
One stat that you can't ignore

By Calum Macleod, European director at Cyber-Ark, distributed in SA by NGS

Johannesburg, 10 Oct 2008

We're bombarded by statistics every day of our lives. For example, I have just learnt that 25% of drivers using satellite navigation have driven a one-way street the wrong way by accident. It's little wonder, then, that many people tune out from the barrage of numbers or treat them with scepticism.

Over the past couple of years, there has been an endless stream of figures about the threat that insiders pose for information security - yet the vast majority of IT security officers appear to be oblivious to them. One statistic that can't be argued against is that right now at least one organisation somewhere in the world is becoming the victim of the malice, the neglect or the outright stupidity of a member of its IT staff.

Over the past few months, there have been numerous instances of IT staff abusing their privileges throughout the world from South Africa to San Diego and San Francisco. The problem springs from a lack of control and proper process within the organisation.

In the case in San Diego, an IT specialist deleted patient and allied data from his former employer's computer systems. In San Francisco, a computer network administrator for the Department of Technology tampered with the network, which contains the city's sensitive data, and created an administrative password that gave him exclusive administrative access. It will reportedly cost millions to fix.

According to the Burton Group: "Privileged accounts can bypass most internal controls to access confidential information and cause denial of service attacks either by deleting data or rendering applications inoperable. In many cases, unauthorised users can use privileged accounts to cover their tracks by destroying audit data."

The challenge is to ensure proper use of such privileged accounts. The challenge, as articulated by Gartner, is that "Shared superuser accounts, which are generally system-defined in operating systems, databases, network devices and so on, pose significant risks when the passwords are routinely shared by multiple users. So, too, do shared firecall accounts, which are used to deal with critical problems outside normal working hours, when passwords are managed using fragile manual processes."

Forrester states in a recent report that "to manage shared account passwords in a controlled and accountable way, an organisation must first establish an appropriate process. Spreadsheets, sealed envelopes, printouts, sticky notes, and other old-fashioned ways of managing access and passwords on sensitive systems don't scale, don't provide sufficient levels of security, and don't provide enough auditing details that today's auditors require."

Thanks to the work of analysts and the recent plethora of regulations, internal IT practices are increasingly coming under the scrutiny of auditors. Whatever sector you find yourself in, the likelihood is that you will be required to submit to a compliance and regulatory audit.

An audit will use your policies and test their effectiveness. Improper policies will result in non-compliance, and not adhering to the policy will certainly result in non-compliance. Responsiveness to auditors' requests demonstrates effective controls, so it is essential that an organisation has the processes in place to ensure timely responsiveness. Delaying or not responding to audit requests will result in a failure.

So what is the auditor going to be looking for? Some pointers based on past experience might help:

* Make sure that you have an automated reporting system. Writing changes on paper will not be well received.

* Categorise systems based on how critical they are and the sensitivity of the data they may store. Ensure you are able to prove that your policies provide for:
  * automatic password changes on a regular basis;
  * passwords to be changed automatically when requested;
  * passwords to be changed automatically a short time after checkout, e.g. 30 minutes;
  * passwords to be changed automatically between each usage, so that, if required, only one person at a time can have access;
  * regular verification of passwords, so that you can show no unauthorised change to a password has occurred.
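To make the checkout policies in the list above concrete, here is a small Python model, added for this article and not Cyber-Ark's product code: it enforces exclusive checkout, rotates the password on check-in and again 30 minutes after checkout if it is never returned, verifies the target against the vault copy to catch out-of-band changes, and keeps the append-only audit trail the auditor will ask for. The account name, user names and the `FakeClock` are constructed for the example.

```python
import secrets
from datetime import datetime, timedelta

# Constructed model of the checkout policies above; not Cyber-Ark's product code.
ROTATE_AFTER_CHECKOUT = timedelta(minutes=30)   # the article's "e.g. 30 minutes"

class FakeClock:                                # adjustable clock, so the timeout runs offline
    def __init__(self): self.now = datetime(2008, 10, 10, 9, 0)
    def __call__(self): return self.now
    def advance(self, minutes): self.now += timedelta(minutes=minutes)

class PrivilegedAccountVault:
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}   # name -> {"password", "holder", "checked_out_at"}
        self.audit = []      # append-only trail: the record an auditor asks to see
    def _log(self, event, account, who=None):
        self.audit.append((self.clock(), event, account, who))
    def _rotate(self, name, reason):
        self.accounts[name]["password"] = secrets.token_urlsafe(24)
        self._log(reason, name)
    def add_account(self, name):
        self.accounts[name] = {"password": None, "holder": None, "checked_out_at": None}
        self._rotate(name, "created")
    def checkout(self, name, user):  # exclusive: None (and a log entry) if already held
        acct = self.accounts[name]
        if acct["holder"] is not None:
            self._log("checkout_denied", name, user)
            return None
        acct["holder"], acct["checked_out_at"] = user, self.clock()
        self._log("checkout", name, user)
        return acct["password"]
    def checkin(self, name, user):   # release, then rotate: changed between each usage
        acct = self.accounts[name]
        if acct["holder"] != user:
            return False
        acct["holder"], acct["checked_out_at"] = None, None
        self._log("checkin", name, user)
        self._rotate(name, "rotated_after_use")
        return True
    def expire_stale_checkouts(self):  # rotate checkouts older than the limit, returned or not
        for name, acct in self.accounts.items():
            if acct["holder"] and self.clock() - acct["checked_out_at"] >= ROTATE_AFTER_CHECKOUT:
                acct["holder"], acct["checked_out_at"] = None, None
                self._rotate(name, "rotated_timeout")
    def verify(self, name, password_on_target):
        """Scheduled check that the target still holds the vault's password."""
        ok = secrets.compare_digest(self.accounts[name]["password"], password_on_target)
        self._log("verify_ok" if ok else "verify_mismatch", name)
        return ok
```

A real deployment pushes the rotated password to the target system inside `_rotate`; here the vault copy stands in for it so the policy logic can run offline.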

Compliance shouldn't be your only concern, however. You should also be thinking about the reputation and financial health of your business. An organisation somewhere is currently suffering from improper use of its systems due to the misuse of privileged accounts. That's a stat you can be sure of.

NGS is Cyber-Ark's distributor in SA.


NGS

NGS specialises in providing software, services and solutions that address internal security threats within companies of all sizes. A subsidiary of JSE-listed SecureData Holdings, NGS has established itself as South Africa's authority in securing organisations' information from threats from within.

The company's services stretch from helping clients to identify and assess internal information security risks, through to designing, implementing and supporting the solutions that allow enterprises to secure their systems from insider threats. NGS has partnered with a range of best-of-breed vendors, including Websense, ActivIdentity and Cyber-Ark, to offer its clients complete, proven solutions for their internal security needs.
