Organizations sloppy about securing privileged accounts

While most companies have processes in place for managing administrative and other privileged accounts -- the sorts of credentials frequently used in high-profile data breaches for the past several years -- most do a poor job of enforcing those processes.

Companies' haphazard processes for managing administrative or other privileged accounts are putting them at risk of security breaches, according to a new global security survey.

The survey, conducted by Dimensional Research and sponsored by Dell, found that 83 percent of respondents face numerous challenges with managed privileged accounts and administrative passwords. That's not to say they lack procedure for securing them — nearly 80 percent say they have a defined process for managing them — but they're not diligent about it.

For instance, 37 percent of respondents said default admin passwords on hardware and software are not consistently changed. Thirty-seven percent of respondents also said multiple admins share a common set of credentials, and 31 percent said they were unable to consistently identify individuals responsible for administrator activities.

[ Related: CISO bets on cloud security services to protect data ]

While more than 75 percent of respondents said they have a defined process for changing the default admin password on hardware and software as new resources are brought into the organization, only 26 percent said they change admin passwords monthly or more frequently. Twelve percent of respondents said they only change admin passwords in the event of a potential security threat against the business and four percent said they never change admin passwords.

Prone to human error

Another factor is the use of manual processes for managing privileged accounts. The survey found that nearly 30 percent of respondents say their organization still uses manual processes like spreadsheets to manage privileged accounts. These manual processes are prone to error and easily compromised, says Jackson Shaw, senior director, Product Management, at Dell Software Group. They also impede quick resolution in time-critical situations.

"It's like we're not seeing security breaches nearly every day," Shaw says. "Identity is the new attack vectors. Hackers are trying to get in, and they're using people's user credentials. Then they're hopping around until they get a privileged account."

Dimensional Research surveyed 560 IT professionals with responsibility for security for the study. Participants came from the U.S., U.K., Germany, Australia and New Zealand.

[ Related: Boards are getting more involved in cybersecurity, but is it enough? ]

The survey respondents said that the implementation of delegation — the caoability to implement a least-privileged model of admin activity in which administrators are only given sufficient rights to do their job — and password vaulting (the ability to automate storage, issuance and changing of administrative credentials) as the practices that are most critical to critical account management in their organization. But fewer than half said they have a regular cadence of recording, logging or monitoring administrative or other privileged access.

"Privileged accounts really are the 'keys to the kingdom', which is why hackers seek them out and why we've seen so many high-profile breaches over the past few years use these critical credentials," John Milburn, executive director and general manager, Identity and Access Management, Dell Security, said in a statement. "To alleviate this risk and ensure these accounts are controlled and secured, it's absolutely crucial for organizations to have a secure, auditable process to protect them. A good privileged account management strategy includes a password safe, as well as least-privileged control to protect organizational assets from breaches."

How to build a privileged account management strategy

Shaw says a privileged account management strategy should take an integrated approach to addressing the challenges around privileged accounts, including the following best practices:

  • Take an inventory of your organization's privileged accounts, including users, and the systems that use them.
  • Ensure that privileged passwords are stored securely, and enforce strict requirements for access request and change management processes for privileged passwords.
  • Whenever possible, ensure individual accountability and least-privileged access.
  • Log and/or monitor all privileged access.
  • Audit use of privileged access on a regular basis.

Follow Thor on Google+

Join the CSO newsletter!

Error: Please check your email address.

More about DellDell SoftwareGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts