When it comes to managing privileged passwords, a common first misstep is to import all Administrator or shared IDs into a system built for managing human identities. The benefit of this approach is that you can quickly start to update your organization’s privileged passwords automatically. The downside? Your organization still has no way of assigning individual responsibility. For example, the reports will show that the “Administrator” identity downloaded your database of top clients at 1:47 AM on Sunday morning. You won’t be able to tie that action, or its consequences, to a particular individual.
To deliver true accountability, your system for Privileged Password Management (PPM) must tie an individual identity to every use of a shared account. This is incredibly sensitive data, a hacker’s dream list of all your privileged passwords, so it must be stored in an exceptionally secure place. IAM solutions are not designed to vault secrets of this sensitivity and typically partner with a PPM solution to handle the privileged accounts and passwords.
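The attribution problem above, shown as an added example (not code from the original article or from any PPM product): a vault that makes individuals check a shared account out and back in produces a ledger of who held which account when. Joining the anonymous “Administrator downloaded the database at 1:47 AM” audit event against that ledger names the person; with no ledger, the function returns None, which is exactly the gap an IAM-only deployment leaves. The account names, users, timestamps and the event itself are constructed sample data, and the ledger format is an assumption for the example.

```python
from datetime import datetime

# Constructed checkout ledger (hypothetical data): which individual had the
# shared account checked out, and during what window. A PPM vault would
# produce this from its check-out/check-in log; this sample is made up.
CHECKOUT_LEDGER = [
    {"account": "Administrator", "user": "alice", "start": "2024-03-10T01:30", "end": "2024-03-10T02:15"},
    {"account": "Administrator", "user": "bob",   "start": "2024-03-09T22:00", "end": "2024-03-09T23:45"},
    {"account": "root",          "user": "carol", "start": "2024-03-10T01:00", "end": "2024-03-10T03:00"},
]

# Constructed audit event of the kind the text describes: the shared identity
# acted (1:47 AM on Sunday, 2024-03-10), but the event names no person.
AUDIT_EVENT = {
    "identity": "Administrator",
    "action": "download top_clients.db",
    "time": "2024-03-10T01:47",
}


def _ts(s):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(s)


def holders_at(account, when, ledger=CHECKOUT_LEDGER):
    """Return the individuals who had `account` checked out at time `when` (ISO 8601)."""
    t = _ts(when)
    return [
        c["user"] for c in ledger
        if c["account"] == account and _ts(c["start"]) <= t <= _ts(c["end"])
    ]


def attribute(event, ledger=CHECKOUT_LEDGER):
    """Resolve a shared-account audit event to one accountable person.

    Returns the user name, or None when the vault has no matching checkout
    (the event is unattributable). Raises if more than one person held the
    account concurrently, because then no single individual is accountable:
    a vault should enforce exclusive checkout precisely to avoid this.
    """
    users = holders_at(event["identity"], event["time"], ledger)
    if not users:
        return None
    if len(users) > 1:
        raise ValueError(f"ambiguous: {users} all held {event['identity']} at {event['time']}")
    return users[0]


if __name__ == "__main__":
    who = attribute(AUDIT_EVENT)
    print(f"{AUDIT_EVENT['identity']} {AUDIT_EVENT['action']} at {AUDIT_EVENT['time']} -> {who}")
```

Run as a script it prints `alice` for the 1:47 AM event; the same event with a timestamp outside any checkout window resolves to None, which is the state every shared-account event is in when no PPM ledger exists.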
3. Apply Change Policies to Privileged Passwords
This may sound obvious, but you’d be surprised how often policies for privileged passwords are less explicit than those for their human counterparts. For instance, you may be required to change the password on your laptop every 30 days, yet surveys show that the same workstation has a 20% chance of NEVER having had its Administrator ID changed from the default (Source: Cyber-Ark Enterprise Privileged Password Survey). In other words, if you lost your laptop, the finder may not know who you are or what company you work for, but they can search the web for the default Administrator password that ships with a Dell Latitude D600. Within seconds, your laptop’s new owner will have more access to your systems than you do.
We suggest writing an explicit policy that names every password type uncovered during your privileged password internal survey and spells out the update policy for each. Best practice dictates that these policies be at least as stringent as those for individual employees.
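A compliance check for the policy just described, as an added example (not code from the original article): a per-type maximum password age, a test that no privileged type is rotated less often than the human-user policy, and an audit of an account inventory that flags the two failure modes the text calls out, a password never changed since the account was provisioned (the laptop Administrator case) and a password type the survey found but the policy forgot. The password types, rotation limits, account names and dates are hypothetical sample data constructed for the example; a real run would feed it an inventory exported from the directory or the vault.

```python
from datetime import datetime

# Maximum password age in days. The human-user limit and the per-type
# privileged limits below are hypothetical values chosen for this example.
HUMAN_MAX_AGE_DAYS = 30
PRIVILEGED_POLICY = {
    "local_admin": 30,
    "domain_admin": 30,
    "service_account": 90,
    "app_to_app": 60,
}

# Constructed inventory (hypothetical): account name, password type from the
# internal survey, provisioning date, and when the password was last set
# (None if the source system has no record).
INVENTORY = [
    {"name": "LAPTOP-17\\Administrator", "type": "local_admin",     "created": "2023-01-05", "last_set": "2023-01-05"},
    {"name": "CORP\\svc-backup",         "type": "service_account", "created": "2022-06-01", "last_set": "2023-11-01"},
    {"name": "CORP\\Administrator",      "type": "domain_admin",    "created": "2020-02-02", "last_set": "2024-02-20"},
    {"name": "crm-db-app",               "type": "app_to_app",      "created": "2023-09-09", "last_set": None},
    {"name": "legacy-oracle",            "type": "unknown_type",    "created": "2019-01-01", "last_set": "2023-12-01"},
]


def _d(s):
    """Parse an ISO 8601 date string."""
    return datetime.fromisoformat(s)


def looser_than_human_policy(policy=PRIVILEGED_POLICY, human_max=HUMAN_MAX_AGE_DAYS):
    """Password types rotated less often than human users' passwords.

    The text's rule is that privileged policy must be at least as stringent,
    so anything returned here is a policy defect, not an account defect.
    """
    return [t for t, days in policy.items() if days > human_max]


def audit(inventory=INVENTORY, policy=PRIVILEGED_POLICY, as_of="2024-03-10"):
    """Return {account name: finding} for every account that violates policy."""
    now = _d(as_of)
    findings = {}
    for acct in inventory:
        max_age = policy.get(acct["type"])
        if max_age is None:
            # A type the survey found but the written policy does not name.
            findings[acct["name"]] = "NO_POLICY"
            continue
        if acct["last_set"] is None or _d(acct["last_set"]) <= _d(acct["created"]):
            # Never rotated since provisioning: still at its default/initial password.
            findings[acct["name"]] = "NEVER_CHANGED"
            continue
        age = (now - _d(acct["last_set"])).days
        if age > max_age:
            findings[acct["name"]] = f"STALE:{age}d>{max_age}d"
    return findings


if __name__ == "__main__":
    for t in looser_than_human_policy():
        print(f"policy defect: {t} rotates every {PRIVILEGED_POLICY[t]}d, humans every {HUMAN_MAX_AGE_DAYS}d")
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

Against the sample inventory the audit flags the laptop Administrator and the application account as NEVER_CHANGED, the backup service account as stale, and the legacy database account as having no policy at all; the policy check separately reports that the service-account and app-to-app intervals are looser than the 30-day human limit.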
4. Make Sure Privileged Passwords are Stored Securely
Again, this may seem obvious, but it is imperative that organizations store their privileged passwords in the most secure vaulting system available. Sealed envelopes, locked binders, an encrypted file, or wallet-sized cards are NOT acceptable alternatives (and yes, I have seen all of these in use at real-world enterprises).