UK businesses warned to urgently review privileged credentials policies
Andy Harris
Osirium, a leader in Privileged Access Management today shared recent research findings which it hopes will encourage businesses to actively review their existing privileged credential policies.
Osirium has found that companies are still exposing themselves to possible external attacks because of the clear text transmission of system administrator login details.
With today’s growing number of mobile workers, remote management tasks are becoming more critical and in order for these processes to be managed more effectively, privileged credentials are often embedded in these applications or tools and this is where potential risks lie.
“It seems obvious stating that if the wrong individuals get access to these credentials, they may use them for malicious purposes, but it seems that companies continue to be oblivious to these threats, or just hope that it won’t happen to them,” said David Guyatt, CEO at Osirium. “To make things worse, these credential details often embedded in applications so they rarely get changed, even after they have unknowingly been compromised.”
Osirium warns businesses to pay more attention to this issue, because if shared group credentials are being used, then an attack on one device could well affect all the others in the same group.
“This risk is exacerbated by the fact that privileged credentials are often not just stored but also transmitted in clear text,” added Bob Tarzey, Analyst and Director at Quocirca; the organisation that conducted the research for Osirium. “The research shows that around 65% of organisations admitted that system administrator login details are sometimes transmitted this way. The problem also arises when remote system administrator tasks are carried using services such as Telnet, which sends communications in clear text.”
This issue is one that can be quickly resolved however, as applications and tools needing privileged access rights should instead be administered and monitored in the same way as ‘human’ privileged users are – for example not using group access privileges. Furthermore, the assigned login details need not be transmitted in the clear. New technologies can now ensure that passwords are easily masked or, better still, the entire transmission is encrypted.
“Our objective is to automate a lot of these typically time consuming processes that ensures systems remain secure without system administrators continually managing updates and changing passwords,” continued Guyatt. “Ultimately, managing credentials correctly is a lot easier than the clean-up operation after a security leak.”