|
Perspective
Combating Cyber Security Threats
V Balasubramanian discusses the causes of security
incidents in detail and suggests ways to effectively tackle the challenge
Of late, cyber-criminal activities across the globe have assumed
such grave proportions that all enterprises - big and small, are exposed to
security breaches and identity thefts of various kinds. Many acts of sabotage
were found to have been caused by the insiders of the enterprises, either disgruntled
staff or greedy techies or sacked employees. As stolen identities seem to have
served as the ‘hacking channel’ for many cyber-crimes, improper management
of the administrative passwords is believed to be at the root of a good number
of security threats.
Increasing Cyber Security Attacks – The Challenge
If Samuel Taylor Coleridge were alive today, he would have probably rephrased
his immortal lines ‘Water, water everywhere, ne any drop to drink’
as ‘Threat, Threat Everywhere, Cyber criminals on the prowl‘! Let
us take a quick look at some of the major cyber-crimes happened recently:
A trader allegedly stole the passwords of IT operators of a reputed European
Financial Services Company and racked up a mountain of fraudulent trades that
created financial loss to the tune of $7 billion to the company. This incident
is considered one of the largest cyber-frauds in the history.
In San Francisco, a disgruntled network administrator allegedly planted network
devices that enabled illegal remote access to the Fiber Optic Wide Area Network
and eventually changed the passwords of servers and devices and prevented other
staff of the organization from accessing the network
A cyber-mafia hacked the network of an international hotel chain, used the credentials
of an employee and reportedly hacked the personal data of millions of customers
of the hotel chain. The stolen data includes addresses, telephone numbers, credit
card details, and places of employment
The employee of a hugely popular social networking site was using the same password
for many of his online accounts. It came in handy for a hacker, who got hold
of the password, gained access to the network of the social networking site
and released their sensitive business documents publicly
The identity theft from a reputed discount stores chain in USA and Canada reportedly
made hackers gain access to customer information related to at least 45.7 million
credit and debit cards
The list of cyber-crimes and security incidents will go on and on and will fill
volumes, if one were to point out all. What’s worse, a good number of security
incidents are not revealed for fear loss of reputation. The above list however
gives an indication of the magnitude of the problem. It also indicates that:
- Businesses of all types be it financial firms,
healthcare institutions, federal agencies, service organizations, hospitality
sector, educational institution or hi-tech enterprises and all sizes are impacted
- Establishment of intrusion detection systems and
other security infrastructure alone is not enough to effectively combat security
incidents
- In many incidents, disgruntled insiders had acted
with malicious intent and caused the damage
- By and large, the perpetrators have stolen the digital
identities of others to creep in to the network and wreak havoc
Security Incidents - Causes
Past trends show that the exact cause of most of the security incidents goes
unreported. Of course, there have been instances where the culprits had been
brought to book and their modus-operandi revealed to the outer world. But, the
fact remains that exact cause of most of the incidents remains a secret, unfortunately.
Traditionally, keylogger trojans, cross-site scripting and viruses have mostly
acted as the security attack channels.
However, of late, as stolen identities seem to have served as the ‘hacking
channel’ for most of the cyber-criminals, analysts generally believe that
improper management of the Administrative Passwords, which are often aptly referred
as ‘Keys to the Kingdom’, is at the root of many security threats.
Another harsh fact is that many a sabotage had been caused by the insiders of
the enterprises—disgruntled staff or greedy techies or sacked employees.
That means, in this hi-tech era, breach of trust could occur anywhere, anytime
leading to serious consequences. Quite often, lack of well-defined internal
controls and access restrictions pave the way for security incidents.
Today’s scenario: administrative passwords
Before discussing the solution, let us dwell on the current scenario. How administrative
passwords are being handled in enterprises?
If truth be told, even many big enterprises do not have any effective password
management system in place at all. Employees follow their own, haphazard way
of
maintaining the passwords; there is rarely any meaningful management.
Sensitive passwords are stored in volatile sources such as text files, spread
sheets and printouts. Hard/soft copies of the administrative passwords are circulated
among the administrators. The passwords thus become impersonal in the shared
environment where there is no accountability for actions. There is generally
no trace on ‘who’ accessed ‘what’ resources and ‘when’.
The administrative passwords mostly remain unchanged for fear of inviting system
lockout issues. Worse still, most resources are assigned the same, non-unique
password for ease of coordination among administrators.
When other members of the organization such as developers, database administrators
and support personnel require access to IT resources, passwords are generally
transmitted over word of mouth. Also, there is rarely any internal control on
password access or usage. Administrators freely get access to the passwords
of all the resources.
If an administrator leaves the organization, it is quite possible that he/she
may be getting out with a copy of all the passwords.
From the foregoing, it is clear that the haphazard style of password management
makes the enterprise a paradise for hackers – internal or external. Unfortunately,
enterprises generally do not tend to attach importance to this crucial aspect
of administrative password management until a security incident or identity
breach rocks the enterprise. This negligence often proves costly.
Many security breaches like the ones discussed above might have stemmed from
lack of adequate password management policies and internal controls. Analysts
strongly believe that most of the security incidents are actually avoidable
by placing access restrictions and well-defined password policies.
The Solution
The answer is to take preventive action and safeguard your data. With cyber-threats
looming large, enterprises should think of taking preventive action by strengthening
internal controls. Manual processes and home-grown tools may not be able to
provide the desired level of security and controls.
One of the effective ways to achieve internal controls is to deploy a Privileged
Password Management Solution that could replace manual processes and help achieve
highest level of security for the data.
Privileged Password Managers help enterprises safeguard their
data and thereby avoid security incidents in multiple ways than one. Administrative
passwords can be stored in a centralized repository in encrypted form –
this helps avoid storing of the passwords in volatile resources. Even if someone
manages to get hold of the password database, data cannot be deciphered.
Role-based, granular access restrictions can be enforced. Administrators and
other users get access only to the passwords that are allotted to them, not
all passwords. In addition, passwords can be selectively and securely shared
with others on need basis and word of mouth sharing is completely avoided.
Passwords can be automatically changed at periodic intervals assigning a strong,
unique password to each resource. For enhanced internal controls, administrators
or users may even be prevented from viewing the passwords in plain text. Instead,
they could be directed to just click a URL to directly access the resource.
Users requiring temporary access to the passwords can be directed to follow
password request-release workflow granting time-limited access. After revoking
the permission, passwords can be automatically reset.
All password access activities are completely audited. This helps monitor the
usage of privileged identities and fix accountability issues when something
goes wrong. It also helps the enterprise meet regulatory compliance requirements.
Real-time alerts on password actions help administrators continuously track
and control the administrative passwords. If an administrator leaves the organization,
passwords owned or accessed by them can be transferred to some other administrator
and the passwords could be automatically reset. This helps avoid possible misuse
of the passwords by disgruntled users.
Researchers repeatedly point out that identity theft incidents are on the rise
and it will only keep growing due to many reasons, including economic situation,
social factors and technological advancements that make the tech-savvy criminals
more creative every passing day.
Not all security incidents could be prevented or avoided; nor could privileged
password management software act as the panacea for all cyber security incidents.
But, the security incidents that happen due to lack of effective internal controls
are indeed preventable. Enterprises should initiate preventive action to combat
cyber-criminals. Otherwise, they might end up locking the stable after the horse
has bolted!
The author is a Senior Analyst with ManageEngine Password
Manager Pro, a division of Zoho Corp, Chennai
|
