Top of Mind
Security Secrets Your IT Administrators Don't Want You to Know
An Infosecurity Commentary
Philip Lieberman, President & CEO, Lieberman Software
As valued members of your organization, IT administrators work every
day to keep your infrastructure up and available. But in today’s rush
to contain operational costs, your IT administrators could be taking
more shortcuts than you’d expect. And perhaps no aspect of IT suffers
more from cutting corners than security.
Here are five facts about IT security that your administrators probably
don't want executives and employees to know.
Most Passwords Never Change
Sure, regulations may call for frequent password changes on all
accounts in your infrastructure. Even though your IT administrators may
be tasked to change passwords on a regular basis, your organization
probably lacks the automation to reliably change what could be
thousands of the passwords that matter most.
Sensitive accounts such as administrator logins, embedded
application-to-application passwords, and privileged service accounts
often keep the same passwords for years because IT staff may not have
the tools to track and change them. And, because systems and
applications often crash when IT personnel attempt to change
interdependent credentials, many of your organization’s most privileged
logins can go unchanged for extended periods of time.
Ad-hoc change processes and handwritten scripts might succeed in
updating the passwords of some types of privileged accounts, but unless
your organization has invested in privileged identity management
software, you can bet that many of the passwords that grant access to
your organization’s most sensitive information are never changed. This
means that access to this data will continue to spread over time.
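As an added illustration, not taken from the commentary above or from any Lieberman Software product, here is a small Python audit that runs over a constructed account inventory of the kind a directory query or password-management tool would export. It flags privileged passwords older than a policy maximum and separates the service and embedded credentials, whose dependants must be mapped before rotation, from admin logins that can be changed directly. Column names, account names and dates are all made up.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample inventory (not real data): what a directory query or
# privileged-password tool might export. Names and dates are made up.
SAMPLE_EXPORT = """account,kind,pwd_last_set
Administrator,admin,2006-03-14
svc-backup,service,2008-11-02
app-erp-dbconn,embedded,2009-07-21
jsmith,user,2011-01-20
helpdesk-admin,admin,2010-12-01
"""

PRIVILEGED_KINDS = {"admin", "service", "embedded"}  # the accounts that matter most

def parse_export(text):
    """Parse the CSV inventory; pwd_last_set becomes a date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["pwd_last_set"] = datetime.strptime(
            row["pwd_last_set"], "%Y-%m-%d").date()
        rows.append(row)
    return rows

def stale_privileged(rows, as_of, max_age_days=90):
    """Return (account, kind, age_in_days) for every privileged account
    whose password is older than max_age_days, oldest first."""
    findings = []
    for row in rows:
        if row["kind"] not in PRIVILEGED_KINDS:
            continue
        age = (as_of - row["pwd_last_set"]).days
        if age > max_age_days:
            findings.append((row["account"], row["kind"], age))
    return sorted(findings, key=lambda f: f[2], reverse=True)

def rotation_plan(findings):
    """Split findings into admin logins that can be rotated directly and
    service/embedded credentials whose dependants must be mapped first."""
    direct = [f for f in findings if f[1] == "admin"]
    map_dependants_first = [f for f in findings if f[1] != "admin"]
    return direct, map_dependants_first

if __name__ == "__main__":
    found = stale_privileged(parse_export(SAMPLE_EXPORT), date(2011, 2, 1))
    for account, kind, age in found:
        print(f"{account:16} {kind:9} password unchanged for {age} days")
```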
Too Many Individuals Have Too Much Access
Regardless of your written policies, highly privileged account
passwords are almost certainly known to large numbers of IT staff. For
the sake of convenience, chances are these logins have been shared with
individuals outside of IT.
As a result, contractors, service providers, application programmers, and
even end users are likely able to gain privileged access using
credentials that may never change. Unless you’ve got technology in
place to track privileged logins, delegate access, and change these
powerful credentials after each time they’re used, then you’ll never
know who now has access.
Your CEO’s Data Isn’t Private
With all the recent headlines about corporate and government data
leaks, you might still be surprised to know how many individuals have
access to the files on your executives’ computers, and to the data
resident in the applications that senior managers use every day. Anyone
with knowledge of the right credentials can gain anonymous access to
read, copy and alter data.
In many cases these credentials are known not only to senior IT
managers, but also to IT rank and file and others. It’s more than
likely that your $12-per-hour help desk workers have access to more
sensitive data than does your CFO. And your subcontractors located
around the world? It’s likely that they can access the CEO's account,
too.
IT Auditors Can Be Misled
If your administrators know about security gaps or failed policies that
your IT auditors haven’t discovered, then they’ll likely try to take
the knowledge to their graves. IT staff have limited time to complete
higher-visibility projects that influence performance ratings and
paychecks, so in most cases you can forget about them fixing any
security holes that your auditors fail to notice.
Security Often Takes a Back Seat
Is your IT administrators’ pay structure tied to security? No? Then
they’re probably not as proactive as you might expect when it comes to
securing your network. Most IT administrators won’t tell you about the
security vulnerabilities they discover in the course of their jobs
because they’re not paid to fight losing battles to gain resources
necessary to close each security gap.
Because pay packages are rarely tied to safeguarding your network, your
IT administrator is also probably not taking the initiative to update
his or her technical skills when it comes to security. As a result,
even when budgets allow for purchases of new security technologies,
your staff may have no clue how to effectively use these new tools.
Bring IT Into Balance by Enforcing Accountability
Fundamentally, the security of each organization hinges on how well IT
balances convenience with controls and accountability. All too often IT
is given free rein to operate under its own rules when it comes to
security and resists working under the same types of controls that
apply to others in the organization.
Those organizations that work to bring IT into balance – introducing
accountability through segregation of duties and adequate auditing
controls while providing sufficient resources and incentives to provide
proactive security – will come out ahead.
What do you think? Email me at: phil@liebsoft.com.
Tech Tip of the Month
Lock Out Malicious Software and Unauthorized Programs
User Manager Pro Suite is well known for
its ability to modify and report on numerous security configuration
settings on multiple Windows machines collectively. But did you know
that one of its most valuable attributes is its patented technology to
block malicious software and other unauthorized applications from
executing on client systems? Here’s how.
What's New in Identity Week
Featured commentary on our Identity Week blog this month includes:
- The Truth About Online Privacy. Guest Commentary by Wes Miller, VP at
Directions on Microsoft. Last year online privacy became the hot topic –
at least among privacy and security pundits. But what, exactly, is
online privacy?...
- 12 Tips for Boosting Enterprise Security. It’s that time again. We’re
one month into the New Year, when we look back at the goals and
resolutions we set out to accomplish and were adamant we’d achieve...
- Is Uncle Sam’s “Trusted Identity” Plan a Good One? Recently, Matthew
Lasar wrote an article for Ars Technica talking about the potential for
a new national cybersecurity plan. United States Secretary of Commerce
Gary Locke is taking up the Obama administration’s efforts to enhance
online security and privacy and the next steps in meeting the
challenges of a growing cyber world according to a press statement...
Partner News
Lieberman Software and Q1 Labs Combine Privileged Identity Management
and SIEM to Bring Accountability to Enterprise Security
Lieberman Software Joins Q1 Labs Security Intelligence Partner Program
“This integration is
closing the loop on event management by providing visibility into the
real-time ownership and delegated access to sensitive accounts that
appear in Q1Labs QRadar's gathered events,” said Philip Lieberman,
president and CEO of Lieberman Software. “With this 360 degree view of
security events Lieberman Software and Q1 Labs can show not only what
is happening, but also who is behind the activity – effectively ending
anonymous access to privileged accounts.”
For details on this integration, please visit our Q1 Labs Integration
website.
Events / Press / Analysts
- RSA Conference. February 14-17, 2011. San Francisco, CA. Stop by our
booth: #529.
- InfoSec 2011. April 18-20, 2011. Orlando, FL. Visit us at Booth 308.
Get 10% off your registration by using the code OS11/VDIS when
registering!
- Partner Demo: Lieberman Software – Enterprise Random Password
Management Integration with SCSM. TechNet Blogs > System Center Service
Manager Engineering Team Blog. This is great for incident management
scenarios when someone needs to go fix a system but you don’t want them
to necessarily have carte blanche access to the sensitive account all
the time. This integration with Service Manager makes it easy to
associate password check-outs with particular incidents for
traceability. Further, it will log any event in the ERPM system you
choose into SCSM as an incident. For example, you could generate an
incident based on a failed login.
- Lieberman Exposes Super-User Activity to SIEMs. IT Jungle.
Organizations can feel a little more secure that their IT workers
aren't abusing powerful user profiles as a result of integration work
done by Lieberman Software and Q1 Labs. The two security software
companies teamed up to ensure that every use of Lieberman's Enterprise
Random Password Manager is tracked by Q1 Labs' security information and
event management (SIEM) software.
- What are banks not telling us about card fraud? Help Net Security.
Reports that a Russian hacker has pleaded guilty to ripping off
WorldPay, the online transaction processor, to the tune of $10 million,
have met with a grim smile by Lieberman Software.
- A Glaring Lesson In Shared Passwords. Darkreading. Vodafone's
embarrassing breach should serve as a wake-up call for enterprises that
also engage in the dangerous practice of credential-sharing. With
dissolution of channel partner contracts and staff firings under way,
as well as reactive executive orders snowballing from the corner
offices, Australian wireless carrier Vodafone is feeling the full force
of consequences stemming from the very common but unsafe practice of
allowing shared passwords within enterprise accounts.
- Poor security lands soap firm in hot water. Computing.co.uk. The web
site of bathroom products retailer Lush has fallen victim to hackers.
At the time of writing, the site displays the message: "We are sorry to
confirm that our website has been the victim of hackers" as its header.
- Verizon Challenges FCC Net Neutrality Authority. PCWorld. Verizon has
filed a lawsuit challenging the authority of the FCC to impose the net
neutrality rules approved last month. The question boils down to
interpreting the powers granted to the FCC by Congress, and Verizon is
hoping to find a sympathetic court that sees things its way.
- Security Blog. WindowsITPro. While the security software market tends
to be dominated by industry heavyweights like Symantec, Microsoft,
McAfee, Webroot, Trend Micro, and Sophos, Lieberman Software has
managed to carve out a profitable niche for its own security products.
- Russian Hacker Admits to Stealing $10 Million, Avoids Jail. Tech and
gadgets on msnbc.com. A Russian computer hacker who helped orchestrate
a $10 million international bank fraud will avoid jail and serve only a
five-year suspended sentence. Yevgeny Anikin, 27, was part of a
cybercriminal ring that in 2008 hacked into the electronic payment
service WorldPay, then owned by the Royal Bank of Scotland, and first
rigged it to raise customers’ maximum withdrawal limits. Then, using
cloned debit cards, Anikin and his team — in one 12-hour stint — stole
$10 million from more than 2,100 ATMs in 280 cities worldwide.