Cyber Security Institute

Thursday, March 24, 2005

Root out the administrative password menace

When password management comes to mind, most managers think of their own passwords or of the passwords end-users type to reach the network, the sales database or e-mail.  But there is another set of passwords at the heart of enterprise operations: passwords that are critical and sensitive, yet whose security and management are often overlooked.

The backbone of every enterprise is a large estate of servers, network devices, security appliances and other infrastructure that forms the company's communications nerve center.  Every day, system, network and security administrators log on to these critical systems for routine maintenance, repairs and the application of the latest security patches.  Many of them hold ROOT or ADMINISTRATOR privileges, either through their personal accounts or through shared accounts whose password is known to the whole team.

Enterprises have gone to great lengths to educate end-users and to deploy tools that help them choose complex passwords, avoid obvious ones, stop writing them on Post-it notes, and change them frequently.  The same precautions apply to administrative passwords, but several additional measures are needed: administrative rights are extremely powerful, so they call for an extra level of caution and control.
Administrators have the best intentions, but the more often those passwords change hands, and the longer they remain unchanged, the greater the likelihood of a security breach.

Establishing a password control and change management program

As a stop-gap measure, many enterprises store the passwords for these systems in files such as spreadsheets and simple databases.  A quick penetration test will show just how easy it is to get at these documents.

Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons recovery from IT failures takes so long.

Here is a checklist of best practices to include in an administrative password control and change management policy.  It can be used both when creating the program and when evaluating the software and services that will support it.

- Centralized Administration
- Secure Storage
- Worldwide, Secure Availability
- A Dual-control Mechanism
- Routinely Change Passwords and Track History
- Intuitive Auditing
- Disaster Recovery Plan
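The following is an added example, not code from the original post or from any product it alludes to.  It models, in a few dozen lines of Python, how four of the checklist items fit together in a central vault: secure (here, centralised) custody of the current password, a dual-control checkout that needs two distinct approvers and consumes the approvals on use, routine rotation that keeps a salted hash history so a retired password cannot come back, and a tamper-evident audit trail in which every record is HMAC'd and chained to the previous one.  The `Vault` class, its method names and the account and user names are hypothetical; encryption at rest is noted in a comment rather than implemented.

```python
"""Minimal model of an administrative-password vault (added example, hypothetical API)."""
import hashlib
import hmac
import json
import secrets
import string
from typing import Optional

SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 24) -> str:
    """Draw a password from a CSPRNG and insist on every character class being present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def _salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


class Vault:
    """Central custodian for shared root/Administrator passwords (hypothetical)."""

    def __init__(self, audit_key: bytes, approvals_required: int = 2, history_depth: int = 12):
        self._current = {}      # account -> password; a real vault encrypts this at rest
        self._history = {}      # account -> [(salt, hash)] of retired passwords
        self._approvals = {}    # (account, requester) -> set of approvers
        self._audit = []        # hash-chained, HMAC'd audit records
        self._audit_key = audit_key
        self.approvals_required = approvals_required
        self.history_depth = history_depth

    # --- auditing: every action is recorded; the chain exposes edits or deletions ---
    def _mac(self, record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "mac"}
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._audit_key, msg, hashlib.sha256).hexdigest()

    def _log(self, event: str, **fields) -> None:
        prev = self._audit[-1]["mac"] if self._audit else "0" * 64
        record = {"seq": len(self._audit), "event": event, "prev": prev, **fields}
        record["mac"] = self._mac(record)
        self._audit.append(record)

    def verify_audit(self) -> bool:
        prev = "0" * 64
        for rec in self._audit:
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False
            prev = rec["mac"]
        return True

    # --- centralised custody ---
    def enroll(self, account: str, password: str, actor: str) -> None:
        self._current[account] = password
        self._history[account] = []
        self._log("enroll", account=account, actor=actor)

    # --- dual control: N distinct approvers, never the requester, approvals single-use ---
    def approve(self, account: str, requester: str, approver: str) -> None:
        if approver == requester:
            raise ValueError("requester may not approve their own checkout")
        self._approvals.setdefault((account, requester), set()).add(approver)
        self._log("approve", account=account, requester=requester, approver=approver)

    def checkout(self, account: str, requester: str) -> str:
        approvers = self._approvals.get((account, requester), set())
        if len(approvers) < self.approvals_required:
            self._log("checkout_denied", account=account, requester=requester)
            raise PermissionError(f"{len(approvers)}/{self.approvals_required} approvals")
        del self._approvals[(account, requester)]
        self._log("checkout", account=account, requester=requester, approvers=sorted(approvers))
        return self._current[account]

    # --- routine rotation with history so retired passwords cannot be reused ---
    def rotate(self, account: str, actor: str, new_password: Optional[str] = None) -> str:
        new_password = new_password or generate_password()
        if new_password == self._current[account]:
            raise ValueError("password unchanged")
        if any(_salted_hash(new_password, s) == h for s, h in self._history[account]):
            raise ValueError("password was used before on this account")
        salt = secrets.token_bytes(16)
        self._history[account].append((salt, _salted_hash(self._current[account], salt)))
        self._history[account] = self._history[account][-self.history_depth:]
        self._current[account] = new_password
        self._log("rotate", account=account, actor=actor)
        return new_password

    def history_length(self, account: str) -> int:
        return len(self._history[account])
```

The two design points worth noting are that approvals are deleted on checkout, so a second retrieval needs a fresh pair of approvers, and that the history stores only salted hashes: the vault can refuse a recycled password without retaining the old plaintext.  Everything else the checklist asks for (replication for worldwide availability, a recovery plan for the vault itself) sits outside this model.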
