Secrets Your IT Administrators Don't Want You to Know
Lieberman President & CEO
As valued members of your organization, IT administrators work every
day to keep your infrastructure up and available. But in today’s rush
to contain operational costs, your IT administrators could be taking
more shortcuts than you’d expect. And perhaps no aspect of IT suffers
more from cutting corners than security.
Here are five facts about IT security that your administrators probably
don't want executives and employees to know.
Most Passwords Never Change
Sure, regulations may call for frequent password changes on all
accounts in your infrastructure. Even though your IT administrators may
be tasked to change passwords on a regular basis, your organization
probably lacks the automation to reliably change what could be
thousands of the passwords that matter most.
Sensitive accounts such as administrator logins, embedded
application-to-application passwords, and privileged service accounts
often keep the same passwords for years because IT staff may not have
the tools to track and change them. And, because systems and
applications often crash when IT personnel attempt to change
interdependent credentials, many of your organization’s most privileged
logins can go unchanged for extended periods of time.
Ad-hoc change processes and handwritten scripts might succeed in
updating the passwords of some types of privileged accounts, but unless
your organization has invested in privileged identity management
software, you can bet that many of the passwords that grant access to
your organization’s most sensitive information are never changed. This
means that access to this data will continue to spread over time.
Too Many Individuals Have
Too Much Access
Regardless of your written policies, highly privileged account
passwords are almost certainly known to large numbers of IT staff. For
the sake of convenience, chances are these logins have been shared with
individuals outside of IT.
As a result contractors, service providers, application programmers,
even end users are likely able to gain privileged access using
credentials that may never change. Unless you’ve got technology in
place to track privileged logins, delegate access, and change these
powerful credentials after each time they’re used, then you’ll never
know who now has access.
Your CEO’s Data Isn’t
With all the recent headlines about corporate and government data
leaks, you might still be surprised to know how many individuals have
access to the files on your executive’s computers, and to the data
resident in the applications that senior managers use every day. Anyone
with knowledge of the right credentials can gain anonymous access to
read, copy and alter data.
In many cases these credentials are known not only to senior IT
managers, but also to IT rank and file and others. It’s more than
likely that your $12-per-hour help desk workers have access to more
sensitive data than does your CFO. And your subcontractors located
around the world? It’s likely that they can access the CEO's account,
IT Auditors Can Be Misled
If your administrators know about security gaps or failed policies that
your IT auditors haven’t discovered, then they’ll likely try to take
the knowledge to their graves. IT staff have limited time to complete
higher-visibility projects that influence performance ratings and
paychecks, so in most cases you can forget about them fixing any
security holes that your auditors fail to notice.
Security Often Takes a
Is your IT administrators’ pay structure tied to security? No? Then
they’re probably not as proactive as you might expect when it comes to
securing your network. Most IT administrators won’t tell you about the
security vulnerabilities they discover in the course of their jobs
because they’re not paid to fight losing battles to gain resources
necessary to close each security gap.
Because pay packages are rarely tied to safeguarding your network, your
IT administrator is also probably not taking the initiative to update
his or her technical skills when it comes to security. As a result,
even when budgets allow for purchases of new security technologies,
your staff may have no clue how to effectively use these new tools.
Bring IT Into Balance by
Fundamentally, the security of each organization hinges on how well IT
balances convenience with controls and accountability. All too often IT
is given free reign to operate under its own rules when it comes to
security and resists working under the same types of controls that
apply to others in the organization.
Those organizations that work to bring IT into balance – introducing
accountability through segregation of duties and adequate auditing
controls while providing sufficient resources and incentives to provide
proactive security – will come out ahead.
What do you think? Email me at: email@example.com.
Tip of the Month
Lock Out Malicious
Software and Unauthorized Programs
User Manager Pro Suite is well known for
its ability to modify and report on numerous security configuration
settings on multiple Windows machines collectively. But did you know
that one of its most valuable attributes is its patented technology to
block malicious software and other unauthorized applications from
executing on client systems? Here’s
New in Identity Week
commentary on our Identity Week blog this month includes:
Truth About Online Privacy
Guest Commentary by
Wes Miller, VP at Directions on Microsoft.
Last year online privacy became the hot topic – at least among privacy
and security pundits. But what, exactly, is online privacy?...
