Companies' haphazard processes for managing administrative or other privileged accounts are putting them at risk of security breaches, according to a new global security survey.
The survey, conducted by Dimensional Research and sponsored by Dell, found that 83 percent of respondents face numerous challenges with managed privileged accounts and administrative passwords. That's not to say they lack procedure for securing them — nearly 80 percent say they have a defined process for managing them — but they're not diligent about it.
For instance, 37 percent of respondents said default admin passwords on hardware and software are not consistently changed. Thirty-seven percent of respondents also said multiple admins share a common set of credentials, and 31 percent said they were unable to consistently identify individuals responsible for administrator activities.
[ Related: CISO bets on cloud security services to protect data ]
While more than 75 percent of respondents said they have a defined process for changing the default admin password on hardware and software as new resources are brought into the organization, only 26 percent said they change admin passwords monthly or more frequently. Twelve percent of respondents said they only change admin passwords in the event of a potential security threat against the business and four percent said they never change admin passwords.
Prone to human error
Another factor is the use of manual processes for managing privileged accounts. The survey found that nearly 30 percent of respondents say their organization still uses manual processes like spreadsheets to manage privileged accounts. These manual processes are prone to error and easily compromised, says Jackson Shaw, senior director, Product Management, at Dell Software Group. They also impede quick resolution in time-critical situations.
"It's like we're not seeing security breaches nearly every day," Shaw says. "Identity is the new attack vectors. Hackers are trying to get in, and they're using people's user credentials. Then they're hopping around until they get a privileged account."
Dimensional Research surveyed 560 IT professionals with responsibility for security for the study. Participants came from the U.S., U.K., Germany, Australia and New Zealand.
[ Related: Boards are getting more involved in cybersecurity, but is it enough? ]
The survey respondents said that the implementation of delegation — the caoability to implement a least-privileged model of admin activity in which administrators are only given sufficient rights to do their job — and password vaulting (the ability to automate storage, issuance and changing of administrative credentials) as the practices that are most critical to critical account management in their organization. But fewer than half said they have a regular cadence of recording, logging or monitoring administrative or other privileged access.
"Privileged accounts really are the 'keys to the kingdom', which is why hackers seek them out and why we've seen so many high-profile breaches over the past few years use these critical credentials," John Milburn, executive director and general manager, Identity and Access Management, Dell Security, said in a statement. "To alleviate this risk and ensure these accounts are controlled and secured, it's absolutely crucial for organizations to have a secure, auditable process to protect them. A good privileged account management strategy includes a password safe, as well as least-privileged control to protect organizational assets from breaches."
How to build a privileged account management strategy
Shaw says a privileged account management strategy should take an integrated approach to addressing the challenges around privileged accounts, including the following best practices:
- Take an inventory of your organization's privileged accounts, including users, and the systems that use them.
- Ensure that privileged passwords are stored securely, and enforce strict requirements for access request and change management processes for privileged passwords.
- Whenever possible, ensure individual accountability and least-privileged access.
- Log and/or monitor all privileged access.
- Audit use of privileged access on a regular basis.