Low Hanging Fruit: Fixing Big Security
Problems in Minutes or Short, High-Return Projects
President & CEO
For those that get the whirlwind tour of Enterprise
Random Password Manager (ERPM), it is not uncommon to be
overwhelmed with the vast scope of the product’s coverage. Given that
the product can do so much, many customers become frozen because they
have no plan as to what to do first.
In this month’s Top of Mind I will try to give you a simple security
improvement attack plan that is fast and easy – where each project
takes a day or less to accomplish and yields permanent closure of
Politics vs. Technical vs.
Improving the handling of superuser credentials is not always easy to
implement because many of the changes require not only the introduction
of technology, but also changes in operational processes that can cross
many political, financial and power fiefdoms. When deciding on the
following projects, consider not only the technical difficulties (none
are that great) as well as
the politics behind the introduction of a new security control
Probably the easiest and highest return project to do technically is
the conversion of existing password/secrets spreadsheets (generally
shared and unaudited as to usage) into encrypted and delegated access
data. You can use our standalone Password
Spreadsheet Manager (PSM),
Password Manager (RPM) products for this project.The PSM feature is
included in ERPM and RPM at no
extra charge. The end result is controlled access to all of your
spreadsheet password/secret data at a very granular level in less than
We have had customers import over 500 existing password spreadsheets
into the product and put this into production in less than 4 hours, so
it can be done quickly.
The project consists of converting existing spreadsheets from their
native format (i.e. Microsoft Excel XSL/XSLX format) into CSV (comma
separated value) format. The CSV files are imported directly into the
ERPM console with about three or four mouse clicks (easy and quick). To
finish up, you then set the permissions for the imported spreadsheet
data – a little time consuming and politically charged regarding who
gets access to which secrets.
Tips and Techniques
1) You can import more than one spreadsheet at a time in one file
import step. In the documentation for the CSV file format, you will see
that you can add an extra column of data to the CSV file that contains
the name of the spreadsheet for each row of data. This trick allows you
to create a gigantic single CSV file and each row of data will drop
into the correct encrypted area based on the last column value
2) Setting complex permissions on many spreadsheets can be labor
intensive. To make this setting of permissions easier, first set the
permissions on a single imported CSV file by hand. Export the
permissions for the just-created spreadsheet into CSV format, and use
this file as a template for the rest of the spreadsheets. You can open
that exported CSV permissions file as a spreadsheet and expand entries
to cover all of your spreadsheets using spreadsheet magic. The
resulting spreadsheet of permissions can be saved as a CSV file and
imported into our program in just a few seconds. We hate repetitious
work and like automation a lot, which is what we provide to speed up
Converting from spreadsheets containing static secrets to a fully
audited and controlled access system where each line in the spreadsheet
is now an encrypted and delegated secret is a fast project that
generally takes less than a day. As a side note, we don’t charge by
users, administrators, spreadsheets or secrets, so you can load in as
many spreadsheets as you want without additional charges. Imagine:
getting rid of spreadsheet-based secrets and making your auditors happy
in less than a day with no extra licensing costs… and, secret storage
requires very little database power and almost no CPU usage on your
Next Month’s Project:
Randomizing Local Administrator Passwords
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity
Week blog this month includes:
in the German IT Market – An Interview. IdentityWeek recently had
an opportunity to sit down with Andreas Görög, CEO of IBV Informatik
GmbH – an IT security solutions provider headquartered in Germany
– about his insights on the current state of the IT market in Northern
Europe and what to expect in coming years...
- U Is For UTM. Guest
Commentary by Pierluigi Stella, CTO, Network Box USA. A recent
article in Dark Reading caught my attention, because I have been saying
the precise same thing for 13 years now. The idea for unified threat
management (UTM) has always been that an effective response against
blended threats can only come from blended security. And there is
absolutely no way to blend security when you are dealing with 10
different devices – most likely originating from 7 different vendors,
with not a single one of them integrated with each other...
Events / Press /
My Tech!: Navigating the nightmare of multiple logins, passwords.
The Salt Lake Tribune. Whenever I go to the home of a friend or
relative to try to make things right on their computers or software,
invariably the biggest obstacle I run into is being able to access what
needs fixing. That’s because invariably whomever I’m helping can never
remember the login and password he or she uses. For example, I recently
spent two more hours than I needed to working on my cousin’s iPad
because she couldn’t remember the passwords for either her email or
publish 450,000 unencrypted Yahoo login credentials. FierceCIO
TechWatch. Yahoo has become the latest online service to suffer
a massive password breach. Hacking group D33D Company has publicly
posted more than 450,000 login credentials belonging to the Yahoo
Contributor Network on its website. The hackers claimed to have used an
SQL injection technique to extract the data, which contains passwords
which are unencrypted.
staff despair about crooked outsourcing. TechEye.net. Dodgy
work, dodgier invoices. In-house IT professionals take a dim view of
the jobs undertaken by outsourced workers, labeling outsourcing a
“money pit” and blasting claims of a value return.
banking systems failure – who is to blame? IT Security Pro. Commenting
on BBC business editor Robert Peston’s comments about the RBS/NatWest
account access debacle on BBC Radio 4′s Today programme yesterday,
Lieberman Software says that the incident highlights the reliance that
many large organisations have on software code – and systems – that are
well past their sell-by dates, and that banks don’t have the incentive
3 Insecure Password Management Practices. eSecurity Planet.
Even good admins sometimes do bad things with passwords. Spotting these
risky IT practices in your organization is a first step to a more
secure password management strategy.
Tech Tip of the Month
to ERPM 4.83.4 or RPM 4.83.4!
If you are an existing Enterprise Random Password
Manager (ERPM) or Random Password Manager (RPM) customer, we STRONGLY
recommend you upgrade to the new version. There is so
functionality and flexibility in this release. Download the new
installer package, run it, and upgrade the website - it's that simple!
To upgrade, please contact your account manager for the download link.