Hello Security folks,
Please share your opinions around this topic as I could really use some useful info.
By privileged passwords we mean the passwords of the accounts used to manage critical infrastructure (routers/switches/firewalls, etc.), including servers, user workstations, etc.
I am pulling this topic out again as recently I encountered a few cases where companies still manage these on a sheet of paper locked in a drawer in the CIO's office, for example.
This obviously introduces lots of risks related to the lack of hashing/encryption, physical vulnerabilities, etc.
I guess there would be no argument that this is unacceptable nowadays at least for companies that deal with sensitive information.
I believe the question leads slightly into the debate around whether it's more secure to use local admin accounts or privileged network ones. I assume smaller companies use local and larger enterprises use network accounts, but we still see all options. What do you think about all these things and, especially, how do you feel the passwords of local admin accounts that are not centrally managed should be secured?
If you are running a Windows environment you can look up Microsoft's LAPS (Local Administrator Password Solution), as it offers central management, random password generation and audit trails among other features, all at the sweet price of free99. So any organization can implement it at no cost.
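As an added illustration of the LAPS features mentioned above (not code from the original post, and not Microsoft's own documentation), this is what the server-side setup, delegation, auditing and day-to-day use look like with the AdmPwd.PS module that ships with the legacy LAPS installer. The OU path, the `CORP\LAPS-Readers` group and the computer name `WS-001` are placeholders assumed for the example.

```powershell
# Added example (not from the thread): legacy Microsoft LAPS setup and use via the
# AdmPwd.PS module that ships with the LAPS installer. Run on a domain-joined admin
# host as a user with the rights noted at each step.
# Assumed names (placeholders, not from the original post):
$OU       = "OU=Workstations,DC=corp,DC=example"
$Readers  = "CORP\LAPS-Readers"   # the only group allowed to read/reset local admin passwords
$Computer = "WS-001"

Import-Module AdmPwd.PS

# 1. One-time schema extension (needs Schema Admins): adds ms-Mcs-AdmPwd and
#    ms-Mcs-AdmPwdExpirationTime to the computer object class.
Update-AdmPwdADSchema

# 2. Let computers in the OU write their own password and expiry into AD
#    (SELF gets write on the two attributes). ms-Mcs-AdmPwd is marked confidential,
#    so plain Domain Users cannot read it.
Set-AdmPwdComputerSelfPermission -OrgUnit $OU

# 3. Delegate read and reset to a dedicated group only. Anyone holding "All extended
#    rights" on the OU can also read the password, so list such holders and remove
#    any that should not have it.
Set-AdmPwdReadPasswordPermission  -OrgUnit $OU -AllowedPrincipals $Readers
Set-AdmPwdResetPasswordPermission -OrgUnit $OU -AllowedPrincipals $Readers
Find-AdmPwdExtendedRights -Identity $OU | Format-Table ObjectDN, ExtendedRightHolders

# 4. Audit trail: log every read of ms-Mcs-AdmPwd (Security event 4662 on the DC,
#    provided "Audit Directory Service Access" is enabled there).
Set-AdmPwdAuditing -OrgUnit $OU -AuditedPrincipals "Everyone"

# 5. Client side: the LAPS client-side extension reads its policy from this key.
#    Verify a workstation actually has LAPS enabled with the intended settings.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd" |
        Select-Object AdmPwdEnabled, PasswordComplexity, PasswordLength, PasswordAgeDays
}

# 6. Retrieve the current password when a local logon is needed, then force rotation
#    so the value that was just displayed does not stay valid.
$entry = Get-AdmPwdPassword -ComputerName $Computer
"{0}: expires {1}" -f $entry.ComputerName, $entry.ExpirationTimestamp
$entry.Password        # shown here; in practice paste straight into the logon prompt
Reset-AdmPwdPassword -ComputerName $Computer   # takes effect on the client's next GP refresh
```

Two caveats a practitioner would want alongside the "free" argument: the password sits in AD in cleartext guarded only by the attribute ACL, so step 3 (and regularly re-running `Find-AdmPwdExtendedRights`) is the actual control; and LAPS manages one local account per Windows machine, so it does nothing for the routers, switches and firewalls also mentioned in the question.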
Any kind of free tool is not a great security strategy! When looking at statistics around breaches for the last several years, 90% of all organizations have been hacked, and a report from Mandiant states that 100% of all breaches have involved stolen or misused privileged accounts.
Today, when looking at privileged accounts, they represent the largest security vulnerability an organization faces. And why is that?
Simply put, privileged accounts allow anyone who gains possession of them to control the organization's resources, disable security systems, and access vast amounts of sensitive data, and all predictions point to privileged account abuse worsening in the future. Organizations need to invest in a proper Privileged Account Security (PAS) solution, one that offers a multi-layer security approach such as: (1) securing and protecting all privileged account credentials; (2) controlling access to, monitoring and recording all privileged activity; (3) analyzing and detecting high-risk behavior, to name a few. Privileged Account Security is not just a password management tool, and that is the mistake people / organizations make!
LAPS is not just any free tool. It is a Microsoft product (don't forget Active Directory is free too). Besides, as security professionals we have to provide the best secure solutions for the situation. In most cases that situation is an organization without a budget (whether by choice or based on its financial situation).
I always go down the Lean Start-up approach to security; not every organization needs to start with the most expensive product on offer, where they end up using only 10% of the features while paying 100% of the cost.
A PAM solution is not a silver bullet either, as there are other components that possibly require investment and increase overall security / defense in depth. So I think it will be a good idea to free up finances for additional solutions.
I agree with some of your comments below: there is no silver bullet, and yes, every organization has different situations and challenges (financially). I just wanted to point out some of the real risks happening in the PAM space today, which is also becoming a regular theme in the news: "Former employee visits cloud and steals company data" (www.csoonline.com). With the growing trend of cloud, mobility and shadow IT, perimeter security is not providing the layer of protection it once did, and now the focus has to come from inside the network, managing the IDs and credentials of individuals who have elevated account access to sensitive data.
Guys, thank you for this debate; it's really healthy listening to you too. I do not mind sharing any tools/systems people are familiar with; this is also part of the discussion. When discussing a security flaw, I enjoy also pointing out possible solutions out there, especially at 0 cost :). I agree with all your statements @cruetz; I just want to make it clear that I did not intend to sink deeply into account management, rather I wanted to focus on the password management piece of the account management area. The biggest concern for me is decentralized password management, which usually is with the local accounts (admin or not). That's why I wanted to see what you guys think of that and how these types of passwords should be managed (considering my recent experience where they were kept in plain text on a piece of paper in a drawer).
Really interesting arguments from everybody - thanks for your input guys.
Centrally managed accounts would allow better manageability, but in some scenarios this may not be feasible, either because standalone systems can't be integrated with AD or use a RADIUS / TACACS system, or when an environment must be kept highly secure.
In my organization, we ensure the application of account and password standards for local systems as well, so the passwords are maintained in accordance with requirements (complexity, length, expiry, lockout, etc.)
Since system owners are ultimately accountable for system use, local account passwords are given to them, to 'delegate administration at their own risk.'
To beef up security even further, you might consider using a 'dual control' system, where an adequately long and complex password is split into 2 and each half is maintained by a different person. This way, you can have a very low risk of account compromise, unless there's collusion.
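For the standalone-system case described in this post (local accounts kept to a complexity / length / expiry / lockout standard without AD), here is an added example, not from the original post, of how one can check that the standard is actually applied on a non-domain Windows host. The required values in `$Standard` are illustrative assumptions; substitute your own.

```powershell
# Added example (not from the thread): audit a standalone (non-domain) Windows host's
# local password and lockout policy against a stated standard, and flag local admin
# accounts that escape it. Run in an elevated Windows PowerShell 5.1+ session on the host.
# The required values below are assumptions for illustration, not from the original post.
$Standard = @{
    MinimumPasswordLength = 14
    PasswordComplexity    = 1    # 1 = complexity enabled
    MaximumPasswordAge    = 90   # days; 0 or -1 in the export means "never expires"
    LockoutBadCount       = 5    # 0 = no lockout at all
    PasswordHistorySize   = 12
}

function Get-LocalSecurityPolicy {
    # secedit exports the effective local policy as a Unicode .inf; the
    # [System Access] section carries the password/lockout settings.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordStandard {
    param([hashtable]$Policy, [hashtable]$Required)
    foreach ($key in $Required.Keys) {
        $actual = $Policy[$key]   # $null if the setting is absent, which fails every check
        $ok = switch ($key) {
            'MaximumPasswordAge' { $actual -gt 0 -and $actual -le $Required[$key] }  # "never" must fail
            'PasswordComplexity' { $actual -eq $Required[$key] }
            default              { $actual -ge $Required[$key] }
        }
        [pscustomobject]@{ Setting = $key; Required = $Required[$key]; Actual = $actual; Compliant = $ok }
    }
}

$policy = Get-LocalSecurityPolicy
Test-PasswordStandard -Policy $policy -Required $Standard | Format-Table -AutoSize

# The policy only bites on accounts subject to it: list enabled local members of the
# Administrators group whose password is set to never expire.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires } |
    Select-Object Name, PasswordLastSet, LastLogon
```

Running this across the standalone estate (over WinRM, or scheduled locally with the output collected) gives a defensible record that the standard is enforced on each box, which is the evidence a system owner who has been handed a local admin password "at their own risk" will be asked for.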