The goal of any security program is to stop or mitigate a threat. To resolve the administrative-credential threat, you must change administrator passwords regularly and make each one unique.
In many of the IT shops I’ve seen, all the systems have the same administrator account name and the same basic password. And, in most of these cases, this password has not been changed since the systems were deployed.
…whether you are an individual with a new year’s resolution to get to the gym or an enterprise seeking to improve security, achieving your goals can be difficult without knowing the individual steps needed to move forward.
The important thing to know is that Identity and Access Management (IAM) systems generally don’t provide PIM or PUM capabilities, since privileged identities are associated with hardware and software assets rather than with the individual user identities that IAM controls.
Paul Roberts posted an interesting story on Threatpost about the limitations of conventional password security.
Hackers, as part of their initial intrusion, will extract all of the passwords stored and used on the compromised machine, crack them offline at their leisure (see rainbow table attacks), and then come back into the company’s systems via the initially compromised machine and use these credentials to access virtually every system in the company. From there, the attacker can plant more collection software in a matter of minutes. This is known as the common administrator password flaw, and it is how the famous Conficker virus spread.
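An audit that surfaces the flaw described above, added here as an example and not code from the original post: it runs over a constructed inventory of local administrator accounts (placeholder hash strings, not real hashes) and reports which hosts share one credential hash and which passwords are older than the rotation policy. The function names and the 90-day policy are assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory: one record per host for its local administrator account.
# "hash" is a placeholder for the stored credential hash (e.g. an NT hash) and is
# not a real value; "last_changed" is when the password was last rotated.
INVENTORY = [
    {"host": "web01",  "account": "Administrator", "hash": "hash_A", "last_changed": date(2019, 3, 1)},
    {"host": "web02",  "account": "Administrator", "hash": "hash_A", "last_changed": date(2019, 3, 1)},
    {"host": "db01",   "account": "Administrator", "hash": "hash_A", "last_changed": date(2019, 3, 1)},
    {"host": "jump01", "account": "Administrator", "hash": "hash_B", "last_changed": date(2024, 1, 15)},
    {"host": "hr01",   "account": "hradmin",       "hash": "hash_C", "last_changed": date(2021, 6, 1)},
]

# Assumed audit date and rotation policy (90 days) for the example.
AUDIT_DATE = date(2024, 3, 1)
MAX_AGE_DAYS = 90


def shared_credentials(inventory):
    """Group hosts by credential hash. Any group larger than one means a single
    password unlocks several machines: the common administrator password flaw."""
    by_hash = defaultdict(list)
    for rec in inventory:
        by_hash[rec["hash"]].append(rec["host"])
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


def stale_credentials(inventory, today, max_age_days):
    """Hosts whose administrator password is older than the rotation policy allows."""
    return sorted(rec["host"] for rec in inventory
                  if (today - rec["last_changed"]).days > max_age_days)


def run_audit(inventory=INVENTORY, today=AUDIT_DATE, max_age_days=MAX_AGE_DAYS):
    """Combine both checks into one report; both lists should be empty on a
    fleet where every administrator password is unique and rotated on schedule."""
    return {
        "shared": shared_credentials(inventory),
        "stale": stale_credentials(inventory, today, max_age_days),
    }


if __name__ == "__main__":
    report = run_audit()
    for h, hosts in report["shared"].items():
        print(f"shared credential {h}: {', '.join(hosts)}")
    print("stale passwords:", ", ".join(report["stale"]))
```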