Top of Mind
Low Hanging Fruit: Fixing Big Security Problems in Minutes or Short, High-Return Projects
Philip Lieberman
President & CEO
Lieberman Software
For those who get the whirlwind tour of Enterprise Random Password
Manager (ERPM), it is not uncommon to be overwhelmed by the vast scope
of the product's coverage. Because the product can do so much, many
customers freeze: they have no plan for what to do first.
In this month’s Top of Mind I will try to give you a simple security
improvement attack plan that is fast and easy – where each project
takes a day or less to accomplish and yields permanent closure of
security holes.
Politics vs. Technical vs. Scope Issues
Improving the handling of superuser credentials is not always easy to
implement, because many of the changes require not only the introduction
of technology but also changes in operational processes that cross many
political, financial and power fiefdoms. When deciding on the following
projects, consider not only the technical difficulties (none are that
great) but also the politics behind the introduction of a new security
control (the auditor's term).
Password Spreadsheets
Technically, the easiest and highest-return project is the conversion of
existing password/secret spreadsheets (generally shared, and with no
audit trail of who used which entry) into encrypted data with delegated
access. You can use our standalone Password Spreadsheet Manager (PSM),
ERPM or Random Password Manager (RPM) for this project. The PSM feature
is included in ERPM and RPM at no extra charge. The end result is
controlled access to all of your spreadsheet password/secret data at a
very granular level, in less than one day.
We have had customers import over 500 existing password spreadsheets
into the product and put this into production in less than 4 hours, so
it can be done quickly.
The project consists of converting existing spreadsheets from their
native format (i.e. Microsoft Excel XLS/XLSX format) into CSV (comma
separated value) format. The CSV files are imported directly into the
ERPM console with about three or four mouse clicks (easy and quick). To
finish up, you then set the permissions for the imported spreadsheet
data, which is a little time consuming and politically charged, since it
decides who gets access to which secrets. Keep in mind that the
intermediate CSV files hold every secret in cleartext: create them on an
encrypted volume or a workstation you trust, import them, and then delete
them (and the original spreadsheets, once you have confirmed that the
right people can reach the imported data) so that the cleartext copies do
not outlive the migration.
Tips and Techniques
1) You can import more than one spreadsheet at a time in one file
import step. In the documentation for the CSV file format, you will see
that you can add an extra column of data to the CSV file that contains
the name of the spreadsheet for each row of data. This trick allows you
to create a gigantic single CSV file and each row of data will drop
into the correct encrypted area based on the last column value
(spreadsheet name).
2) Setting complex permissions on many spreadsheets can be labor
intensive. To make this easier, first set the permissions on a single
imported spreadsheet by hand. Export the permissions for that
spreadsheet to CSV and use the file as a template for the rest. Open the
exported permissions CSV in a spreadsheet application, duplicate the
rows once per remaining spreadsheet and change only the spreadsheet-name
value on each copy (fill-down or find-and-replace does this in seconds).
Save the resulting spreadsheet as a CSV file and import it into our
program; the import takes only a few seconds. We hate repetitious work
and like automation a lot, which is what we provide to speed up your
deployments.
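The two tips above (a single merged CSV with a trailing sheet-name column, and a permissions template replicated across every sheet) are the kind of thing a migration script does more reliably than hand-editing. The following is an added example, not Lieberman Software code, and it does not use the product's real CSV layout: the secret columns (Name, Account, Password, Notes), the extra SheetName column, and the permissions layout (SheetName, Principal, Right) are all assumed for illustration, as are the sample rows, which are constructed and contain no real credentials. Check the product's CSV documentation for the actual column names before using anything like this. The merge step refuses spreadsheets whose headers differ, because a column mismatch would silently shift a Notes value into the Password field of the import.

```python
"""Merge several password spreadsheets (already saved as CSV) into one
import file with a per-row sheet-name column, and expand a permissions
template across all sheet names.

Added example, not Lieberman Software code. The column layouts below are
ASSUMED for illustration; use the layout in the product documentation.
"""
import csv
import io
from typing import Dict, List

SHEET_COLUMN = "SheetName"  # assumed name of the extra per-row column

# Constructed sample input (no real credentials): three team spreadsheets
# already exported to CSV. Passwords with commas and quotes are included
# on purpose, because those are what break naive string concatenation.
SAMPLE_SHEETS: Dict[str, str] = {
    "Network-Team.csv": (
        "Name,Account,Password,Notes\n"
        'core-sw1,admin,"p4ss,with,commas",IOS enable\n'
        "fw-edge,root,Tr0ub4dor&3,PAN-OS\n"
    ),
    "DBA-Team.csv": (
        "Name,Account,Password,Notes\n"
        'prod-db1,sa,"quote""inside",MSSQL\n'
    ),
    "Windows-Team.csv": (
        "Name,Account,Password,Notes\n"
        "dc01,Administrator,Wint3r2012!,Domain controller\n"
    ),
}

# Constructed sample: permissions exported after configuring ONE sheet by hand.
SAMPLE_PERMISSION_TEMPLATE = (
    "SheetName,Principal,Right\n"
    "Network-Team,CORP\\netops,Read\n"
    "Network-Team,CORP\\sec-audit,Audit\n"
)


def sheet_name_from_filename(filename: str) -> str:
    """'Network-Team.csv' -> 'Network-Team'."""
    return filename.rsplit(".", 1)[0]


def parse_rows(csv_text: str) -> List[Dict[str, str]]:
    """Parse CSV text into a list of row dicts (used to inspect results)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def merge_sheets(sheets: Dict[str, str], sheet_column: str = SHEET_COLUMN) -> str:
    """Combine several CSV spreadsheets into one import file.

    Every data row gets an extra last column naming the sheet it came from.
    All sheets must share the same header: a mismatch would shift fields
    silently, so it is rejected instead of guessed at.
    """
    expected_header = None
    out = io.StringIO()
    writer = None
    for filename, text in sheets.items():
        reader = csv.DictReader(io.StringIO(text))
        header = reader.fieldnames or []
        if sheet_column in header:
            raise ValueError(f"{filename}: already has a {sheet_column!r} column")
        if expected_header is None:
            expected_header = header
            writer = csv.DictWriter(out, fieldnames=header + [sheet_column],
                                    lineterminator="\n")
            writer.writeheader()
        elif header != expected_header:
            raise ValueError(f"{filename}: header {header} != {expected_header}")
        name = sheet_name_from_filename(filename)
        for row in reader:
            row[sheet_column] = name   # csv module handles quoting of the secret
            writer.writerow(row)
    return out.getvalue()


def expand_permissions(template_csv: str, sheet_names: List[str],
                       sheet_column: str = SHEET_COLUMN) -> str:
    """Replicate the rules exported for one sheet onto every named sheet."""
    template_rows = parse_rows(template_csv)
    if not template_rows:
        raise ValueError("empty permissions template")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(template_rows[0].keys()),
                            lineterminator="\n")
    writer.writeheader()
    for name in sheet_names:
        for row in template_rows:
            writer.writerow({**row, sheet_column: name})
    return out.getvalue()


if __name__ == "__main__":
    merged = merge_sheets(SAMPLE_SHEETS)
    print(merged)
    names = [sheet_name_from_filename(f) for f in SAMPLE_SHEETS]
    print(expand_permissions(SAMPLE_PERMISSION_TEMPLATE, names))
```

Run it once against a copy of your exported sheets, diff the row count of the merged file against the sum of the originals, and only then import; the same cleartext-handling caution from the project description applies to the merged file, which now holds every team's secrets in one place.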
Summary
Converting from spreadsheets containing static secrets to a fully
audited and controlled access system where each line in the spreadsheet
is now an encrypted and delegated secret is a fast project that
generally takes less than a day. As a side note, we don’t charge by
users, administrators, spreadsheets or secrets, so you can load in as
many spreadsheets as you want without additional charges. Imagine:
getting rid of spreadsheet-based secrets and making your auditors happy
in less than a day with no extra licensing costs… and, secret storage
requires very little database power and almost no CPU usage on your
servers!
Next Month's Project: Randomizing Local Administrator Passwords
What do you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
What's New in Identity Week
Featured commentary on our Identity Week blog this month includes:
- Trends in the German IT Market – An Interview. IdentityWeek recently had an opportunity to sit down with Andreas Görög, CEO of IBV Informatik GmbH – an IT security solutions provider headquartered in Germany – about his insights on the current state of the IT market in Northern Europe and what to expect in coming years...
- U Is For UTM. Guest Commentary by Pierluigi Stella, CTO, Network Box USA. A recent article in Dark Reading caught my attention, because I have been saying the precise same thing for 13 years now. The idea for unified threat management (UTM) has always been that an effective response against blended threats can only come from blended security. And there is absolutely no way to blend security when you are dealing with 10 different devices – most likely originating from 7 different vendors, with not a single one of them integrated with each other...
Events / Press / Analysts
- Oh My Tech!: Navigating the nightmare of multiple logins, passwords. The Salt Lake Tribune. Whenever I go to the home of a friend or relative to try to make things right on their computers or software, invariably the biggest obstacle I run into is being able to access what needs fixing. That's because invariably whoever I'm helping can never remember the login and password he or she uses. For example, I recently spent two more hours than I needed to working on my cousin's iPad because she couldn't remember the passwords for either her email or iTunes account.
- Hackers publish 450,000 unencrypted Yahoo login credentials. FierceCIO TechWatch. Yahoo has become the latest online service to suffer a massive password breach. Hacking group D33D Company has publicly posted more than 450,000 login credentials belonging to the Yahoo Contributor Network on its website. The hackers claimed to have used an SQL injection technique to extract the data, which contains passwords which are unencrypted.
- IT staff despair about crooked outsourcing. TechEye.net. Dodgy work, dodgier invoices. In-house IT professionals take a dim view of the jobs undertaken by outsourced workers, labeling outsourcing a "money pit" and blasting claims of a value return.
- RBS/NatWest banking systems failure – who is to blame? IT Security Pro. Commenting on BBC business editor Robert Peston's comments about the RBS/NatWest account access debacle on BBC Radio 4's Today programme yesterday, Lieberman Software says that the incident highlights the reliance that many large organisations have on software code – and systems – that are well past their sell-by dates, and that banks don't have the incentive to change.
- Top 3 Insecure Password Management Practices. eSecurity Planet. Even good admins sometimes do bad things with passwords. Spotting these risky IT practices in your organization is a first step to a more secure password management strategy.
Tech Tip of the Month
Upgrade to ERPM 4.83.4 or RPM 4.83.4!
If you are an existing Enterprise Random Password Manager (ERPM) or
Random Password Manager (RPM) customer, we STRONGLY recommend you upgrade
to the new version. There is so much more functionality and flexibility
in this release. Download the new installer package, run it, and upgrade
the website - it's that simple! To upgrade, please contact your account
manager for the download link.