I must confess. I am a little surprised by the media’s response and coverage of the eBay information security breach where hackers gained access to the personal data of 145 million customers over a four month period. During this time, cyber criminals accessed a database containing customer names, their email addresses, birth dates, encrypted passwords, physical addresses and phone numbers. What also surprises me is the response of information technology leaders who seem oblivious to the possibility their systems are at risk of being breached while they read this sentence.
You may recall my last post on this topic relating to Target organized cyber crime. In retrospect, the irony of that blog is that when it was posted in February, while many choked down the words, “it will never happen here,” hackers were establishing a beachhead inside of eBay. If I’m an information security leader, rather than asking “could it happen to us?” I would start asking, “Where is it happening now?”
Information Security Damage Control
I am surprised by the media’s response because it seemed to focus on educating users about password security best practices. While USA Today encouraged consumers to not reuse the same password on multiple sites, Forbes encouraged readers to think of unpredictable passwords and Mashable reminded everyone of the benefits of regularly changing passwords.
I would hope someone would recommend educating IT organizations on policing their operations, administrators, and administration activities. In the case of eBay, none of the recommendations mentioned would stop the breach. Customers were not the ones who posed the IT security threat. Customers were not at fault for using weak passwords. Even with routinely changing passwords, one would experience periods of vulnerability over a four-month period.
The recommendations cited are intended to mitigate potential customer damage. They do not address the security threat posed by privileged user accounts and identities.
Privileged Account Management Threats
With the help of federal investigators, eBay determined the intrusion happened when a "small number of employee log-in credentials" were compromised giving cyber criminals access to eBay’s corporate systems. Lack of privileged account management controls created such a public outcry to protect customer data that it cost Target CEO Gregg Steinhafel his position. As for eBay CEO John Donahoe, he seemed to better manage the PR accountability backlash. At the same time, whether eBay’s board of directors takes a similar course of action remains to be determined.
In a recently published survey of information security professionals by Lieberman Software, over 13% of IT security professionals indicate they can access previous employers’ systems using old credentials. Additionally, one out of four organizations do not change account passwords within the 90-day time frame cited by most compliance regulations. For most enterprises, the potential number of unauthorized administrators with privileged account access to critical systems represents a sobering figure and a formidable threat.
Privileged Account Management Controls
Last year the Edward Snowden NSA scandal and Target information security breach highlighted an organization’s vulnerability to rogue and compromised administrators. Each case represents a contractor’s unauthorized use of access privileges. If you are not doing so already, start deploying strict privileged account management controls immediately.
To minimize unauthorized use of privileged credentials, an enterprise should replace their legacy systems. In its place, deploy instead an identity manager with the following capabilities:
- Automate user provisioning and access management for new hires and transfers. Stop grandfathering privileges when users change roles. Also, use workflow to ensure access is appropriately approved.
- Automate the termination of accounts when employees and contractors leave.
- Enforce a strong password policy and apply a different password policy for administrators with stricter expiration and strength rules.
- Stop the practice of shared and static passwords. Require two-factor/multifactor authentication for privileged account access to critical systems.
- Leverage unmanned administration to receive real time unusual activity alerts. In Target’s case unmanned administration would have detected and reported the abandoned servers used as a beachhead for the assault.
- Automate group membership management and provisioning.
- Deploy robust auditing capabilities including integration of password management into a SIEM solution.
- Initiate directory cleanup and directory audits to validate privileged identities and user accounts with out-of-norm privileges.
According to a Symantec global 2013 Cost of Data Breach Study, information security breaches costs American companies on average $5.4 million. As more high-profile breaches, like at eBay, Target, Adobe, Bitly, and the NSA surface, organizations need to assume privileged credentials are being used to engage in unauthorized activities. While external attacks remain more common, attacks by insiders are more damaging to an organization, its customers, and brand. For this reason, an identity management system with privileged account management controls becomes essential to avoiding the cost and damage of an eBay-like security disaster.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.