Tips for Boosting Enterprise Security
It’s that time again. We’re one month into the New Year, when we look
back at the goals and resolutions we set out to accomplish and were
adamant we’d achieve...
- Is Uncle Sam’s “Trusted
Identity” Plan a Good One?
Recently, Matthew Lasar wrote an article for Ars Technica talking about
the potential for a new national cybersecurity plan. United States
Secretary of Commerce Gary Locke is taking up the Obama
administration’s efforts to enhance online security and privacy and the
next steps in meeting the challenges of a growing cyber world according
to a press statement...
Software and Q1 Labs Combine Privileged Identity Management and SIEM to
Bring Accountability to Enterprise Security Joins Q1 Labs Security
Intelligence Partner Program
“This integration is
closing the loop on event management by providing visibility into the
real-time ownership and delegated access to sensitive accounts that
appear in Q1Labs QRadar's gathered events,” said Philip Lieberman,
president and CEO of Lieberman Software. “With this 360 degree view of
security events Lieberman Software and Q1 Labs can show not only what
is happening, but also who is behind the activity – effectively ending
anonymous access to privileged accounts.”
For details on this integration, please visit our Q1 Labs Integration
Events / Press /
Conference. February 14-17,
2011. San Francisco, CA. Stop
by our booth: # 529.
18-20, 2011. Orlando, FL. Visit us at Booth 308. Get 10% off
your registration by using the code OS11/VDIS
Demo: Lieberman Software – Enterprise Random Password Management
Integration with SCSM. TechNet
Blogs > System Center Service Manager Engineering Team Blog. This
is great for incident management scenarios when someone needs to go fix
a system but you don’t want them to necessarily have carte blanch
access to the sensitive account all the time. This integration with
Service Manager make it easy to associate password check outs with
particular incidents for traceability. Further it will log any event in
the ERPM system you choose in to SCSM as an incident. For
example, you could generate an incident based on a failed login.
Exposes Super-User Activity to SIEMs. IT Jungle. Organizations
can feel a little more secure that their IT workers aren't abusing
powerful user profiles as a result of integration work done by
Lieberman Software and Q1 Labs. The two security software companies
teamed up to ensure that every use of Lieberman's Enterprise Random
Password Manager is tracked by Q1 Labs' security information and event
management (SIEM) software.
- What are
banks not telling us about card fraud? Help Net Security. Reports that a Russian hacker has pleaded
guilty of ripping off WorldPay, the online transaction processor, to
the tune of $10 million, have met with a grim smile by Lieberman
Glaring Lesson In Shared Passwords. Darkreading. Vodafone's
embarrassing breach should serve as a wake-up call for enterprises that
also engage in the dangerous practice of credential-sharing. With
dissolution of channel partner contracts and staff firings under way,
as well as reactive executive orders snowballing from the corner
offices, Australian wireless carrier Vodafone is feeling the full force
of consequences stemming from the very common but unsafe practice of
allowing shared passwords within enterprise accounts.
security lands soap firm in hot water. Computing.co.uk. The
web site of bathroom products retailer Lush has fallen victim to
hackers. At the time of writing, the site displays the message: "We are
sorry to confirm that our website has been the victim of hackers" as
Challenges FCC Net Neutrality Authority. PCWorld. Verizon has filed a lawsuit
challenging the authority of the FCC to impose the net neutrality rules
approved last month. The question boils down to interpreting the powers
granted to the FCC by Congress, and Verizon is hoping to find a
sympathetic court that sees things its way.
Blog. WindowsITPro. While
the security software
market tends to be dominated by industry heavyweights like Symantec,
Microsoft, McAfee, Webroot, Trend Micro, and Sophos, Lieberman Software
has managed to carve out a profitable niche for its own security
- Russian Hacker Admits to
Stealing $10 Million, Avoids Jail. Tech and gadgets on msnbc.com.
A Russian computer hacker who helped orchestrate a $10 million
international bank fraud will avoid jail and serve only a five-year
suspended sentence. Yevgeny Anikin, 27, was part of a cybercriminal
ring that in 2008 hacked into the electronic payment service WorldPay,
then owned by the Royal Bank of Scotland, and first rigged it to raise
customers’ maximum withdrawal limits. Then, using cloned debit cards,
Anikin and his team — in one 12-hour stint — stole $10 million from
more than 2,100 ATMs in 280 cities worldwide.