V Balasubramanian at ManageEngine reveals that many IT professionals in the Middle East demonstrate a worrying disregard for secure password management and urges the adoption of managed password solutions.
Though all IT organizations in the Middle East show serious interest in tightening security controls; when it comes to securing the privileged passwords, IT professionals seem to be not paying much importance, and are following flawed practices.
Real-time IT Management company ManageEngine’s interaction with a cross-section of the visitors at GITEX Technology Week, 2014 underway at Dubai reveals that organizations concentrate more on perimeter security and tend to ignore the most important aspect of privileged passwords security, which is fundamental to information security.
More than 70 per cent of the respondents said that they were storing administrative passwords, which grant unlimited access to IT assets, in plain text on volatile sources such as sticky notes, spreadsheets, printouts, and text documents. 35 per cent of the respondents said that they were either using the same password on many IT systems or were alternating a set of existing passwords on different systems.
More than 40 per cent of the respondents said that they were frequently sharing passwords among technicians through emails and phone calls. Only 9 per cent of the respondents said that they were changing the passwords of their IT systems once a month. Others were allowing passwords to remain unchanged for an extended period, though they change them at their own convenience. 90 per cent of the respondents said that they were conducting only manual audits to check if IT systems have been assigned with weak or factory default passwords.
Such flawed password management practices could make the organizations a paradise for hackers, both inside and outside the organization. Many security incidents and data breaches actually stem from lack of adequate password management policies and internal controls.
Identity theft often lies at the root of modern-day cyber attacks. To gain access to IT resources, cyber criminals use various techniques, including phishing attacks and obtain employee login credentials and administrator passwords. As organizations are drowning in an ever-increasing number of passwords, the risks involved are quite high. Especially, passwords kept on spreadsheets result in a host of security issues. Here are some high-risk factors and scenarios:
- Unrestricted or uncontrolled access— There is rarely any internal control on password access or usage. Technicians get unrestricted access to all the passwords.
- Unaudited access with no trace of “who” accessed— Privileged passwords remain impersonal in shared environments. Mistakes, whether accidental or deliberate, can never be traced to the offender. There is generally no way to track “who” accessed “what” and “when.” This allows people to remain unaccountable for their actions.
- Temporary access becomes permanent— Passwords are given out orally or by emails to users who need a privileged password on a temporary basis. Such a practice can be huge security hazard when there is no process to revoke temporary access and reset the password after usage.
- Technician leaves the organization, takes the passwords— When a technician leaves the organization, the technician may take a copy of all the passwords. The only solution to such a scenario is to change all the privileged passwords of all the clients.
- Passwords fall into malicious hands— If the text file or spreadsheet containing the administrative passwords reaches a malicious individual, client networks could be in jeopardy.
- Passwords remain unchanged for ages— Passwords of even the most sensitive resources like firewalls remain unchanged to prevent lockouts. Manually changing the passwords of thousands of resources can be time-consuming. Worse, most resources are assigned the same, non-unique password for ease of coordination among administrators.
To combat ever-increasing cyber attacks, organizations should focus on securing privileged passwords, controlling and monitoring privileged access, and adopting stringent security best practices. They can easily achieve a high level of security by using privileged password management solutions. In the absence of an appropriate management tool, password management can become quite cumbersome.