So who can have access to information, and why, in spite of all the security that organisations have in their IT infrastructure, is this still a daily occurrence? In a recent Cyber-Ark survey of large enterprises, over 50% of organisations admitted to rarely, if ever, changing the passwords for shared accounts in their infrastructure.
In general it appears that security staff are unaware of the extent of the risk. Most are under the impression that privileged identities are limited to a few systems or processes in an organisation. And yet even a cursory glance reveals that in most enterprises the shared accounts that require passwords constitute more than 50% of all accounts in the enterprise.
The result is a class of credentials that are open to abuse and mismanagement. They are not changed as frequently as enterprise policy requires, mainly because of the overwhelming amount of work that must follow each change: notifying administrators, updating scripts and applications, and setting the new passwords in the services that use them. There is no accountability for their use, since they are commonly shared. They are often weak and easy to remember. And as a result of the above, the enterprise is regularly driven to set the same password for hundreds or thousands of accounts, making them extremely prone to the domino effect. All of that makes these non-personal accounts a real vulnerability and a substantial threat to any enterprise.
Even more revealing was the admission that although 99% of enterprises enforced password changes for users on their PCs, only 1% changed the administrator password on the same devices, and in the vast majority of cases the administrator password was the same on every PC in the company. In many enterprises today the task of system management has been outsourced, including the installation and provisioning of employees' workstations, with the result that these administrative passwords are controlled by third parties.
How often, for example, are users forgetting passwords and asking for IT support to help them reset, and then carrying on doing their work totally oblivious that their every action is now vulnerable to being monitored?