The 2016 Verizon Data Breach Investigations Report (aka: “DBIR”) is out and it isn’t pretty. Where to start…? Maybe by saying that 2015 heralded over 100,000 information security incidents — including 3,141 data breaches.
If those numbers are not staggering enough, it’s more unnerving to realize this is the first time I have heard about the majority of these and most never got mainstream attention. (Remember Target in 2013?) It’s a sign of the times, and not a good sign.
I find one sub-section of the report particularly appalling, especially as a former auditor. Try to guess the number of incidents that fit into the “insider and privilege misuse” category during 2015…
It’s 10,489. Of those, 172 had confirmed data disclosure.
And within the “insider and privilege misuse” category, over 65% dealt with privilege abuse. That’s way too many…
“Super users” aren’t that super-duper when they are “behind your firewall, getting all up in your data,” according to the report. (Did I mention DBIR's cheeky language? I love it.) The data suggests that most of these incidents go unnoticed for months, even years. Yikes!
The report recommends that you “make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree.” Common sense, right? Apparently, it’s easier said than done.
For many who want to tempt fate, it's easier to have one generic privileged username and a single shared password. I get it, it’s convenient, even if it does set you up for an awkward chat with your auditor down the road. But nothing irks an auditor more than shared credentials, especially when admin privileges are involved.
Christina Goggi included sharing credentials in her "41 dumbest security decisions," writing:
Even more of a bad idea? Having all admins share the same admin account and password. No individual accountability, no way to tell who did what. Basically, chaos. It’s no better doing this with regular users. EVERY user gets their own account. NOBODY shares, ever.
ComputerWeekly also proclaims that administrators should start “eradicating shared passwords among services and machines” because even if “having a shared local administrator password makes managing a large number of machines easier […] by cracking or guessing just one password, an attacker can immediately gain extensive control over the network.” That’s excellent advice, if you ask me.
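What the "no way to tell who did what" problem looks like from the defender's side, as an added example (mine, not from the DBIR, ComputerWeekly, or the author): a short Python check over constructed logon records that flags a privileged account being used from several hosts within a short window, the footprint a shared admin credential leaves and that per-user accounts never produce. The log layout and the list of privileged account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not taken from the DBIR or any real system):
# ISO timestamp, account name, source host. The generic "ADMIN" account is used
# from three workstations within minutes, which is what credential sharing looks
# like in a log; "jsmith" is a per-user account and stays on one host.
SAMPLE_LOGONS = """\
2015-06-01T09:00:12 ADMIN ws-finance-01
2015-06-01T09:03:40 ADMIN ws-hr-07
2015-06-01T09:05:02 jsmith ws-eng-03
2015-06-01T09:07:55 ADMIN ws-eng-03
2015-06-01T13:30:00 ADMIN ws-finance-01
2015-06-01T15:00:00 jsmith ws-eng-03
"""

# Accounts the organisation treats as privileged (assumed list for this example).
PRIVILEGED = {"ADMIN", "root"}


def parse_logons(text):
    """Turn whitespace-separated records into sorted (timestamp, account, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        records.append((datetime.fromisoformat(ts), account, host))
    return sorted(records)


def shared_account_alerts(records, window=timedelta(minutes=10), privileged=PRIVILEGED):
    """Return {account: sorted hosts} for privileged accounts seen on more than one
    host inside `window`. Per-user accounts are not checked: they carry the
    individual accountability the quoted advice asks for."""
    alerts = {}
    by_account = defaultdict(list)
    for ts, account, host in records:
        if account in privileged:
            by_account[account].append((ts, host))
    for account, events in by_account.items():
        for i, (ts, host) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - ts <= window}
            if len(hosts) > 1:
                alerts.setdefault(account, set()).update(hosts)
    return {a: sorted(h) for a, h in alerts.items()}


if __name__ == "__main__":
    for account, hosts in shared_account_alerts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: used from {len(hosts)} hosts within 10 min -> {hosts}")
```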
“Privileged password sharing is the ‘root’ of all evil,” and for good reason, according to a 2012 SANS Institute whitepaper. The potential for abuse is staggering. Plus, once administrators have unbridled access, it’s really hard to take it away without starting a fight. The whitepaper mentions that, “Administrators often take such changes in policy as personal affronts, even when the change just makes good sense from a security standpoint.”
Maybe after seeing the data breach stats from 2015, implementing the principle of least privilege will be a little less offensive? Maybe not. Nevertheless, we need to start battening down the hatches before it’s too late. And auditors, especially IT auditors: if this isn’t one of your emphasis items, it should be.
In case you can’t tell, I get excited about this topic since it is one of my pet peeves. So tell us, is it one of your pet peeves too or am I overreacting?