For those of us that make a habit of catching the nightly news, each day often seems like a replay of the previous: “Major Data Breach of Huge Corporation, details at 11.” And then you ask yourself, “could this happen to my organization?”
Well, it can and probably will if you don’t take the proper precautions now. Ensuring strong access controls around your organization’s information resources could prevent many of the breaches that occur today. More importantly, you must control access to your privileged accounts. These accounts govern the most important information assets in your organization. In the wrong hands, your privileged accounts represent your biggest threat.
The most damaging cyberattacks occur when privileged credentials are stolen, giving attackers the same level of access as the internal employees who manage your information systems. This puts your organization at the mercy of your attackers’ nefarious intentions.
Privileged Credential Security and Compliance
Securely managing your privileged passwords is essential to controlling access to your most crucial accounts. Privileged password security (also called privileged password management) is a type of password management used to secure the credentials for login IDs that possess elevated security privileges.
Today, it’s essential to implement and enforce password protection policies, not only to prevent unauthorized access, but also to meet a growing litany of compliance mandates. An organization’s compliance, regulatory, and internal drivers will vary based on its specific industry and market. Some prominent regulations affecting many organizations include:
- Sarbanes-Oxley (SOX), which applies to all public companies in the US and to international companies doing business in the US. SOX audits focus on how the enterprise secures financial information and assures the complete accuracy of its financial reporting and disclosure.
- Payment Card Industry Data Security Standard (PCI-DSS) - though not a government-driven regulation, PCI-DSS enforces standards across organizations that store, process, and/or transmit cardholder data.
- Gramm-Leach-Bliley Act (GLBA), which requires that “financial institutions” provide adequate protection around customer data.
Updating Privileged Password Management Practices to Meet Modern Threats
While protecting privileged credentials has been a concern for many years, traditional password security practices were manual and immature. Some of the common, early password management tactics used include:
- Physically storing and controlling passwords. I can remember when privileged passwords were written on paper, sealed in an envelope, and stored in a safe, with a custodian controlling access. This process-based solution was referred to as a ‘firecall ID.’
- Using an application to store and control the password. Privileged passwords were stored in an excel document, word document, or database until needed.
These methods had some obvious problems. The envelope method is impossible to scale and is totally manual, requiring a process to ensure that an accurate inventory was maintained. Application-based solutions were not designed for trust and accountability, and suffered from security issues associated with storage and access.
Next, came a number of commercial technology-based solutions:
- Identity management solutions, which attempt to reduce the number of passwords you are required to manage by allowing technology to create a mapping of a single credential to multiple credentials. However, these solutions don’t address the shared administrative accounts issue. Because shared accounts are not ‘owned’ by any one individual, there is no way to reduce the number of required IDs.
- Self-service password reset tools, which attempt to allow users to reset an unknown password using a known password. This hypothetically could help with the shared administrative accounts problem since the admin account could have a new password generated when needed. However, this approach requires the target system to be functioning in normal multi-user mode with network accessibility. In many cases, the shared administrative account is needed to restore a system that has ceased to function normally.
- Password storage tools, which provide an alternative to envelopes, but don’t address the issue of managing the account on the target system. While they solve part of the problem, they leave in place the majority of the manual processes needed to update and manage the target account.
6 Tips for Protecting Your Privileged Passwords
When it comes to ensuring robust protection for your privileged credentials today, apply these six tips:
Tip 1: Use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
A password is a single factor of authentication. The type of account or information the password is protecting should determine what additional security controls you need. For privileged accounts, 2FA or MFA should always be used along with a password.
Tip 2: Create Long, Strong & Complex Passwords
The strength of a password comes down to how easily someone can guess it using brute-force or cracking attacks. So, when creating a password, make it unique and not easily guessable. Make your passwords at least 8 characters long, but the longer, the better. Also, I recommend that you consider using passphrases, which are a combination of words that you know plus only a few special characters like ?%&@!, instead of passwords. A long, strong passphrase combined with 2FA is going to be the best protection for your accounts. For more rules on how to create robust privileged credentials, check out this infographic.
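As an added example (not code from the original post), a Python policy check that applies the rules of this tip: the 8-character minimum, a preference for passphrases, a worst-case brute-force guess-space estimate, and a check against a small constructed list of common passwords, since charset math means nothing if the password is on such a list. The word-list size, guessing rate, blocklist, and the three-word passphrase threshold are assumptions.

```python
import math
import re

MIN_LENGTH = 8                   # minimum length stated in the tip above
SYMBOLS = 33                     # printable ASCII punctuation characters
ASSUMED_DICT_SIZE = 7776         # words per passphrase word list (assumption, not from the page)
ASSUMED_GUESSES_PER_SEC = 1e10   # offline cracking rate for the time estimate (assumption)

# Constructed mini blocklist standing in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "admin", "welcome", "letmein", "qwerty"}
LEET = str.maketrans("0@3$1!", "oaesii")


def normalize(pw: str) -> str:
    """Undo common substitutions so 'P@ssw0rd' is recognised as 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_passphrase(pw: str) -> bool:
    return len(pw.split()) >= 3   # three or more words counts as a passphrase here (assumption)


def charset_size(pw: str) -> int:
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOLS
    return size


def guess_space_bits(pw: str) -> float:
    """log2 of the worst-case brute-force guess count: charset^length for character
    passwords, dictionary^words (plus any symbols) for passphrases."""
    if not pw:
        return 0.0
    if is_passphrase(pw):
        specials = sum(1 for c in pw if not c.isalnum() and not c.isspace())
        return len(pw.split()) * math.log2(ASSUMED_DICT_SIZE) + specials * math.log2(SYMBOLS)
    return len(pw) * math.log2(charset_size(pw))


def evaluate(pw: str) -> dict:
    bits = guess_space_bits(pw)
    years = 2 ** bits / ASSUMED_GUESSES_PER_SEC / (365 * 24 * 3600)
    return {
        "length_ok": len(pw) >= MIN_LENGTH,
        "guessable": normalize(pw) in COMMON_PASSWORDS,   # on a list: brute-force math is moot
        "passphrase": is_passphrase(pw),
        "bits": round(bits, 1),
        "years_to_exhaust": years,
    }
```

Note that "P@ssw0rd" passes the length rule and scores about 52 bits on charset math, yet is flagged as guessable, which is the point of the tip.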
Tip 3: Use a Password Manager
If you have many accounts and passwords to protect, you should use a password manager to secure them. A password manager helps track the age of each password, lets you know what additional security controls have been applied, and helps generate complex passwords for all your accounts. With the password manager, you only need to remember one strong password.
Tip 4: Use Encryption and Don’t Trust Anyone
Even if you use strong passwords or passphrases, it is still a responsible security practice to encrypt your critical information. Also, don’t trust ANYONE with your passwords. Even the most trusted individuals can screw up.
Tip 5: Password Age
Establish a regular rotation cycle for your passwords. The best practice for system passwords is to rotate them as frequently as required. A password manager can allow you to easily automate this process. My recommendation is to rotate passwords at least every 6 to 9 months. However, the more sensitive the password, the more frequently you should rotate it.
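As an added example (not code from the original post), a Python check over a constructed privileged-account inventory that flags passwords past, or close to, their rotation ceiling. The 6 to 9 month range comes from this tip; the 90-day ceiling for a "critical" tier is an assumption illustrating "more sensitive, more frequent", and the account names and dates are made up. In practice the inventory would come from the password manager that tracks each password's age (Tip 3).

```python
from datetime import date

# Rotation ceilings per sensitivity tier, in days (30-day months). The 9- and 6-month
# values follow the tip above; the 90-day "critical" ceiling is an assumption.
MAX_AGE_DAYS = {"standard": 270, "sensitive": 180, "critical": 90}

# Constructed sample inventory, not real data.
INVENTORY = [
    {"account": "root@db-prod-01", "tier": "critical", "last_rotated": date(2023, 1, 15)},
    {"account": "svc_backup", "tier": "sensitive", "last_rotated": date(2022, 12, 10)},
    {"account": "admin@wiki", "tier": "standard", "last_rotated": date(2022, 8, 1)},
    {"account": "DOMAIN\\Administrator", "tier": "critical", "last_rotated": date(2023, 5, 20)},
]


def password_age_days(entry: dict, today: date) -> int:
    return (today - entry["last_rotated"]).days


def rotation_due(inventory: list, today: date, warn_days: int = 14) -> list:
    """Return (account, status, days) for passwords that are overdue or due within warn_days.
    Unknown tiers raise rather than silently getting the most lenient ceiling."""
    findings = []
    for entry in inventory:
        tier = entry["tier"]
        if tier not in MAX_AGE_DAYS:
            raise ValueError(f"unknown sensitivity tier {tier!r} for {entry['account']}")
        age = password_age_days(entry, today)
        ceiling = MAX_AGE_DAYS[tier]
        if age > ceiling:
            findings.append((entry["account"], "overdue", age - ceiling))
        elif ceiling - age <= warn_days:
            findings.append((entry["account"], "due_soon", ceiling - age))
    return findings


if __name__ == "__main__":
    for account, status, days in rotation_due(INVENTORY, date(2023, 6, 1)):
        print(f"{account}: {status} ({days} days)")
```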
Tip 6: Use a Privileged Password Management Solution
Finally, this is my MOST IMPORTANT tip for you. With a privileged password management solution, you can create, share, and automatically change enterprise passwords. You can assign user permissions at any level, and track password usage with full audit reports. Privileged account management, also known as PAM, can be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, identity governance and administration, and behavior analytics. If you pay close attention to your privileged account security, you will be able to safeguard your organization in the most efficient and effective way possible.
As compliance regulations and audits continue to expand, the tolerance for manual or process-driven solutions to the management and control of privileged accounts and passwords becomes increasingly untenable. PAM systems will unquestionably make your organization more secure. Do this now, because it is truly a question of when—not if—your privileged accounts will be compromised.
For a deeper dive into the basics of privileged password management, watch my on-demand webinar: Privileged Password Management 101: Laying the Foundation for Success
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.