Everyone hates passwords – except the people who abuse them

Managing privileged accounts without the paranoia

Tweet

The abuse of privileged user accounts has become the dangerous dry powder keg sitting at the heart of networks. Examples litter recent history, from the revelations of turncoat NSA insider Edward Snowden to the super-pwning of US retailers Target and Home Depot, and a thousand advanced persistent threat (APTs) hacks plaguing organisations across the known universe.

Every one of these incidents will have involved the abuse of defenceless passwords at some point, the critical credential handed out to the minor deities we call admins. In the wrong hands, a simple password for a critical asset offers power with no accountability, while even in the right hands it is a risk avoided by little more than naïve assumptions.

It’s hard to believe that passwords were once seen as being like simple keys. These days they are as likely to be turned against their masters, opening doors into the heart of an organisation. The worry is that modern IT has large numbers of them popping up everywhere, wrapped inside different types of privileged account.

These accounts include:

• Maintenance accounts
• Application-to-application (A2A) accounts
• Default accounts on devices
• Privileged network admin accounts (Linux ‘root’)
• Domain admin accounts
• Key external and web accounts
• Hard-coded passwords
• Cloud application passwords/credentials

Some of these are accessible by third parties accessing specific systems, and by contractors or temporary staff who need privileged access to do their jobs via RDP, SSH or telnet.

If passwords cause so many problems, why on earth do organisations still rely so heavily on them?

One answer is that the password is universal, and for the most part cheap to use. People understand them and applications are coded to expect them. Passwords can be strengthened with extra layers of authentication and convenience through two-factor authentication and single sign-on (allowing multiple services to be accessed through one login).

The problem is that not all passwords are created equal: some come with more power and risk than others.

An increasingly common solution is an advanced password management system that forms the core of many an organisation’s credential security. Not that long ago, this function would have been as basic as a password-protected spreadsheet listing important passwords, along with the admins they were assigned to. This approach, we now know, is powerless when faced with data-stealing cyber attacks.

An alternative is to use some form of management system to automate the increasingly complex processes surrounding privileged passwords and their binding to specific credentials. These range from secured password vaults right up to full-blown credential and monitoring systems capable of looking after other types of asset such as SSH keys and digital certificates.

It’s important to distinguish between tools that enforce password policies on a user population (enforcing complexity and managing password changes), and those doing the same for privileged users. This is always more demanding because such accounts can be used to bypass controls.

Implementations vary from vendor to vendor, but good systems should always offer one or more of a common set of features.

Account discovery

The base layer of any password management system is a comprehensive inventory of all the privileged accounts used across an organisation, divided up by environment (Windows domain, Linux or virtualised servers, specific devices). This will also break down accounts by type (privileged, shared and so on).

It’s essential not only to list accounts but to find ones that might have been forgotten, going back to the year zero. Periodic account discovery is recommended to scan for new accounts, particularly if they lurk beyond the safe confines of Windows Active Directory.

Password lifecycle

Privileged passwords should obviously be changed on a regular cycle that enforces complexity and length. There is always a balance here between convenience (not changing passwords too often or making them too long) and security (the need to stick to policies).

Static passwords for service accounts should be banished and passwords should always be encrypted, whether held in storage or in transit.

Automation

Manual intervention should be anathema for important operations such as monitoring password policies for compliance, as well as enforcing additional security checks and time limitations for critical account types.

When staff need access to specific resources, this can also be brokered by password management. The ability to change hard-coded passwords without breaking processes is important.

Password and session monitoring

This has multiple dimensions, starting with monitoring when passwords are changed by privileged users – the function of “watching the watchers” so that no privilege insiders can bypass security policies.

In addition, session monitoring is increasingly seen as an important new dimension of password management. It’s about building a wider picture of how privileged credentials are being used in real time to spot anomalies.

As ever, it goes beyond simply watching or shadowing how accounts are being used – systems must also support forensic logging in case investigations are required. This can involve keystroke recording and even video recording.

Monitoring is normally agentless with encrypted storage of recorded sessions while allowing simple search facilities. Integration with SIEM platforms offering alerting is another possibility.

Reporting and auditing

Central to any platform is a reporting function that gives a clear overview of how privileged accounts and passwords are being used, including changes made between within given time periods. This data should also be protected from tampering, including by limiting access to specific IPs.

Specific compliance regimes demand passwords that meet certain criteria, for example PCI DSS’s insistence that a minimum of seven complex characters are used and changed within 90 days.

Conclusion

Ultimately, the key to controlling privileged passwords is understanding that they are an elevated and temporary permission, and not the God-given credential of old that organisations took at face value.

The administrators who wield them are powerful and fallible, and must be treated with the same care as anyone else.