Study: Security pros still grappling with lax password policies

Share this article:
Court rules that Google’s data collection practices are not exempt from federal wiretap law.
Court rules that Google’s data collection practices are not exempt from federal wiretap law.

Passwords and cloud security are still causing headaches for IT security professionals, with 13 percent of respondents to Lieberman Software's "2014 Information Security Survey" saying that they can still access systems at a previous place of employment by using old credentials.

Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.

Surveying in person close to 280 IT security professionals — more than 55 percent of whom worked in organizations with 1,000 or more employees — at the RSA Conference 2014 in San Francisco, Lieberman Software also found that nearly 20 percent either do not have, or don't know if their organizations have, a policy for cutting off access to employees and contractors when they leave the company.

Quite a few respondents — nearly one in four — say their organizations don't change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.

Referring to privileged accounts as “the keys to the IT kingdom,” Philip Lieberman, CEO of Lieberman Software, told SCMagazine.com in a Wednesday email correspondence that “it's astonishingly common” in corporate and government networks for the administrator passwords of these “'god' accounts to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records – bad policies all.”

Those security professionals surveyed also indicated some wariness of the cloud, with 80 percent saying they'd choose instead to keep the most sensitive information on their own networks. And, almost three-quarters contend that the cloud applications downloaded by users create security challenges.

The survey notes that by not controlling privileged user access, a persistent problem in many organizations, and failing to adequately secure passwords, organizations are leaving themselves open to attack.

“The high frequency of data breaches can be expected to continue - if not grow,” the Lieberman Software noted in its analysis of the survey results.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.