Mainstream Australian media sites now regularly mention hacking incidents carried out by the hacktivist group 'Anonymous'. The group recently defaced several prominent Australian websites, and has now also claimed to have stolen user credentials and contact information from Pizza Hut Australia.
In fact, the month of November 2012 has been a period of high profile security breaches and identity thefts not just in Australia, but across the globe. Seeing some of the world’s mightiest enterprises falling prey to hackers is now commonplace.
All these security breaches give enterprises and end users just one important lesson to learn – it is time to seriously consider using a password manager!
How does a data breach in one website affect end users?
It is quite common for users to use the same login credentials for multiple social media sites, websites, and applications. Making matters worse, some users tend to use the same password for all accounts, from email and social media through to banking, brokerage and finance accounts. In this globally connected world, a data breach in Europe could affect an end user in Malaysia!
If a password gets exposed at any site, then in all probability hackers can easily gain access to the user’s accounts at other sites too.
So, it is always prudent to have unique passwords for every website and application, and supply it ONLY on that site/app. When there is news of an enterprise site hack which has led to passwords being compromised and stolen, you can just change the password for that single site/app.
Changing passwords frequently is also a wise habit to learn.
But, here is the problem. You will have to remember multiple passwords, perhaps tens or even hundreds. It is quite likely that you will forget passwords, and eventually have difficulty logging in.
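As an added illustration (not code from the original post), a small Python check over a constructed vault shows the point above concretely: with a reused password, one site's breach exposes every account sharing it, whereas with unique passwords only the breached site needs rotating. Site names and passwords are invented placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site, username, password) for illustration only.
# The first four entries reuse one password, as the article warns against.
SAMPLE_VAULT = [
    ("mail.example", "alice", "Winter2012!"),
    ("social.example", "alice", "Winter2012!"),
    ("bank.example", "alice", "Winter2012!"),
    ("pizza.example", "alice", "Winter2012!"),
    ("broker.example", "alice", "k7#Vq2pL!xR9mZ"),
]


def fingerprint(password: str) -> str:
    """Short hash so reuse can be compared without passing plaintext around."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def reuse_groups(vault):
    """Map (username, password fingerprint) -> sites sharing it, keeping only reused ones."""
    groups = defaultdict(list)
    for site, user, password in vault:
        groups[(user, fingerprint(password))].append(site)
    return {key: sites for key, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites whose login is also exposed if breached_site's credentials leak.

    An empty set means the breach is contained: only breached_site needs a new password.
    """
    breached = {(user, fingerprint(pw)) for site, user, pw in vault if site == breached_site}
    return {site for site, user, pw in vault
            if site != breached_site and (user, fingerprint(pw)) in breached}


def rotation_plan(vault, breached_site):
    """Sorted list of every site whose password must change after breached_site is compromised."""
    if not any(site == breached_site for site, _, _ in vault):
        return []
    return sorted(blast_radius(vault, breached_site) | {breached_site})


if __name__ == "__main__":
    print("reused credentials:", reuse_groups(SAMPLE_VAULT))
    print("rotate after pizza.example breach:", rotation_plan(SAMPLE_VAULT, "pizza.example"))
    print("rotate after broker.example breach:", rotation_plan(SAMPLE_VAULT, "broker.example"))
```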
The way out: use a Password Manager
In order to combat cyber-threats, proper password management should ideally become a ‘way of life’. Password Managers help to securely store all your logins and passwords. In addition, you have the option to launch a direct connection to the websites / applications from the password vault’s GUI itself. This even saves you the ‘Copy & Paste’ task, so logging in is never more than a click away. Once you deploy a Password Manager, you can say goodbye to password fatigue and security lapses.
Enterprises – time to step up! You may be the next victim!
It is worthwhile to draw lessons from the cyber-incidents in the recent past, as they might help you learn how to prevent security incidents affecting your enterprise in the future.
Traditionally, keylogger trojans (which monitor keystrokes, log them to a file, and send them to remote attackers), cross-site scripting (which enables malicious attackers to inject client-side script into web pages viewed by other users, and then use the information captured to bypass access controls) and viruses have been the most frequently used attack vectors.
Improper management of Administrative Passwords, which are often aptly referred to as the ‘Keys to the Kingdom’, is a key security risk. Passwords of enterprise IT resources are often insecurely stored in spreadsheets, text files, and even on pieces of paper. Haphazard password management can make enterprises a paradise for hackers.
Another undeniable risk is the potential for sabotage caused by employees within the enterprise. Disgruntled staff, greedy techies, and sacked employees have been involved in many such security incidents around the world.
A breach of trust could occur anywhere, leading to grave consequences. A lack of well-defined internal controls and access restrictions can easily pave the way for a serious security incident.
Tightening internal controls – the magic mantra
Unfortunately, enterprises often place little importance on crucial administrative password management until a security incident or identity breach surfaces. This negligence can result in an exorbitant cost. Many such security breaches stem from lack of adequate password management policies and poor internal controls, and could be avoided by placing tighter internal access restrictions and well-defined password policies.
Access to IT resources should strictly be based on job roles and responsibilities. Access restrictions alone are not enough. There should be well-defined audit records allowing ‘who accessed what and when’ to be traced with confidence. The best way to achieve this is to deploy a Privileged Password Management Solution, replacing manual processes, and helping to achieve optimum security.
Privileged Password Managers like ManageEngine’s Password Manager Pro help by securely storing the privileged identities in a centralised vault, restricting access to the identities, and automating the identity/password management activities.
This helps organisations to take total control of all privileged identities. Enterprise class password managers offer advanced protection to IT resources by helping establish access controls to IT infrastructure, and seamlessly video record and monitor all user actions during privileged sessions, providing complete visibility of privileged access.
To summarise, not all security incidents can be prevented or avoided, nor will privileged password management software act as a panacea for all cyber security incidents.
But many security incidents happen due to lack of effective internal controls, and are indeed preventable. Enterprises should take preventive action to combat cyber-criminals, to avoid locking the stable door after the horse has bolted!
V Bala is Product Marketing Manager for ManageEngine.