According to reports in the Wall Street Journal, Jérôme Kerviel "worked late into the night, essentially burrowing into Société Générale's computers, as he allegedly built a multilayered way to hide his trades by hacking into the computer systems". After many hours of hacking, Kerviel was able to "eliminate controls that would have blocked his super-sized bets". This was partly achieved through the use of the computer log-ins and passwords of colleagues both in the trading unit and the technology section.
Studies by the Computer Emergency Response Team (CERT) and law enforcement agencies have shown how common this type of crime is, with up to 90% of incidents in business relating to the loss of assets resulting from staff having privileged access to IT systems and applications. An interesting side note from the study is that 57% of people responsible for fraud should not have had authorised system access at the time of the attack. Many used privileged system access to take technical steps to set up the attack before termination. According to a Société Générale spokesman, Kerviel had to breach five levels of controls to get away with his trades.
PASSWORD SECURITY
Privileged user accounts are the most powerful accounts defined within an IT enterprise environment. Privileged passwords control access to critical applications and servers, operating systems and databases. Often generic in nature, they include, but are not limited to, accounts such as administrator on Wintel platforms, root on UNIX systems, DBA passwords and hard-coded passwords found in application scripts throughout an enterprise. If one such password becomes known, multiple systems – and businesses – are put at risk. And these accounts cannot be managed by classic SSO solutions.
Today, most organisations use the same password value for many systems and devices. This reuse creates a common security hole that can be exploited by anyone who has had access to the systems. System intruders use valid credentials to log in as a privileged user on target systems because the privileged password was either the default value provided by the manufacturer, or was very weak and easy to guess, or simply has not been changed in years. While all of the platforms accessed via a privileged password are critical and vulnerable, embedded application passwords in applications such as WebSphere, WebLogic and other similar servers are particularly susceptible. When two unattended software applications connect, they require a username and a password, which are often stored in clear text or embedded in the application code, configuration file or script. In many cases, an application credential file can simply be copied from an application server and the passwords deciphered in a matter of minutes via the internet. A recent Cyber-Ark password survey revealed that 20% of enterprises have more than 1,000 applications and 42% of enterprises reported they never change these passwords. This situation poses serious security risks as these powerful embedded passwords are gradually distributed undetected throughout an organisation.
TAKING STOCK
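The clear-text application credentials described above can be found by the defender before a credential file is copied. The following scanner is an added example, not code from the original article or from any vendor product: it walks a few constructed configuration and script snippets (the file names, keys and values are all made up for the demonstration), reports each line that embeds a live credential, and treats a value that only references a vault or an environment variable as the acceptable form rather than as a finding.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Config keys that usually carry a credential (properties, INI, YAML, shell exports).
CREDENTIAL_KEY = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[\w.\-]*(?:password|passwd|pwd|secret|api[_\-]?key)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# JDBC-style connection URLs that carry the password as a query parameter.
JDBC_PASSWORD = re.compile(r"jdbc:\S*[?&;]password=(?P<value>[^&;\s\"']+)", re.IGNORECASE)
# Values that only *reference* a secret (vault lookup, environment variable, template)
# rather than containing it; this is the hardened form and is not reported.
INDIRECTION = re.compile(
    r"^(\$\{[^}]*\}|\$\([^)]*\)|\$[A-Za-z_][A-Za-z0-9_]*|\{\{.*\}\}|(vault|env|secret)://.*)$"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    key: str
    redacted: str   # first two characters only, so the report never reproduces the secret

def redact(value: str) -> str:
    value = value.strip().strip("'\"")
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that embeds a clear-text credential."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue                      # commented-out lines are not live credentials
        m = CREDENTIAL_KEY.match(line)
        if m:
            value = m.group("value").strip().strip("'\"")
            if value and not INDIRECTION.match(value):
                findings.append(Finding(path, n, m.group("key"), redact(value)))
            continue
        j = JDBC_PASSWORD.search(line)
        if j:
            findings.append(Finding(path, n, "jdbc password parameter", redact(j.group("value"))))
    return findings

def audit(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files (no real hosts, accounts or passwords) so the scanner runs offline.
SAMPLE_FILES = {
    "app.properties": """\
# datasource settings
datasource.url=jdbc:mysql://db.internal:3306/orders?user=orders&password=Summer2008
datasource.username=orders
# password=old-value-kept-for-reference
mail.smtp.password = mailpass1
ldap.bind.password=${env:LDAP_BIND_PASSWORD}
""",
    "deploy.sh": """\
#!/bin/sh
export DB_PWD='changeme'
export API_KEY=$(vault read -field=key secret/app/api)
""",
    "config.yaml": """\
database:
  user: app
  password: "P@ssw0rd"
cache:
  secret: "{{ lookup('hashi_vault', 'secret/cache') }}"
""",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.key} = {f.redacted}")
```

Run against the constructed files it reports four lines (the JDBC URL, the SMTP password, the shell export and the YAML password) and stays silent on the commented-out line and on the three values that delegate to a vault or an environment variable. Key matching is deliberately broad, so a key such as `password_policy.min_length` will also be reported and needs an allowlist in real use; that trade-off is preferable to missing an embedded credential.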
A recent Gartner report concluded that too many organisations and too many users have permanent and full superuser, root or administrator privileges. This vulnerability exposes mission-critical systems to accidental harm and malicious activity. This can be addressed by using privileged password management tools. There is not an organisation that is not vulnerable to an attack, either through deliberate targeting or through the failure of IT security staff and auditors. The events at Société Générale should serve as a wake-up call to any organisation that has not addressed the issue of privileged password management and application password management, as it’s only a matter of time until the next crisis of access occurs.
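The conditions the article warns about (standing superuser rights, a privileged password never rotated or still at the vendor default, one value reused across systems) can be checked from a privileged-account inventory of the kind a password management tool maintains. This is an added example, not the article's or any product's code: the inventory, the 90-day rotation policy, the default-password stand-ins and the HMAC key are all constructed, and the audit works on keyed fingerprints so that it never handles clear-text passwords itself.

```python
from __future__ import annotations
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical policy values and a constructed HMAC key; in a real deployment the
# vault holds the key and computes the fingerprints, so the audit never sees clear text.
FINGERPRINT_KEY = b"constructed-example-key"
MAX_PASSWORD_AGE_DAYS = 90
# Stand-ins for vendor default passwords; a real check uses the vendor's published list.
KNOWN_DEFAULTS = ("admin", "changeme", "password")

def fingerprint(password: str) -> str:
    """Keyed digest used only to test two passwords for equality."""
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()

@dataclass(frozen=True)
class PrivilegedAccount:
    system: str
    account: str
    fingerprint: str
    last_rotated: date
    standing_admin: bool    # permanently privileged rather than checked out per task

    @property
    def label(self) -> str:
        return f"{self.account}@{self.system}"

def audit(accounts, today, approved_standing=frozenset()):
    """Group findings into the four conditions the text describes."""
    report = {"reused": [], "stale": [], "default": [], "standing": []}
    by_fingerprint = defaultdict(list)
    default_fps = {fingerprint(d) for d in KNOWN_DEFAULTS}
    for a in accounts:
        by_fingerprint[a.fingerprint].append(a.label)
        if (today - a.last_rotated).days > MAX_PASSWORD_AGE_DAYS:
            report["stale"].append(a.label)
        if a.fingerprint in default_fps:
            report["default"].append(a.label)
        if a.standing_admin and a.label not in approved_standing:
            report["standing"].append(a.label)
    for users in by_fingerprint.values():
        if len(users) > 1:              # one password value shared across systems
            report["reused"].append(sorted(users))
    return report

# Constructed inventory (no real hosts or passwords). Passwords appear here only so the
# sample can build fingerprints; a real inventory would hold the fingerprints alone.
def _acct(system, account, password, rotated, standing):
    return PrivilegedAccount(system, account, fingerprint(password), rotated, standing)

SAMPLE_ACCOUNTS = [
    _acct("db01", "root", "Spr1ng-2005!", date(2005, 6, 1), True),
    _acct("db02", "root", "Spr1ng-2005!", date(2005, 6, 1), True),      # same value reused
    _acct("win-fs01", "administrator", "changeme", date(2007, 11, 2), True),
    _acct("ci01", "svc_build", "Ci$Build-9q2!", date(2008, 2, 10), False),
    _acct("db01", "oracle", "Or4cle#Rot8", date(2008, 2, 20), True),    # approved break-glass
]
AUDIT_DATE = date(2008, 2, 28)
APPROVED_STANDING = frozenset({"oracle@db01"})

def run_sample():
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE, APPROVED_STANDING)

if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}: {items}")
```

On the constructed inventory the two root accounts share one password value and are reported as reused; they and the Windows administrator account exceed the rotation policy; the administrator account is still at a default value; and all three hold standing admin rights outside the approved break-glass list, while the service account and the approved Oracle account produce no findings.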