Privileged Operating System Access
Because large organizations have thousands of privileged accounts in use throughout the IT infrastructure, it can be virtually impossible to manually track and update them all. In the absence of automated processes, IT staff often set privileged credentials to the same common, unchanging password or may update the credentials through ad hoc scripts and group policy changes.
An organization that does not maintain frequently changed, unique passwords for all of its privileged accounts faces the threat of unauthorized users and malicious programs compromising just one password and gaining unrestricted access to resources throughout the network. Two sources pose a particular threat: former employees familiar with the privileged passwords at their previous organizations, and malware that exploits common privileged account passwords.
Manual processes to change privileged account passwords also pose risks, since improperly implemented and incomplete password updates can result in account lockouts, cascading system failures, and extended IT service disruptions.
The lack of adequate policies and practices to manage privileged accounts can make an organization unable to:
- Address its security risks by locating all potential privileged account vulnerabilities
- Protect its access by verifying that sensitive data is only accessible to authorized users
- Verify security by providing an audit trail of individuals who are granted access to sensitive data
- Reduce the potential for extended damage after a security breach exposes privileged credentials that can be re-used across independent IT assets
- Eliminate undesired system changes and service disruptions when privileged accounts are used for tasks that don’t require them
Privileged identities are widespread in the IT infrastructure, since they can be found on server and desktop operating systems, on hardware devices like routers or switches, and on applications and services like databases, backup programs, scheduled tasks, and more. Unauthorized access to the privileged account passwords on any of these resources can lead to a compromise of sensitive corporate data and disruptions to IT services.
Without proper controls, access to an organization’s privileged accounts spreads over time, often in unplanned ways. This happens as organizations:
- Fail to change the pre-configured logins and service accounts that are introduced as they deploy new hardware and applications
- Delegate administrative duties across overlapping groups, change the roles of IT administrators, or contract IT jobs to outside personnel
- Fail to revoke all privileged accounts accessed by an employee after his or her job changes or employment ends
- breached by social engineering, dictionary attacks, or other means
Despite the serious security risks and the potential for IT compliance audit failure, many organizations are unaware of their own vulnerabilities when it comes to privileged accounts.
Lieberman Software products help organizations control privileged account access through a four-part I.D.E.A. process:
- Identify and document all critical IT assets, their privileged accounts and their interdependencies.
- Delegate access to privileged credentials so that only appropriate personnel, using the least privilege required, can log in to IT assets.
- Enforce rules for password complexity, diversity and change frequency, and synchronize changes across all dependencies.
- Audit and alert so that the requester, purpose, and duration of each privileged access request are documented.