Privileged Identity Management News Line November 2011

Top of Mind

How Do You Handle Password Spreadsheets?

Philip Lieberman, President & CEO
Lieberman Software

We all know that the number one password management solution is the trusty sticky note. You write down your complex password on the sticky note, and then hide the note in a place you can find it (hopefully not on your monitor).

The second most popular way to store commonly used credentials (such as root, administrator, sa, etc.) is to put them all on a spreadsheet and then share that spreadsheet with those that need access to the credentials on the spreadsheet. For better security, some companies create different spreadsheets for different parts of the organization.

Why Do Auditors Hate Password Spreadsheets?

Spreadsheets drive your auditors crazy because there is no way to know who has seen the passwords on the spreadsheets, when they saw the info, nor is there generally any way to control access to part of a spreadsheet, much less track when/if passwords get changed.

Why Support Password Spreadsheets If We Have Full Password Automation?

Simple: not every company is ready or can afford to switch over from spreadsheets to a fully automated privileged identity management.

Many companies need to migrate off of publicly shared password spreadsheets, to something that is more secure, and then have a path to automation when they are finally ready. IT budgets, resources, and expertise may be limited, so the best solution is to migrate the spreadsheets to a secure solution to meet minimum regulatory requirements, then move up to an automated solution later.

Password Spreadsheet Manager

At the Gartner Identity and Access Management Summit on 14 September 2011, we announced a new product offering known as Password Spreadsheet Manager (PSM).

PSM allows you to seamlessly import your spreadsheets in minutes to a safe, secure and encrypted database (Microsoft SQL Server or Oracle 11g) that provides easy web based audited and delegated access to the rows in your formerly shared spreadsheets.

How is Password Spreadsheet Manager Different From Competitor’s Products?

Our objective was not to create another “secure” file vault - these suffer from the same flaws as a shared spreadsheet: lack of detailed spreadsheet row level tracking. Without detailed row-level tracking, the solutions from competitors provide little improvement over spreadsheets kept on Microsoft SharePoint.

PSM’s Objective: take the insecure and prevalent methodology of shared password spreadsheets and convert it into a row-level secure and auditable shared database with all of the scalability, security, and broad systems integrations you would expect from an enterprise quality application.

PSM provides all of the things you need for security such as workflow approvals, multi-factor authentication, role-based authorizations, and integrations to trouble ticket systems, loggers, and SIEM systems. This product also integrates with the products of our privileged user management (PUM) and session monitoring partners including: FoxT, Balabit, ObserveIT, and Viewfinity.

A Path To The Future

Converting from insecure password spreadsheets to PSM allows you to quickly provide secure access and management to shared credentials. Depending on your industry, it may be necessary to regularly change credentials, as well as immediately after disclosure or employee turnover. With PSM, the password changes must be done manually as required using either labor or scripts.

When a customer wishes to automate the local password change process after disclosure, PSM can be upgraded to our Random Password Manager product. If you have the more complex scenario of changing not only credentials, but also where they are also used in the middleware/application stack, you can upgrade to our flagship privileged identity management product: Enterprise Random Password Manager.

What do you think? Email me at: phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Tech Tip of the Month

Take Control of Your Windows Systems

Learn how to execute mass changes to security settings on thousands of Windows systems simultaneously in a single operation without scripts. Get configuration and security reports on all Windows machines on the network in minutes using User Manager Pro Suite. Here’s how.

Events / Press / Analysts

WEBINAR: Enterprise Windows Security Management with User Manager Pro Suite. November 22, 2011 @ 11am PT. Learn how to use our product User Manager Pro Suite to report on and remediate rogue local user accounts, improper group memberships, unauthorized shares, weak permissions, registry entries, BIOS settings, WMI reporting and more.

WEBINAR: Managing Database Administrator Credentials. November 23, 2011 @ 11am PT. Learn how to easily find SQL Server instances on your Windows systems, find their accounts, change credentials and propagate new credentials to connection strings in seconds. See how Enterprise Random Password Manager (ERPM) can be used to manage the credentials and connection strings of other database engines.

WEBINAR: Effectively Managing Windows Services, Scheduled Tasks and COM objects. December 1, 2011 @ 11am PT. Proper maintenance of Windows Services, Scheduled Tasks and COM objects across thousands of computers can be such a large task that it never gets done. Our tools allow you to update credentials or change configuration across thousands of machines in just a few minutes. Attend our free webinar and see how quickly you can get the job done.

WEBINAR: Windows Privileged Identity Management. December 7, 2011 @ 11am PT. Learn how ERPM can be used to automatically find machines, accounts and their usage, reliably propagate password changes, and delegate access to sensitive credentials on the Windows platform. Integrate into SIEM and trouble ticket systems to alert you to out of compliance situations.

WEBINAR: Self-Service Passwords Resets and Password Synchronization, The Easy Way. December 8, 2011 @ 11am PT. Users forgetting their passwords is always the number one load on the Help Desk. Automating the solution to this problem can save money and free up Help Desk staff to address more critical user problems. See how our self-service password reset and password synchronization products can eliminate users calling the Help Desk for password resets.

WEBINAR: Linux/UNIX Privileged Identity Management. December 14, 2011 @ 11am PT. Learn how ERPM can be used to automatically find machines, accounts and their usage, reliably propagate password changes, and delegate access to sensitive credentials on the Linux/UNIX platforms. Integrate into SIEM and trouble ticket systems to alert you to out of compliance situations.

Common Access Card. Enterprise Random Password Manager (ERPM) supports multi-factor authentication through the Common Access Card (CAC). Leading regulatory mandates – including the Consensus Audit Guidelines (CAG) and others – require use of multi-factor authentication for accessing highly privileged accounts.

Tech Insight: Managing Privileged Accounts. Dark Reading. Strategies for identifying, managing, and auditing privileged accounts.

Lieberman Software says chemical company hacker attacks could have been prevented. bobsguide. Commenting on reports from Symantec that hackers targeted nearly 30 companies in the chemical industry this summer with the intent of stealing sensitive IP (intellectual property), Lieberman Software says that this latest cyber crime wave cries out for privileged identity management technology.

GSN 2011 Awards Countdown: Hot contest in ‘privileged access management’ category. Government Security News. No fewer than six finalists have been named in the IT Security category called “Best Privileged Access Management Solution,” and the winner will be identified at GSN’s homeland security awards dinner in Washington, DC, on November 14.

Should you share breach information? Network World. When companies suffer a security breach today they face that core dilemma: Tell the world and hope the honesty helps others, or keep it under wraps to avoid tarnishing the brand and duck possible lawsuits? One thing is clear from the arguments below: It is time for the government to take the guesswork out of the equation.

Are Your IT Pros Abusing Admin Passwords? InformationWeek. One in four IT professionals know of a coworker who has used privileged credentials to snoop. Worse, 25% of superuser passwords don't pass basic security test.

Password Misuse Could Be Root Cause of Hacking Spike. IT Business Edge. In 2011, Lieberman Software surveyed more than 300 IT professionals for their insights into password practices and security outcomes. Portions of the survey focused on the numbers of passwords in use, sharing of privileged passwords, organizational security and other areas. The survey revealed that 48 percent of IT security professionals have worked for organizations whose network has been breached by a hacker. The results also paint a vivid picture of password chaos amongst IT staff and apathy about password security among senior management.