Vulnerabilities / Threats
10/19/2011
08:48 AM
Connect Directly
RSS
E-Mail
50%
50%

Are Your IT Pros Abusing Admin Passwords?

One in four IT professionals know of a coworker who has used privileged credentials to snoop. Worse, 25% of superuser passwords don't pass basic security test.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
One in four IT professionals say they know of at least one IT co-worker at their business who's used privileged login credentials to inappropriately access sensitive information. Furthermore, 42% report that IT staff freely share passwords and access to multiple business systems and applications.

Those findings come from a survey of 300 IT professionals--two-thirds of them working for businesses with 10,000 or more employees--recently conducted by Lieberman Software, which sells privileged identity management software.

When it comes to securing systems, experts recommend using long, random passwords that mix character types (uppercase and lowercase letters, symbols, and numbers), never reusing a password, and changing passwords with some frequency. But many end users fail to follow those recommendations unless faced with systems that automatically enforce password rules.

Interestingly, the survey found that the same holds true for many businesses' IT departments. In particular, 25% of survey respondents said that at least some of the superuser passwords that grant all-access rights to hardware, applications, or databases were less complex than the business' end-user password policies required. Furthermore, since many of these superuser passwords were shared freely between employees, spotting inappropriate, administrator-level access to sensitive data and tracing it back to the person responsible would be difficult.

[The feds are cracking down to force companies to disclose security breaches. Learn more: SEC Mandates Cyber Incident Reporting.]

Password sharing, however, arguably masks a bigger challenge, which is the sheer number of systems with which IT personnel must interact on a daily basis. Notably, the survey found that half of IT managers are asked to remember passwords to 10 or more systems. In such a scenario, aren't password management shortcuts inevitable?

"The issue has to do with the proliferation of systems, and the IT groups not having the resources to manage what's on their plate," said Philip Lieberman, president and CEO of Lieberman Software, in an interview. "This is an issue involving lack of adoption of technology, but also a lack of awareness at a senior level as to how bad the problem has gotten."

Many IT departments also take shortcuts when it comes to handling hardware and software that ships with well-known, default passwords. "Let's say you buy 20 switches from Hewlett-Packard, these switches come with a default account and password, and IT might install all of them and leave them with the factory defaults," he said. "Or say you buy Cisco switches and change their password, but you change all the switches to have the same password. So when someone leaves the company, or a device ends up on eBay, someone has the password to every switch. Or if a hacker breaks into one machine, figures out the password by cracking one hash, they get the password to all of the machines."

A related challenge is that administrator-level passwords may be changed infrequently, if at all. For example, 48% of survey respondents reported that privileged account passwords at their business had remained unchanged for at least 90 days. As a result, former employees may still know the passwords to key systems.

Might a failure to change passwords put a business in violation of various regulations, such as Sarbanes-Oxley, or the Payment Card Industry Data Security Standard? In general, regulations leave password policy specifics up to the business. That said, many auditors will advocate meeting regulatory requirements via an IT governance framework, such as COBIT (for control objectives for information and related technology), which recommends a number of password-related security measures, including changing initial passwords immediately upon first access.

"Some organizations take the auditor's report seriously," said Lieberman. "Others play shadow puppets and say we've done the best we can do. Others view it simply as a cost, and say, we'll take the risk."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
10/24/2011 | 9:37:20 PM
re: Are Your IT Pros Abusing Admin Passwords?
Keeping track of super user accounts is important for security. I know of situations where people who had no business with admin rights were able to access things they shouldn't have using accounts that may have had a purpose when they were created but basically had been forgotten about instead of retired (eg, former employees who left the business, guest accounts, etc).
Brian Prince, InformationWeek contributor
TFoire
50%
50%
TFoire,
User Rank: Apprentice
10/19/2011 | 9:02:31 PM
re: Are Your IT Pros Abusing Admin Passwords?
Thanks for your comment Ralph.

However, fast user switching seems like a good idea until you get so many people logged on the your system that it is unusable. We have the choice of either disabling FUS or having an admin periodically visiting all these stations and logging users off.
Ralph124
50%
50%
Ralph124,
User Rank: Apprentice
10/19/2011 | 8:47:44 PM
re: Are Your IT Pros Abusing Admin Passwords?
LINUX, Windows (Vista) and OS-X all allow switching users from a locked screen. I suggest updating clients. If Windows is more secure than your current system, you need to do some work.
TFoire
50%
50%
TFoire,
User Rank: Apprentice
10/19/2011 | 5:46:40 PM
re: Are Your IT Pros Abusing Admin Passwords?
Passwords are shared because, more often or not, they have to be.

For example: We have shared computers throughout our hospital. HIPAA requires systems to be locked when not in use so we have GP set to lock them automatically. The problem is that only the current user or an administrator can unlock the system. Usually the current user is nowhere in sight. The choice is to give users admin privileges, share passwords or use products like Unlock Administrator ( http://www.e-motional.com/ULAd... ) give regular users the ability to unlock systems. The first option is bad, the second debatably worse and the third is not free. Pick your poison.

T
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.