By: V Balasubramanian, Marketing Manager - IT Security Solutions, ManageEngine, a division of ZOHO Corp
Published: 2nd January 2013
Copyright ManageEngine, a division of ZOHO Corp © 2013
If you have the habit of using the same password for all your online accounts, you might end up becoming a cyber-attack victim!
2012 was fabulous on many counts, but when it comes to information security, it was a year of high-profile security breaches and identity thefts across the globe. Individual users and mighty enterprises alike have fallen prey to hackers. High-profile cyber-attack victims this year include Zappos.com, one of the largest online retailers dealing with shoes and apparel; LinkedIn, Dropbox and numerous others.
And in early December 2012, a shocking report revealed that a disgruntled IT administrator at a Swiss-based spy agency had allegedly downloaded terabytes of counter-terrorism information shared among the intelligence agencies in US & UK and was looking to sell it to foreign and commercial buyers.
If you dig into most of the cyber-security incidents reported this year, you will realize that password reuse and insider threats emerged as the most dangerous IT security issues in 2012. Incidentally, the solution to combat both issues lies in deploying a Password Manager!
Password Reuse Affects All – Individuals & Enterprises Alike
With even tech-savvy users tending to reuse the same password across many IT applications and websites, identity theft at one place leads to a compromise at numerous other places. Nowadays, it is quite common for users to use the same login credentials for multiple sites: social media, banking, brokerage and other business accounts. If the password gets exposed on any of those sites, in all probability hackers will be able to easily gain access to all your other accounts too.
If you have the habit of using a single master password for all your accounts, be prepared for security surprises and shocks!
It is always prudent to have a unique password for every website and application and to supply it ONLY on that site/app. When there is news of a password exposure or hack, you can just change the password for that site/app alone. Changing passwords frequently is also a great habit to have.
But here comes the problem: you will have to remember multiple passwords, sometimes in the order of tens or even hundreds. It is quite likely that you will forget passwords and, when you need them most, struggle to log in.
The way out: Use a Password Manager
Just as you have an email account, consider using a password management application too. In order to combat cyber-threats, proper password management should ideally become a way of life. Password Managers help securely store all your logins and passwords in a centralized repository. In addition, you will get an option to launch a direct connection to the websites / applications from the password vault’s GUI itself. Saving you even the ‘Copy & Paste’ task, logging in is just a click away. Once you deploy a Password Manager, you can say goodbye to password fatigue and security lapses.
Insider Threat – The Emerging Issue for Businesses
Password Managers could safeguard business enterprises from yet another emerging threat. As things stand today, the biggest threat to the information security of your enterprise might be germinating right inside your organization. The business and reputation of some of the world’s mightiest organizations have been shattered in the past by a handful of malicious insiders, including disgruntled staff, greedy techies and sacked employees.
In most of the reported cyber sabotages, misuse of Privileged Access to critical IT infrastructure has served as the ‘hacking channel’ for the malicious insiders to wreak havoc on the confidentiality, integrity and availability of the organization’s information systems, resulting in huge financial losses. In government agencies, insider threats might even jeopardize the security of the Nation.
It is common to see organizations storing privileged passwords that grant virtually unlimited access privileges in a haphazard manner in volatile sources like paper, text files and Excel sheets. Lack of internal controls, access restrictions, centralised management, accountability and strong policies and, to cap it all, a haphazard style of privileged password storage and management make the organization a paradise for malicious insiders.
Tightening Internal Controls – Need of the Hour
One of the effective ways to combat insider threats is to tighten internal controls. Access to IT resources should strictly be based on job roles and responsibilities. Access restrictions alone are not enough. There should be clear-cut trails on ‘who’ accessed ‘what’ and ‘when’.
Internal controls can be bolstered in organizations by automating the entire life cycle of Privileged Password Management and enforcing best practices. Enterprise Password Management Solutions help achieve precisely this.
Deploying a password management solution would indeed be the best start towards information security this year!
Posted: 2nd January 2013 | By Advent IM :
Good to see you talking about Insider Threat too. I read far too many articles with the focus on 'cyber' which is very misleading and creates vulnerability by all but ignoring human threat from the inside, whether it is malicious or just plain daft behaviour.
Posted: 2nd January 2013 | By V Balasubramanian (Author):
IT Security Researchers repeatedly point out that insider threats and identity theft incidents are on the rise and it will only keep growing due to many reasons, including economic situation, social factors and technological advancements that make the tech-savvy criminals more creative every passing day!
Posted: 2nd January 2013 | By Aaron1 :
The use of a password management tool is indeed the way out of it. I personally use SplashData's SplashID Safe. They released a version that is highly advantageous for IT projects where multiple-user level password sharing and management is securely facilitated.
Posted: 3rd January 2013 | By Scott Weil :
Let me go one step further. The issue that haunts information security is that we have so few real practitioners. Mr. Balasubramanian, most people know they should use unique passwords, but so few people actually do it. Most people think they know the importance in operational security of establishing system baselines, but few people know how to do that. Most people know the importance of reviewing logs to see deviations from the baseline, the indication of a breach, but few people take the time to review the logs or even automate the review of the logs. Most people can spell IT Controls, but few actually take the time to implement 2 or 3 controls fully. Good security is simple. That doesn't mean it is easy, but it is simple if one follows the disciplines described in your article.
Posted: 3rd January 2013 | By V Balasubramanian (Author):
Well said, Scott Weil. Excellent analysis. Security best practices should become a way of life, if one wants to overcome the perils.
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
Published by: IT Analysis Communications Ltd.