profile breaches, it’s clear that organisations are still playing catch-up when it comes to reining in their passwords. According to our own recent survey of 728 IT decision makers, 51% of respondents without a privileged access management policy in place manage passwords “individually.” This could include users sharing passwords on an ad hoc basis, or simply keeping them in memory. 35% indicate that shared passwords are controlled “locally,” including in spreadsheets, password vaults, SharePoint, Post-Its and Active Directory.
Consider the potential security and compliance ramifications of these three scenarios on your organisation:
- Former employees. When an employee with privileged access leaves the company, they don’t simply forget their old passwords. Whether they leave on a good note or not, former employees pose a threat to your organisation’s protected information as long as those passwords remain valid.
- Outsider Threats. Static passwords present an open door for hackers to use brute force tactics to access a company network—which aids them in faster in-and-out attacks that can go unnoticed for months.
- Insider Threats. Only certain employees should have access to privileged systems and data, and it would be foolish for IT administrators to put faith in their employees to self-manage their access. The moment a password is written on a Post-It, shared with another employee or saved to a Word document, it becomes a security and compliance liability for the entire organisation.
Go look out the window. Is the weather different than when you started reading this blog? Wouldn’t you say that changing privileged passwords should be more frequent than that? If you’re interested in preventing static passwords from putting you in the headlines, request a free trial of our privileged password and privileged session management solution today!
Editor’s Note: The above post was originally published in September 2014. It has been revamped and updated for accuracy and timeliness.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.