Confessions of a CTO

By | May 16, 2005

Maybe it’s the culture of Jerry Springer, Dr. Phil, and Oprah, but whatever is at the root of it, it seems that many CSOs and CIOs have suddenly decided to bare their souls and come clean, and as a result are discovering that like most things in life it does help to talk about your problems!

With the growing awareness of the need to protect information, and the almost daily reports of data theft, it is becoming increasingly difficult to ignore what is potentially a problem of enormous proportion in most organizations.

Most organizations as we know depend extensively on distributed computing architectures. And for every new device, new operating system, new piece of middleware, and any other new component requires another set of privileged accounts used by administrators and operators. And in many cases, organizations are unaware of just how many of these accounts may exist in a given application or system.

These privileged accounts provide access to the computing environment, frequently allowing unregulated access to files, programs, and data, and if they aren’t properly protected and managed, they represent a significant risk to any organization.

But privileged accounts aren’t easy to manage. They are usually shared among many people, sometimes left with default passwords, and are generally unkempt. The bottom line is that many organisations today are frighteningly exposed when it comes to the security of sensitive information within their organisations, and they simply have no idea how to solve the problem. In fact in many cases the IT management has simply gone into denial because they are aware that to expose the time-bomb that they are sitting on could very well cost them dearly. So in the end it comes down to a calculated risk, head in the sand, it won’t happen to us mentality, because they simply see no practical solution.

Here are some of the more common, stress related, professional suicide confessions that are common throughout the country:

• We’re supposed to change passwords regularly but don’t because we have no manpower

• We assign administrator rights to user accounts and we hope that no one will abuse this

• We never change default passwords because we might lose them and then how could the manufacturer ever access the system to fix it!

• We’ve solved the problem of passwords by giving every system and application the same password

• We have absolutely no idea how many administrative passwords we have

One of the most frequently heard confessions has to do with not following internal audit procedures. Many organisations have a plethora of systems and applications that can only be accessed using a shared identity, for example “administrator” or “root”. In order to avoid the misuse of these identities, auditors quite rightly recommend a policy of regularly changing these passwords. This presents the CIO or CSO with a dilemma. If they strictly adhere to the policy then it will mostly likely result in personnel being permanently tasked with changing passwords, and trying to securely distribute them to those who need access to them. The alternative is to do nothing in the hope it seems that no one will discover their inactivity.

Another serious issue is the admission that management turn a blind eye to bypassing procedures in order to avoid having to share a password among several individuals. In this case, the manager simply allows groups of people to be given the necessary privileges on their personal accounts. Apart from the confession that they frequently have absolutely no idea how many administrative accounts are actually in existence on all the systems, there is the increased risk of vulnerability. Just this month, Microsoft has announced that there is a vulnerability in certain versions of Windows, that could allow remote code execution if someone is logged on with administrative user rights. This would allow an attacker to hijack the session and install programs; view, change, or delete data; or create new accounts with full user rights. There is a patch available for this problem, but in the corporate environment, the IT staff cannot simply apply patches on a daily basis, especially when it impacts production servers, although who knows what someone with administrative privileges is up to!

“We have never changed the default password that was supplied by the manufacturer” is an often heard admission. There are major corporations whose entire networks are controlled by hundreds of routers and firewalls using the manufacturer’s default password. Because they have not been able to find any effective way to securely store and change these passwords they are simply left as default!

A definite leader in the confession list is the admission that every workstation in an organisation has the same password. One financial institution voluntarily admitted to having thousands of workstations with the same administrator password with no idea how to change this! Although they generally accept that this is a huge security hole, they did not see any realistic way of managing local administrator accounts on workstations.

An occasional confession but probably one that would be a serious number one contender if the truth really be told is that the CSO has absolutely no idea how different groups apply policies. It is not unusual to be sitting in meetings and find different groups arguing, and the poor individual tasked with compliance, holding their head in their hands. The simple truth in many organisations is that there is a lack of control over how different groups within IT manage sensitive information. In one meeting it emerged that those who managed the Windows servers and associated applications allowed outsourced personnel to have administrator privileges on their user accounts, while those who managed the Unix systems had a procedure where outsourced personnel required permission to have root access to systems. When asked if the company had an Emergency Envelope procedure, the two groups started to argue in front of the vendor to the complete dismay of the internal auditors who were sitting in the meeting!

There are many other examples that we have come across but these are sufficiently damning to the respective organisations, and it is certainly the case that these are not isolated incidents. To have some measure of appreciation of the problem, a quick search of the Internet for “default password list” will return over 1400 default user accounts and passwords associated with the many applications, database software, operating systems and network devices shipped by manufacturers, and in certain cases a default account that provides full access to an application will have no default password. Add to this the myriad of accounts created by organisations, and the potential to do serious damage is massive.

Mind you it may be that the willingness to confess has something to do with the conviction that the person hearing the confession has the means to help address the problem. So if you are looking to unburden your conscience, don’t worry, there are those who can help with software that can digital manage and organize your passwords for you, so that you’ll have one less confession to make!

Leave a Reply