Saturday, May 08, 2010

DO YOU KNOW WHO OWNS THAT BUNCH OF KEYS?

Sometime in the not-too-distant past we used to lock secret office documents in metal file cabinets. The more powerful the manager, the more keys he or she carried and jangled. Juniors generally had only one key, the one that opened their desk drawer. Fortunately those days are long gone; the huge bunch of keys has disappeared and no longer denotes seniority. However, the concept is still with us, albeit with an electronic twist. Instead of physical keys we now have electronic keys, which are passwords, and seniority is denoted by the privileges assigned to those passwords.

The most widely known account with maximum privileges in hardware and software is the administrator. In databases it is the Database Administrator (DBA), and on a Unix platform it is root. Passwords with these privileges are our modern bunch of jangling keys, because where you are on the corporate hierarchy is directly proportional to the system password privileges you hold.

Knowing how many of these privileged passwords exist and who is assigned to them is an information security priority for any organization. It is therefore important to conduct an inventory of these passwords.

Given the multi-layered information technology framework in most organizations, conducting an inventory of these passwords is not as easy as it sounds. The starting point would most likely be the PCs, each of which comes with an administrator account that can access the computer without restriction. Beyond that are privileged passwords for firewalls, servers, routers, databases, anti-virus programs, etc.

The dangers and risks inherent in these privileged passwords cannot be overstated. Anybody with the slightest interest can use Google to search for information about privileged identities, and from there learn how to acquire them using pre-written software scripts freely available on the internet.

Regulations, therefore, need to be implemented. In organizations where password regulations are absent or lax, the IT security and audit departments are wholly responsible.

The best practice is to implement regulations that tie privileged identities to personal ones, and to keep a paper trail as a backup.

In sum, a security-conscious organization should first conduct an inventory of its privileged passwords. Second, any activity performed with these passwords should be tied to real-life individuals. Both can be achieved with automated software solutions that are readily available on the internet.
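One way to carry out the first of those two steps on a single Unix host, as an added example that is not the author's code: it parses constructed passwd, group and sudoers files, lists every account holding root-level privilege and why, and flags the ones that are not tied to a named person. The sample accounts and the "GECOS field names the owner" rule are assumptions made for the example.

```python
import re

# Constructed sample files for one Unix host (not data from any real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:1002:Bob Jones:/home/bob:/bin/bash
dbadmin:x:1003:1003:shared DBA login:/home/dbadmin:/bin/bash
svc-backup:x:1004:1004::/var/backup:/usr/sbin/nologin
"""
GROUP = """root:x:0:
wheel:x:10:alice,dbadmin
sudo:x:27:bob
"""
SUDOERS = """root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Hypothetical naming rule: a personal account's GECOS field holds the owner's
# name (two capitalised words); anything else is a shared or service login.
PERSON_GECOS = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+$")

def privileged_accounts(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Map each account holding root-level privilege to the reasons it has it."""
    members = {}
    for line in group.splitlines():
        name, _, _, users = line.split(":")
        members[name] = [u for u in users.split(",") if u]
    sudo_users, sudo_groups = set(), set()
    for line in sudoers.splitlines():
        who = line.split()[0]  # the user or %group this rule grants to
        (sudo_groups if who.startswith("%") else sudo_users).add(who.lstrip("%"))
    found = {}
    for line in passwd.splitlines():
        user, _, uid, _, _, _, _ = line.split(":")
        reasons = ["uid 0"] if uid == "0" else []
        if user in sudo_users:
            reasons.append("sudoers entry")
        reasons += [f"member of %{g}" for g in sorted(sudo_groups) if user in members.get(g, [])]
        if reasons:
            found[user] = reasons
    return found

def unattributed(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Privileged accounts whose GECOS names no individual: each must be mapped to an owner."""
    gecos = {l.split(":")[0]: l.split(":")[4] for l in passwd.splitlines()}
    return sorted(u for u in privileged_accounts(passwd, group, sudoers) if not PERSON_GECOS.match(gecos[u]))
```

The accounts returned by `unattributed()` are the ones the second step (tying activity to a real person) cannot cover until an owner is recorded for them.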
