• Tech

    Tighten Up Privileged Access Now, or Hate Yourself Later

    By | May 3, 2016

    The 2016 Verizon Data Breach Investigations Report (aka: “DBIR”) is out and it isn’t pretty. Where to start…? Maybe by saying that 2015 heralded over 100,000 information security incidents — including 3,141 data breaches.

    If those numbers are not staggering enough, it’s more unnerving to realize this is the first time I have heard about the majority of these and most never got mainstream attention. (Remember Target in 2013?) It’s a sign of the times, and not a good sign.

    I find one sub-section of the report particularly appalling, especially as a former auditor. Try to guess the number of incidents that fit into the “insider and privilege misuse” category during 2015…

    It’s 10,489. Of those, 172 had confirmed data disclosure.

    Disgusting.

    And within the “insider and privilege misuse” category, over 65% dealt with privilege abuse. That’s way too many…

    “Super users” aren’t that super-duper when they are “behind your firewall, getting all up in your data,” according to the report. (Did I mention DBIR's cheeky language? I love it.) The data suggests that most of these incidents go unnoticed for months, even years. Yikes!

    The report recommends that you “make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree.” Common sense, right? Apparently, it’s easier said than done.

    For many who want to tempt fate, it's easier to have one generic privileged username and a single shared password. I get it, it’s convenient, even if it does set you up for an awkward chat with your auditor down the road. But nothing irks an auditor more than shared credentials, especially when admin privileges are involved.

    Christina Goggi included sharing credentials in her "41 dumbest security decisions," writing:

    Even more of a bad idea? Having all admins share the same admin account and password. No individual accountability, no way to tell who did what. Basically, chaos. It’s no better doing this with regular users. EVERY user gets their own account. NOBODY shares, ever.

    ComputerWeekly also proclaims that administrators should start “eradicating shared passwords among services and machines” because even if “having a shared local administrator password makes managing a large number of machines easier […] by cracking or guessing just one password, an attacker can immediately gain extensive control over the network.” That’s excellent advice, if you ask me.

    “Privileged password sharing is the ‘root’ of all evil” and for good reason, according to a 2012 SANS Institute whitepaper. The potential for abuse is staggering. Plus, once administrators have unbridled access, it’s really hard to take it away without starting a fight. The whitepaper mentions that, “Administrators often take such changes in policy as personal affronts, even when the chance just makes good sense from a security standpoint.”

    Maybe after seeing the data breach stats from 2015, implementing the principle of least privilege will be a little less offensive? Maybe not. Nevertheless, we need to start battening down the hatches before it’s too late. And, auditors — especially IT auditors, if this isn’t one of your emphasis items, it should be.

    In case you can’t tell, I get excited about this topic since it is one of my pet peeves. So tell us, is it one of your pet peeves too or am I overreacting?

    Image: iStockphoto/innovatedcaptures

    • N.E.R.D.

      “It’s a sign of the times, and not a good sign.”

      I don’t believe building stronger “walls” with better keys to data vaults is the answer. Building digital “walls” to protect data integrity will fade to the new business of damage control after the fact. This is a true sign of the times. Data breaches are becoming part of business as usual; albeit a casualty of business but no different than other unforeseen incidents/accidents (e.g. lawsuits and vehicle crashes)

      As it’s been noted over and over, all it takes for a breach to the sturdiest digital data vaults is a careless or disgruntled employee to give access knowingly or not. This makes securing a digital vault very difficult because humans will always make mistakes at some point.

      • Big4Veteran

        If you build a 10 foot wall the Mexicans, er, I mean the hackers, will just build an 11 foot ladder.

        • N.E.R.D.

          ..

    • Unfortunately, some of the major software vendors in the SMB SaaS accounting market charge based on the number of users (cough cough, Intuit, cough cough). So there’s a strong financial incentive for business owners to have employees share a login. Software developers could do a lot to help the security situation by changing their pricing models to offer unlimited users.

      • Megan Lewczyk

        I couldn’t agree more, Blake! The structure of many of the SMB SaaS business models definitely encourage password sharing and I hate it! At least there are a handful that realize that unlimited users (cough, Xero, cough) is key from an internal control standpoint and built that into their pricing.