Study: Security pros still grappling with lax password policies

Passwords and cloud security are still causing headaches for IT security professionals, with 13 percent of respondents to Lieberman Software's "2014 Information Security Survey" saying that they can still access systems at a previous place of employment by using old credentials.

Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.

Surveying in person close to 280 IT security professionals — more than 55 percent of whom worked in organizations with 1,000 or more employees — at the RSA Conference 2014 in San Francisco, Lieberman Software also found that nearly 20 percent either do not have, or don't know if their organizations have, a policy for cutting off access to employees and contractors when they leave the company.

Quite a few respondents — nearly one in four — say their organizations don't change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.

Referring to privileged accounts as “the keys to the IT kingdom,” Philip Lieberman, CEO of Lieberman Software, said in a Wednesday email that “it's astonishingly common” in corporate and government networks for the administrator passwords of these “'god' accounts to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records – bad policies all.”

Those security professionals surveyed also indicated some wariness of the cloud, with 80 percent saying they'd choose instead to keep the most sensitive information on their own networks. And, almost three-quarters contend that the cloud applications downloaded by users create security challenges.

The survey notes that by not controlling privileged user access, a persistent problem in many organizations, and failing to adequately secure passwords, organizations are leaving themselves open to attack.

“The high frequency of data breaches can be expected to continue - if not grow,” Lieberman Software noted in its analysis of the survey results.

Lieberman said he wasn't surprised by the results.

“Investments in security for technology, people and processes have been meager, at best, in most organizations for many years,” he said. “Organizations tend to focus on ROI rather than maintaining continuity,” he explained, which has “strongly discouraged” those in the C-suite from “implementing anything other than the minimum security required by law.”

A breach ups interest in investing in security, but not for long, Lieberman said. With a “half-life mentality” companies loosen the purse strings in the wake of a data breach, “diminishing back to basic security after a few months.”

He recommended that organizations “get control over privileged accounts,” at first by “generating unique and complex passwords for every individual account on the network – and changing these passwords frequently (no more shared or static passwords).” He cautioned that companies should securely store existing passwords and only make them available to “delegated personnel, for audited use, for a limited time (no more anonymous and unlimited privileged access – for anyone).”

Lieberman also advocated for developing a risk score for privileged users.

“That way, when users exhibit poor behavior while logged into their powerful privileged accounts, you can be immediately alerted and respond to the threat,” he said.
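The controls described above (unique, regularly rotated passwords; delegated, time-limited and audited use of privileged accounts; cutting off access when someone leaves; a risk score derived from how privileged users behave) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Lieberman Software or the article. The class, account names, the one-hour check-out window and the risk weights are all assumptions made for illustration; the 90-day rotation limit is the figure the survey cites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rotation window the survey cites as the usual regulatory expectation.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class PrivilegedAccount:
    name: str                       # e.g. "svc-backup@db01" (constructed sample)
    last_rotated: datetime
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None


@dataclass
class AuditEvent:
    when: datetime
    user: str
    account: str
    action: str                     # "checkout", "denied" or "revoked"


class PrivilegedAccountVault:
    """Toy vault (hypothetical design): every use is delegated, time-limited
    and written to an audit log, so nothing is shared, static or anonymous."""

    def __init__(self, delegations: dict[str, set[str]]):
        self.accounts: dict[str, PrivilegedAccount] = {}
        self.delegations = delegations      # user -> accounts they may check out
        self.audit: list[AuditEvent] = []

    def add_account(self, account: PrivilegedAccount) -> None:
        self.accounts[account.name] = account

    def checkout(self, user, account, now, ttl=timedelta(hours=1)) -> bool:
        acct = self.accounts[account]
        held = acct.checkout_expires is not None and now < acct.checkout_expires
        if account not in self.delegations.get(user, set()) or (held and acct.checked_out_by != user):
            self.audit.append(AuditEvent(now, user, account, "denied"))
            return False
        acct.checked_out_by = user
        acct.checkout_expires = now + ttl
        self.audit.append(AuditEvent(now, user, account, "checkout"))
        return True

    def can_use(self, user, account, now) -> bool:
        acct = self.accounts[account]
        return (acct.checked_out_by == user
                and acct.checkout_expires is not None
                and now < acct.checkout_expires)

    def revoke_user(self, user, now) -> None:
        """Offboarding: drop all delegations and end any live check-outs."""
        self.delegations.pop(user, None)
        for acct in self.accounts.values():
            if acct.checked_out_by == user:
                acct.checked_out_by = None
                acct.checkout_expires = None
                self.audit.append(AuditEvent(now, user, acct.name, "revoked"))

    def stale_accounts(self, now) -> list[str]:
        """Accounts whose password has not been rotated within MAX_PASSWORD_AGE."""
        return sorted(a.name for a in self.accounts.values()
                      if now - a.last_rotated > MAX_PASSWORD_AGE)

    def risk_score(self, user, since, now) -> int:
        """Illustrative scoring: denied requests and off-hours check-outs weigh
        more than routine daytime use. The weights are assumptions."""
        score = 0
        for e in self.audit:
            if e.user != user or not (since <= e.when <= now):
                continue
            if e.action == "denied":
                score += 5
            elif e.action == "checkout":
                score += 1
                if e.when.hour < 7 or e.when.hour >= 20:   # outside business hours
                    score += 2
        return score


def demo() -> dict:
    """Constructed scenario exercising each control; returns the observed facts."""
    now = datetime(2014, 3, 5, 22, 30)          # 22:30: an off-hours check-out
    vault = PrivilegedAccountVault({"alice": {"svc-backup@db01", "root@web01"},
                                    "bob": {"root@web01"}})
    vault.add_account(PrivilegedAccount("svc-backup@db01", now - timedelta(days=200)))
    vault.add_account(PrivilegedAccount("root@web01", now - timedelta(days=10)))
    stale = vault.stale_accounts(now)                            # only the 200-day-old one
    alice_ok = vault.checkout("alice", "root@web01", now)        # delegated, free: granted
    bob_held = vault.checkout("bob", "root@web01", now)          # already held by alice: denied
    bob_nodel = vault.checkout("bob", "svc-backup@db01", now)    # not delegated: denied
    expired = vault.can_use("alice", "root@web01", now + timedelta(hours=2))  # window lapsed
    vault.revoke_user("alice", now)                              # alice leaves the company
    alice_after = vault.checkout("alice", "root@web01", now + timedelta(minutes=5))
    day = timedelta(days=1)
    return {"stale": stale, "alice_ok": alice_ok, "bob_held": bob_held,
            "bob_nodel": bob_nodel, "expired": expired, "alice_after": alice_after,
            "bob_risk": vault.risk_score("bob", now - day, now),
            "alice_risk": vault.risk_score("alice", now - day, now + day)}
```

Running `demo()` shows the stale service account flagged by the 90-day check, the second requester refused while the first holds the account, the check-out lapsing after its hour, the offboarded user refused on the next request, and two risk scores that separate the user who was repeatedly denied from the one who checked out off-hours.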
