Before Edward Snowden there was Terry Childs, the original poster boy for everything that can go wrong when an organization doesn’t lock down and audit access to its powerful privileged passwords, from insiders as well as outsiders.
Childs, you may recall, was a City of San Francisco network administrator who made headlines five years ago after refusing to give his bosses the administrator passwords that granted access to the router network he helped build. His stubborn showdown with management supposedly stemmed from fear of a pending termination.
As a result, the city of San Francisco had no administrative control over its FiberWAN for 12 days. According to the Assistant District Attorney who prosecuted Childs, it cost about $900,000 to clean up the mess.
Childs was back in the news this week after a California appeals court upheld his four-year prison sentence.
As with the now infamous Snowden affair, this unfortunate incident could have been prevented – or at least significantly minimized.
Control Privileged Access
Privileged accounts are often referred to as “the keys to the IT kingdom” for a reason. These “god” accounts allow anyone who knows the account passwords to access systems that contain sensitive data, install or remove programs, and reconfigure systems.
It’s astonishingly common in both corporate and government networks to share these administrator passwords across multiple systems. It’s also common for them to remain unchanged for extended periods of time, and to be used without any access control or audit records. Bad policies all.
Here’s a better idea. Get control over privileged accounts. Start by generating unique and complex passwords for every individual account on the network. And then change these passwords frequently (no more shared or static passwords). Then, make sure you’re securely storing current passwords and making them available only to delegated personnel, for audited use, for a limited time (no more anonymous and unlimited privileged access – for anyone).
Better still – automate the entire process with an enterprise-level privileged identity management solution. Otherwise expect the next Terry Childs or Edward Snowden type insider threat soon.
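The controls listed above (unique random passwords per account, delegated and time-limited checkout, an audit record, rotation after use) can be sketched in a few lines. This is an added illustration, not any product's code; the class, account and user names are hypothetical, and rotation here only updates the in-memory store, whereas a real system would also push the new password to the target device.

```python
# Added illustration; class, account and user names are hypothetical.
import secrets, string, time
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

class PrivilegedVault:
    """In-memory sketch: unique passwords, delegated time-boxed checkout, audit trail."""
    def __init__(self, delegates, lease_seconds=900, clock=time.time):
        self.delegates = delegates      # account -> set of users allowed to check it out
        self.lease_seconds = lease_seconds
        self.clock = clock
        self.passwords = {}             # account -> current password
        self.leases = {}                # account -> (user, expiry time)
        self.audit = []                 # (timestamp, user, account, event)
        for account in delegates:
            self._rotate(account, "system")

    def _log(self, user, account, event):
        self.audit.append((self.clock(), user, account, event))

    def _rotate(self, account, user):
        # A fresh random value per account: nothing shared, nothing static.
        self.passwords[account] = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._log(user, account, "rotated")

    def expire_leases(self):
        # Rotate any password whose lease ran out, so the disclosed value stops working.
        for account, (user, expiry) in list(self.leases.items()):
            if self.clock() >= expiry:
                del self.leases[account]
                self._log(user, account, "lease_expired")
                self._rotate(account, "system")

    def checkout(self, user, account, reason):
        self.expire_leases()
        if user not in self.delegates.get(account, set()):
            self._log(user, account, "denied")
            raise PermissionError(f"{user} is not delegated for {account}")
        if account in self.leases:
            self._log(user, account, "denied_in_use")
            raise RuntimeError(f"{account} is already checked out")
        self.leases[account] = (user, self.clock() + self.lease_seconds)
        self._log(user, account, f"checkout: {reason}")
        return self.passwords[account]

    def checkin(self, user, account):
        if self.leases.get(account, (None,))[0] != user:
            raise PermissionError(f"{user} holds no lease on {account}")
        del self.leases[account]
        self._log(user, account, "checkin")
        self._rotate(account, "system")
```

Every checkout, denial, expiry and rotation lands in `audit`, so no use of a privileged password is anonymous.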