| Recommendations |
|---|
| Management of privileged users should not be left to IT |
| All default privileged user accounts should be closed |
| No privileged user accounts should be shared |
| Privileges should be kept up to date, limited to real needs |
| Businesses should enforce segregation of duties for privileged users |
| Log files should be secure to prevent tampering by privileged users |
| Automated tools should be used to enforce best practices |
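Four of the recommendations above (close default accounts, do not share accounts, keep privileges current, enforce segregation of duties) can be checked mechanically against an inventory of privileged accounts. The script below is an added example written for this article, not a tool from CA or Quocirca; the inventory layout, the list of vendor-default account names, the conflicting-role pairs, the 90-day review window and the sample accounts are all constructed assumptions.

```python
"""Audit a privileged-account inventory against the report's recommendations.

Added example; not from the survey or from CA/Quocirca. The inventory format,
the default-name list, the conflicting-role pairs and the review window are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: well-known vendor-default privileged names that should be disabled.
DEFAULT_ACCOUNT_NAMES = {"administrator", "root", "sa", "admin"}

# Assumed segregation-of-duties policy: one person must not hold both roles.
SOD_CONFLICTS = {
    frozenset({"change_approver", "change_deployer"}),
    frozenset({"db_admin", "audit_log_admin"}),
}

# Assumed policy: every privilege must have been re-certified within 90 days.
REVIEW_WINDOW = timedelta(days=90)


@dataclass
class PrivilegedAccount:
    name: str
    system: str
    owners: list[str]       # people who hold the credential
    roles: set[str]
    last_reviewed: date
    enabled: bool = True

    @property
    def ident(self) -> str:
        return f"{self.system}/{self.name}"


def find_default_accounts(accounts):
    """Enabled accounts still using a vendor-default name."""
    return [a for a in accounts if a.enabled and a.name.lower() in DEFAULT_ACCOUNT_NAMES]


def find_shared_accounts(accounts):
    """Enabled accounts whose credential is held by more than one person."""
    return [a for a in accounts if a.enabled and len(a.owners) > 1]


def find_stale_privileges(accounts, today):
    """Enabled accounts not re-certified within the review window."""
    return [a for a in accounts if a.enabled and today - a.last_reviewed > REVIEW_WINDOW]


def find_sod_violations(accounts):
    """People who, across all systems, hold a conflicting pair of roles."""
    roles_by_person: dict[str, set[str]] = {}
    for a in accounts:
        if not a.enabled:
            continue
        for person in a.owners:
            roles_by_person.setdefault(person, set()).update(a.roles)
    return sorted(
        (person, tuple(sorted(pair)))
        for person, roles in roles_by_person.items()
        for pair in SOD_CONFLICTS
        if pair <= roles
    )


def audit(accounts, today):
    """Return findings keyed by recommendation, each a sorted list of identifiers."""
    return {
        "default_accounts_enabled": sorted(a.ident for a in find_default_accounts(accounts)),
        "shared_accounts": sorted(a.ident for a in find_shared_accounts(accounts)),
        "stale_privileges": sorted(a.ident for a in find_stale_privileges(accounts, today)),
        "sod_violations": [f"{p}: {' + '.join(pair)}" for p, pair in find_sod_violations(accounts)],
    }


# Constructed sample inventory (not real systems or people).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("Administrator", "dc01", ["alice"], {"domain_admin"}, date(2024, 5, 20)),
    PrivilegedAccount("sa", "sql01", ["bob", "carol"], {"db_admin"}, date(2024, 1, 2)),
    PrivilegedAccount("svc_deploy", "ci01", ["bob"], {"change_deployer"}, date(2024, 5, 1)),
    PrivilegedAccount("chg_approve", "itsm", ["bob"], {"change_approver"}, date(2024, 5, 1)),
    PrivilegedAccount("root", "legacy01", [], {"os_admin"}, date(2022, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for category, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{category}: {findings or 'none'}")
```

Each finding maps to one row of the recommendations table, and the checks only consider enabled accounts, so a default account that has already been closed (the disabled `root` entry) is not reported. The segregation-of-duties check aggregates roles per person across every system, which is what catches the sample case where the approver and deployer roles are granted through two different accounts.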
Bad practice in managing privileged IT users is threatening
the security of European organisations, a study has
revealed.
Despite their trusted position, privileged users are frequently
the weakest link in the corporate security chain, according to the
study by research firm Quocirca.
Poor management, inefficient manual processes and lack of
awareness are widespread in the more than 270 European companies polled
in a survey commissioned by IT management software firm CA.
"Privileged users are a prime target for hackers because they hold
the keys to the kingdom," said Tim Dunn, vice-president of CA's
security management business in EMEA.
For this reason it is important for businesses to manage
privileged users more effectively instead of relying on them to
police themselves, he said.
The fact that any mistake by a privileged user can have a
serious operational or security impact on the business, and the fact
that these users can turn rogue, are two further key reasons for
the business to ensure greater control, said Bob Tarzey, analyst
and director at Quocirca.
The study revealed that although most European businesses are
adopting IT management standards like ISO 27001, 36% of those
certified admitted to non-compliant practices such as sharing
privileged user accounts and using default user names and passwords
for these accounts.
An average of 50% of survey respondents admitted that their
organisations allowed the sharing of privileged accounts across the
various IT systems including databases and security
applications.
Only 44% of UK organisations could confirm that administrator
accounts were not shared.
"Where privileged accounts are shared, businesses have no idea
who is doing what, so there is no real accountability," said
Tarzey.
Many organisations are failing to monitor the actions of
privileged users and some are not even aware of all the privileged
user accounts that are in operation, he said.
The survey showed that some 60% of organisations that claimed to
have implemented the ISO 27001 standard had no tools to control
privileged users.
Despite the availability of privileged user management systems,
only 26% of European organisations surveyed have deployed them in
full.
"The biggest reasons are lack of budget, lack of awareness of
the threat, lack of expertise and failure to see IT security as a
business enabler," said Tarzey.
According to Tarzey, the introduction of automated tools is the
only way businesses can hope to manage privileged users
effectively.
The survey revealed that 29% of UK organisations rely on manual
controls, but these are time-consuming, expensive, unreliable and
most importantly un-auditable, said Tarzey.
Businesses need to use purpose-built tools to manage user
accounts, assign privileged user account access and provide
continual monitoring of privileged user activity, he said.