Privileged and Shared Accounts – Why You Must Close this Security Hole

One only has to consider the case of Jerome Kerviel, the rogue trader at French bank Societe Generale, who used multiple shared passwords and accounts to execute fraudulent trades, to appreciate the risks shared account logons pose to the modern organisation.

By Stephane Fymat | Jan 19, 2010

One only has to consider the case of Jerome Kerviel, the rogue trader at French bank Societe Generale, who used multiple shared passwords and accounts to execute fraudulent trades, to appreciate the risks shared account logons pose to the modern organisation.  Kerviel's actions cost the bank €4.9bn and serious ramifications were felt across the global financial markets.

The City of San Francisco found itself in a similar situation last year when a disgruntled network administrator, Terry Childs, reset all administrative passwords to the routers for the city's wide area network.  His actions prevented other administrators from managing the system, as he essentially held the City to ransom.

What these two stories demonstrate is that failing to manage shared passwords adequately can expose organisations to serious vulnerabilities, particularly in the case of privileged accounts where a disgruntled employee could potentially have the power to hold an entire network hostage.

Keeping track of privileged user and shared access accounts is also important for accountability.  Unfortunately, however, many organisations simply don't know for sure who has access to shared passwords.  Far too often, the entire IT department knows the details of what is supposed to be a limited-access password.  According to a 2008 survey of its members by the Independent Oracle Users Group, nearly 40 per cent of organisations had no way of monitoring the abuse of data by privileged account users.

As a result of high-profile incidents like those at the City of San Francisco and Societe Generale, legislation and industry regulations such as PCI DSS are increasingly prohibiting the sharing of accounts between users.  But this causes big headaches for many IT managers in both the public and the private sector, as shared and privileged accounts have become a necessary component of today's enterprise IT infrastructure.

All kinds of employees, from office administrators and temporary workers to nurses and civil servants, require access to shared account logons for enterprise applications and systems for all kinds of reasons.  IT managers therefore need to strike a balance between providing the flexibility required to meet end users' needs and ensuring security and compliance with corporate policy and the latest industry regulations and legislation.

So, how do they protect themselves from the risks in a cost-effective manner?
