It’s been an active season for criminal hackers, rogue IT administrators and others with vindictive motives and the ability to exploit weak and outdated security systems. Let’s recap with a look at just a few of the security breach fiascos we’ve seen in recent months:
- A vengeful fired IT administrator logged into his former account, deleted 15 virtual machines and inflicted an estimated $800,000 in damages;
- A Bank of America employee leaked hundreds of customers’ confidential account information to scammers, resulting in more than $10 million in losses;
- Hackers broke into the PlayStation Network and made off with the personal information of more than 77 million members – an incident that’s been called the fifth largest data breach ever.
I could easily list a dozen or more similar examples, but I won’t. Since you’re reading this blog, these security breaches are old news to you. You’re most likely aware of the risk that determined criminal hackers outside your organization, as well as malicious (and mistake-prone) insiders, can pose to your confidential data, regulatory compliance status and reputation.
And to take the severity of the situation a step further, Roger Grimes points out in a recent column that a striking difference between the breaches in today’s headlines, versus those from years past, is the sophisticated level of criminal attack motivated by financial gain. Gone are the days when most hacks were mere nuisance events with little, if any, harmful impact.
“We are in a new computer security world now,” Roger writes, and I agree. We all realize that we’re well past the age when an IT group could run antivirus software, put up a firewall, update Windows patches and thereby maintain a tolerable level of security.
However, based on my years of experience working with some very large and prominent enterprises, I’ve learned that there are some frequently overlooked security practices that organizations could begin implementing today in order to increase their security postures quickly. Here are several suggestions for maintaining tight control over critical systems and data in the modern enterprise:
Employee Only Access: As the Shionogi story proved, just because you terminate a troublesome IT administrator doesn’t mean you’ve seen the last of him. Dismissing a wayward employee is more than an HR formality. Particularly for IT staff, once you’ve decided to part ways with an employee you must immediately revoke any logins that might be used to access your organization’s systems. Pay particular attention to privileged account access that IT personnel use to install systems and applications, change configuration settings, and generally obtain free rein throughout the IT infrastructure.
Document Access Points: Shutting off privileged access to former employees and contractors is one thing; knowing exactly what needs to be shut off is a different matter. Privileged accounts reside on almost every server and workstation operating system, line-of-business application, database, Web service, and hardware appliance in the IT infrastructure. Yes, there are a lot of them. If you’re in a large organization, you most likely have thousands of such accounts, including some that you don’t even know are there. But each one of these accounts represents a potential entry point into your network. So find them, track them and keep the list current.
Beyond Password Management: You probably have a password policy for user logins – complexity, change frequency and so on. That’s important, but if you’re not managing privileged passwords, the logins for the powerful privileged accounts described above (including process and service accounts that human users may not even see), you’re not going to prevent the types of serious, criminally organized data breaches mentioned at the beginning of this post. Once you’ve documented where the privileged accounts reside in your infrastructure you need to set up each account with its own unique and cryptographically complex password and then track access.
Prove It: How do you track access to privileged accounts? With detailed reports that show which IT admins use privileged account passwords, when and for what purpose. By maintaining this level of oversight on privileged access, you’re not only discouraging abuse of these accounts, you’re providing an audit trail leading back to the precise cause if a problem does occur. These reports should be run frequently, made available to IT management and executive staff, and be accessible on demand to regulatory compliance auditors.
Limit Exposure: Keep your privileged account passwords available only to audited users on a need-to-know basis. With time-limited access and frequent changes to passwords, there are no static passwords sitting on sticky notes, in shared spreadsheets or in a sys admin’s memory. And that means no tricky social engineering exploit or rogue IT staffer can use knowledge of a privileged account password to wreak mayhem in your network. Take it one step further and use remote logins so that your delegated users and contractors never actually see the passwords that grant them elevated access.
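The five practices above (revoke access at termination, inventory the privileged accounts, give each one a unique random password, audit every use, and keep access time-limited with rotation) fit together as one workflow. The following is an added example written for this post, not code from the post or from any privileged identity management product; it models that workflow as a small in-memory vault. The hosts, usernames, admin names and the fixed clock are constructed, and `Vault` and its method names are hypothetical.

```python
"""Minimal privileged-account vault (added example, not the post's or a vendor's code).
Hosts, usernames, admin names and the clock are constructed for illustration."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
BASE_TIME = datetime(2011, 6, 1, 9, 0, tzinfo=timezone.utc)         # constructed clock


def clock(minutes: int = 0) -> datetime:
    """Deterministic 'now' so the example runs the same way every time."""
    return BASE_TIME + timedelta(minutes=minutes)


def generate_password(length: int = 24) -> str:
    """Cryptographically random password; 24 symbols from 94 is roughly 157 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    host: str
    username: str
    password: str = field(default_factory=generate_password)  # unique per account
    checked_out_by: Optional[str] = None
    expires_at: Optional[datetime] = None


class Vault:
    """Inventory, need-to-know time-limited checkout, audit trail, rotation, offboarding."""

    def __init__(self, lease_minutes: int = 60) -> None:
        self.accounts: Dict[Tuple[str, str], PrivilegedAccount] = {}
        self.authorized: Dict[str, Set[str]] = {}  # admin -> hosts they may use
        self.audit: List[dict] = []                # append-only audit trail
        self.lease = timedelta(minutes=lease_minutes)

    def _log(self, event: str, actor: str, host: str = "", user: str = "", **extra) -> None:
        self.audit.append({"event": event, "actor": actor, "host": host, "account": user, **extra})

    # Document Access Points: record every privileged login found on a host.
    def inventory(self, host: str, usernames: List[str]) -> None:
        for user in usernames:
            if (host, user) not in self.accounts:
                self.accounts[(host, user)] = PrivilegedAccount(host, user)
                self._log("discovered", "scanner", host, user)

    def grant(self, admin: str, host: str) -> None:
        self.authorized.setdefault(admin, set()).add(host)

    # Prove It / Limit Exposure: need-to-know, time-limited, purpose recorded.
    def checkout(self, actor: str, host: str, user: str, purpose: str, now: datetime) -> str:
        acct = self.accounts[(host, user)]
        if host not in self.authorized.get(actor, set()):
            self._log("denied", actor, host, user, purpose=purpose, time=now.isoformat())
            raise PermissionError(f"{actor} is not authorized for {host}")
        if acct.checked_out_by and acct.expires_at and acct.expires_at > now:
            raise RuntimeError(f"{user}@{host} is held by {acct.checked_out_by}")
        acct.checked_out_by, acct.expires_at = actor, now + self.lease
        self._log("checkout", actor, host, user, purpose=purpose,
                  time=now.isoformat(), expires=acct.expires_at.isoformat())
        return acct.password

    def _rotate(self, acct: PrivilegedAccount, reason: str, actor: str) -> None:
        acct.password = generate_password()  # anything memorised or written down is now useless
        acct.checked_out_by = acct.expires_at = None
        self._log("rotated", actor, acct.host, acct.username, reason=reason)

    def checkin(self, actor: str, host: str, user: str) -> None:
        self._rotate(self.accounts[(host, user)], "checkin", actor)

    def expire_leases(self, now: datetime) -> int:
        """Rotate every account whose lease has lapsed; returns how many were rotated."""
        lapsed = [a for a in self.accounts.values() if a.expires_at and a.expires_at <= now]
        for acct in lapsed:
            self._rotate(acct, "lease_expired", "vault")
        return len(lapsed)

    # Employee Only Access: revoke at termination and rotate anything the person held.
    def offboard(self, by: str, departing: str) -> int:
        self.authorized.pop(departing, None)
        held = [a for a in self.accounts.values() if a.checked_out_by == departing]
        for acct in held:
            self._rotate(acct, f"offboarded:{departing}", by)
        self._log("offboarded", by, user=departing)
        return len(held)

    def report(self) -> List[dict]:
        """Who used (or was refused) which privileged account, when and why."""
        return [e for e in self.audit if e["event"] in ("checkout", "denied")]

    def passwords_unique(self) -> bool:
        return len({a.password for a in self.accounts.values()}) == len(self.accounts)


if __name__ == "__main__":
    v = Vault(lease_minutes=30)
    v.inventory("db01", ["root", "oracle"])
    v.grant("alice", "db01")
    v.checkout("alice", "db01", "root", "apply patch", clock(0))
    v.checkin("alice", "db01", "root")
    for entry in v.report():
        print(entry)
```

A real deployment would hold the passwords in an encrypted store, push the rotated value to the target system, and keep the audit log append-only and off-box; the point here is the shape of the controls, not the storage.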
All of this may seem like a daunting endeavor, but consider the ramifications if you were involved in one of the high-profile, costly data breaches discussed at the top of this post. No one can predict where the next attack may be perpetrated, so incorporating these measures into your existing security practices could prevent a tremendous amount of turmoil for you down the road.
Of course I’d be remiss if I didn’t tell you that there are privileged identity management solutions available now that can automate all of the functionality I described above.