Poor privileged account management practices leave security gap

Many European companies are sharing access to privileged accounts, according to a new study.

New research suggests many European companies are going against security best practices and allowing privileged accounts to be shared amongst groups of users.

Also referred to as admin, root or emergency accounts, these give users greater access privileges and control over parts of the system, as well as the ability to make damaging changes, either by accident or design.

But a new study of 270 companies shows that many organisations fail to monitor or control the use of privileged user accounts, which is in breach of most standards, including ISO 27001 and PCI DSS.

"Business managers would be shocked if they knew how much power some of their staff have, and how much damage they could inflict," said Bob Tarzey, a director of research consultancy at Quocirca Ltd., which carried out the study.

He explained that if accounts were shared between users, or not carefully monitored, then it would be impossible to identify who carried out what actions on any system. Poorly protected admin accounts are also often targeted by hackers.

Create a privileged account policy

Mark Diodati reviews how to secure user accounts with a policy that incorporates privileged account best practices.
The research found that privileged account management is given a low priority in most companies, where staff members are too busy dealing with more pressing problems, such as malware and Internet threats.

The study was commissioned and sponsored by IT management company CA Inc. The head of the company's security business in Europe, Tim Dunn, said: "Privileged user accounts need managing, as do privileged users. This all too often comes down to the privileged users policing themselves."

He said that privileged user accounts are often left with their default settings. "Commonsense says these should be changed immediately, but often they are not. When this is the case, it is not just internal privileged users that have access, but any hacker who may want to take a look at your data," he said. Dunn cited the example of British hacker Gary McKinnon, who broke into Pentagon systems having gained much of his access through privileged user accounts that had been left with the default settings.

Dunn said that while most standards of good practice advocate a principle of least privilege -- where users can view only what they need, for as long as they need it -- in practice, poor privileged account management allows users to have "the keys to the kingdom," with the ability to view files they had no need to see.

Also, revocation of accounts should be tightened up so access rights do not continue after they are no longer needed, he said. For example, rogue trader Jérôme Kerviel was only able to manipulate the systems at financial-services company Société Générale in 2008, resulting in losses valued at approximately 4.9 billion euros, because he had worked in the back office previously and had maintained his access rights.

The Quocirca research covered 14 European countries and focused on large corporations from a range of industrial sectors, including government. It found that even companies that had claimed to have implemented the ISO 270001 standard still allowed sharing of privileged accounts, even though the standard requires that "the allocation and use of privileges shall be restricted and controlled."

In addition, the Payment Card Industry Data Security Standard (PCI DSS) recommends "auditing all privileged user activity," which is impossible with a shared account.

Tarzey said organisations should try to automate how they manage accounts. "Manual methods are inefficient, and they cannot be properly audited," he said. "You need to be able to link into your identity and access management system."

The main reasons for companies not doing more, according to the research, were a lack of budget and a general lack of awareness of the problem.

CA's Tim Dunn said responsibility for privileged account management should be taken out of IT and owned by business and risk managers. "You can't delegate this to IT and let them police themselves," he said. Dunn added that log files should also be properly secured so that they could not be altered.

Read more on Identity and access management products