- Apathy - Among password practices, organizations believe that the threat level is highest for users sharing passwords with other users (79%). While organizations are generally well aware of the perils of sharing passwords, a relatively large number of respondents, 22%, report that bad password practices still persist.
- Greed - The practice of allowing users to run as administrators on their machines is recognized by study respondents as the highest threat level (71%) among privilege management malpractices. Although the risk is recognized, an astounding 38% of respondents report that it is still common for users to run as administrators on their machines, and 22% of respondents say this practice has caused downtime. Why are end users still allowed to have administrator rights when removing all excessive privileges is basic security hygiene?
- Pride - 18% of respondents claim that attacks that combine privileged access with the exploitation of an unpatched vulnerability are common. When combined with eliminating local administrator rights on end users’ machines, properly patching system vulnerabilities can close off most of today’s commonly reported attack vectors like ransomware. These threats thrive on system weaknesses and excessive access rights in order to move laterally.
- Ignorance - 68% of respondents consider least privilege on Unix/Linux an important PAM function. While 86% of respondents believe their Unix/Linux environments have the highest level of protection, 54% of respondents still run Sudo on at least one Unix/Linux server, and 39% still run it on workstations. Respondents report that Sudo's shortcomings include that it is time-consuming and complex and lacks policy version control and synchronization, making it a poor security practice.
- Envy - A surprising 37% of respondents report that they are not extending protection to SaaS applications and new cloud initiatives. Privileged access must be secured consistently across all resources. There is a form of envy in the belief that the cloud just does not need these initiatives; that is just not true.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.