After organizations suffer repeat IT security audit failures their management (primarily CSOs and CISOs) often ask us how to remediate the findings. The good news is that technology exists that can quickly bring real accountability to DBA accounts…
The truth is that privileged identity management (or privileged account password management) software is not a commodity and should not be purchased based on checkboxes and up-front fees alone.
Use of a password vault might keep the privileged identity problem out of sight from auditors, but it disguises the fact that the spreadsheets often contain never-changing passwords known to too many individuals inside and outside of IT.
The proposed Lieberman-Collins bill S 3480 “Protecting Cyberspace as a National Asset Act of 2010” has been criticized in the mainstream media as insufficient for securing US infrastructure from cyber attacks. The critics don’t seem to realize that the legislation is not intended to be an all-encompassing bill. Securing cyberspace will require more than a single piece of legislation. This bill represents no small step, and in light of the present threat environment it’s a great beginning.
Hackers, as part of their initial intrusion, will extract all of the passwords stored and used on the compromised machine, decrypt them at their leisure (see rainbow table attacks), and then come back into a company’s systems via the initially compromised machine and use these credentials to access virtually every system in the company. From there, the attacker can plant more collection software in a matter of minutes. This is known as the common administrator password flaw, and it is how the famous Conficker virus spread.
Safeguarding a cloud infrastructure from unmonitored access, malware and intruder attacks grows more challenging for service providers as their operations evolve. And as a cloud infrastructure grows, so too does the presence of unsecured privileged identities.
Security awareness tends to follow one principle: companies are only willing to fix their problems when they are being fined, or when their lack of security lands them in the newspaper. But, just as memories fade in time, the commitment to security fades quickly once a breach blows over and everyone moves on. Hopefully, more companies will begin to realize that regulatory compliance and IT security are not necessarily the same thing.
There’s just too much misinformation out there about securing application credentials.
In general, there are plenty of governance and compliance frameworks that minimize risk and improve operational security and reliability. But true security is an ongoing strategic imperative that requires a fundamental shift in IT operations.
All too frequently these hard-coded credentials create an ASP.NET security hole because they grant unlimited access to corporate databases or are super-user (root and administrator) accounts with unlimited, domain-wide access.