TECH TALK
Privileged password management, sometimes called enterprise password management, refers to the practice and technique of securely controlling credentials for privileged accounts, services, systems, applications and more.
Unfortunately, with so much power inherent in privileged credentials, they are ripe for abuse by insiders and are highly coveted by attackers.
Password attacks come from all angles. Some programs, such as John the Ripper and L0phtCrack, can recover even complex passwords from captured hashes, while Pass-the-Hash toolkits can be just as lethal without cracking anything, because the stolen hash itself is accepted for authentication. In fact, according to the 2017 Verizon Data Breach Investigations Report (DBIR), 81% of hacking-related breaches leveraged stolen and/or weak passwords.
For holistic management of privileged accounts and credentials, there are eight core areas that you should focus on. Most likely, achieving holistic enterprise password management will follow a graduated approach, but let me share some insights on where to start and how to proceed.
Discover all shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts, and other privileged credentials, including those used by third parties and vendors, across your on-premise and cloud infrastructure.
Discovery should include every platform (Windows, Unix, Linux, cloud, on-prem, etc), directory, hardware device, application, service and daemon, firewall, router and so on. It should also gather the account details that help assess risk: privilege level, password age, last logon and expiry dates, group membership, and any services that depend on the account. Discovery should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:
• Long-forgotten orphaned accounts that could provide an attacker with a backdoor to your critical infrastructure
• Passwords with no expiration date
• Inappropriate use of privileged passwords, such as reusing one admin credential across multiple service accounts
• SSH keys reused across multiple servers
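As an added illustration (not from the article, and not any vendor's discovery tool), here is a small Python check that runs the risk rules above over a constructed account inventory. The field names, the policy thresholds and the fingerprint values are assumptions for the example; a fingerprint stands in for a hashed credential, so two accounts with the same fingerprint share a password or key.

```python
from collections import defaultdict
from datetime import date

# Policy thresholds: assumed values for this example, not figures from the article.
MAX_PASSWORD_AGE_DAYS = 90
ORPHAN_IDLE_DAYS = 180

# Constructed sample inventory standing in for discovery-scan output. Names,
# dates and "fp" (fingerprint) values are made up; equal fingerprints mean the
# same password or the same SSH key.
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"account": "Administrator", "host": "web01", "owner": "itops",
     "last_logon": date(2024, 5, 30), "pw_set": date(2024, 5, 1),
     "pw_expires": date(2024, 7, 30), "pw_fp": "fp-7c1d", "ssh_key_fp": None},
    {"account": "svc_backup", "host": "db01", "owner": "itops",
     "last_logon": date(2024, 5, 31), "pw_set": date(2023, 1, 15),
     "pw_expires": None, "pw_fp": "fp-7c1d", "ssh_key_fp": None},
    {"account": "svc_report", "host": "app02", "owner": "finance-it",
     "last_logon": date(2024, 5, 29), "pw_set": date(2024, 4, 20),
     "pw_expires": None, "pw_fp": "fp-7c1d", "ssh_key_fp": None},
    {"account": "jsmith_adm", "host": "ad01", "owner": None,
     "last_logon": date(2023, 8, 2), "pw_set": date(2023, 7, 1),
     "pw_expires": date(2023, 10, 1), "pw_fp": "fp-02aa", "ssh_key_fp": None},
    {"account": "root", "host": "lin01", "owner": "platform",
     "last_logon": date(2024, 5, 31), "pw_set": date(2024, 5, 15),
     "pw_expires": date(2024, 8, 13), "pw_fp": "fp-9e4b",
     "ssh_key_fp": "SHA256:deploykey01"},
    {"account": "root", "host": "lin02", "owner": "platform",
     "last_logon": date(2024, 5, 31), "pw_set": date(2024, 5, 15),
     "pw_expires": date(2024, 8, 13), "pw_fp": "fp-c3d7",
     "ssh_key_fp": "SHA256:deploykey01"},
]


def assess(inventory, today=TODAY):
    """Return (account, host, issue) findings for the blind spots listed above:
    orphaned accounts, non-expiring passwords, stale passwords, one credential
    shared across several accounts, and one SSH key present on several servers."""
    findings = []
    accounts_by_pw = defaultdict(list)   # credential fingerprint -> accounts using it
    hosts_by_key = defaultdict(set)      # SSH key fingerprint -> hosts it is present on
    for rec in inventory:
        tag = (rec["account"], rec["host"])
        idle = (today - rec["last_logon"]).days
        if rec["owner"] is None or idle > ORPHAN_IDLE_DAYS:
            findings.append((*tag, "orphaned: no owner or idle for %d days" % idle))
        if rec["pw_expires"] is None:
            findings.append((*tag, "password never expires"))
        age = (today - rec["pw_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((*tag, "password age %d days exceeds policy" % age))
        accounts_by_pw[rec["pw_fp"]].append(tag)
        if rec["ssh_key_fp"]:
            hosts_by_key[rec["ssh_key_fp"]].add(rec["host"])
    # Cross-account checks need the whole inventory, so they run after the loop.
    for tags in accounts_by_pw.values():
        if len(tags) > 1:
            for tag in tags:
                findings.append((*tag, "credential shared with %d other account(s)"
                                 % (len(tags) - 1)))
    for key_fp, hosts in hosts_by_key.items():
        if len(hosts) > 1:
            for rec in inventory:
                if rec["ssh_key_fp"] == key_fp:
                    findings.append((rec["account"], rec["host"],
                                     "SSH key %s reused on %d hosts" % (key_fp, len(hosts))))
    return findings


if __name__ == "__main__":
    for account, host, issue in assess(INVENTORY):
        print(f"{account}@{host}: {issue}")
```

The shared-credential and key-reuse rules are the reason discovery has to be collected centrally before it is assessed: neither can be seen from a single host's view of a single account.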
Bring privileged accounts and credentials under centralised management: optimally, the onboarding process happens at the time of password creation, or otherwise shortly thereafter during a routine discovery scan. Silos of individuals or teams independently managing their own passwords are a recipe for password sprawl and human error. All privileged credentials should be centrally secured, controlled, and stored. Your password storage should use an industry-standard encryption algorithm such as AES-256; Triple DES is a legacy algorithm that NIST has deprecated and should not be chosen for new deployments.
Implement password rotation across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomised on a scheduled basis, upon check-in, or in response to a specific threat or vulnerability.
Bring application passwords under management: simply put, this requires deploying an application password management solution that forces applications and scripts to request the password from a centralised password safe at run time instead of reading it from source code or a configuration file. By implementing API calls, you can wrest control over scripts, files, code and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates; note that every rotation must be pushed to the target system as well as recorded in the safe, or the application will fail its next logon. Take care, too, that the credential the application uses to authenticate to the safe does not simply become the new hard-coded secret. By bringing the application password under management and encrypting it in a tamper-resistant password safe, the credential and underlying applications are vastly more secure than when the passwords remained static and stranded within code.
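To make the rotation policy and the application-password workflow above concrete, here is an added Python model (written for this page; it is not the article's code and not any commercial safe's API). It assumes a hypothetical in-process `PasswordSafe` with check-out, check-in and rotate operations, a `ManagedSystem` standing in for the target the application logs on to, and an injected clock; the account name, the 30-day interval and the hard-coded value are made up.

```python
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
ROTATE_AFTER = timedelta(days=30)   # assumed scheduled-rotation interval


class ManagedSystem:
    """Stand-in for a managed target (database, server, appliance). The safe
    sets the account's password here, and the application logs on here."""

    def __init__(self):
        self.passwords = {}   # account -> password currently valid on the target

    def set_password(self, account, password):
        self.passwords[account] = password

    def login(self, account, password):
        return self.passwords.get(account) == password


class PasswordSafe:
    """Minimal in-process model of a centralised password safe: onboard,
    check out, check in, rotate. A real safe sits behind an authenticated API
    and an encrypted store; only the workflow is modelled here."""

    def __init__(self, target, now):
        self.target = target
        self.now = now            # injected clock so the example is deterministic
        self.entries = {}         # account -> password, set_at, checked_out, rotations
        self.issued = set()       # every password ever generated, to forbid reuse
        self.audit = []           # (time, requester, account) for each check-out

    def _generate(self, length=32):
        while True:
            pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if pw not in self.issued:
                self.issued.add(pw)
                return pw

    def onboard(self, account):
        self.entries[account] = {"password": None, "set_at": None,
                                 "checked_out": False, "rotations": []}
        self.rotate(account, "onboard")

    def rotate(self, account, reason):
        """Generate a fresh, never-issued password and push it to the target
        before recording it, so a failed push leaves the old value usable."""
        e = self.entries[account]
        pw = self._generate()
        self.target.set_password(account, pw)
        e.update(password=pw, set_at=self.now)
        e["rotations"].append(reason)

    def checkout(self, account, requester):
        e = self.entries[account]
        if e["checked_out"]:
            raise RuntimeError(f"{account} is already checked out")
        if self.now - e["set_at"] > ROTATE_AFTER:
            self.rotate(account, "scheduled")   # stale value is rotated before release
        e["checked_out"] = True
        self.audit.append((self.now, requester, account))
        return e["password"]

    def checkin(self, account):
        e = self.entries[account]
        e["checked_out"] = False
        self.rotate(account, "check-in")        # the value just used is now dead


# BEFORE: the anti-pattern the article describes, a credential stranded in code.
DB_PASSWORD = "Summer2019!"   # hard-coded, never rotates, copied with every clone

def run_report_hardcoded(target):
    return target.login("svc_report", DB_PASSWORD)


# AFTER: the script requests the credential from the safe at run time and
# hands it back when done, which triggers rotation.
def run_report(safe, target):
    pw = safe.checkout("svc_report", requester="report.py")
    try:
        return target.login("svc_report", pw)
    finally:
        safe.checkin("svc_report")


def demo():
    target = ManagedSystem()
    safe = PasswordSafe(target, now=datetime(2024, 6, 1))
    safe.onboard("svc_report")
    first = safe.entries["svc_report"]["password"]
    first_run = run_report(safe, target)
    replay = target.login("svc_report", first)   # reusing a checked-in value fails
    safe.now += timedelta(days=45)               # past the scheduled-rotation interval
    second_run = run_report(safe, target)
    return {"first_run": first_run, "replay_after_checkin": replay,
            "second_run": second_run, "hardcoded": run_report_hardcoded(target),
            "rotations": list(safe.entries["svc_report"]["rotations"]),
            "unique_passwords": len(safe.issued), "audit_entries": len(safe.audit)}


if __name__ == "__main__":
    print(demo())
```

The order inside `rotate` is the point worth copying: the new value goes to the target first and is recorded in the safe only after that push succeeds, so a rotation that fails half-way never leaves the safe holding a password the target does not know.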
Bring SSH keys under management:
NIST IR 7966 offers guidance for
INTELLIGENTCIO
83