20
DATA SECURITY
Try to banish the shared password
To make management and maintenance of systems
easier you may currently have shared accounts being
used by multiple users to login. Obviously this will
make it extremely difficult to tie individual users to
these shared accounts. The fact that the password
is known to a number of individuals presents a
fundamental weakness and increases your attack
surface significantly. Deploying a solution to manage
privileged access should also allow users to continue
to login with local system or admin accounts, without
them needing to have the passwords for them. These
passwords can then be stored automatically and
encrypted in a password vault, dramatically improving
their security.
A technology can only be as effective as the people who use it.
Secure Data
A tweet sent by another individual with knowledge
of the hack suggests that credentials for one internal
tool were woefully weak. “TalkTalk has a ISP tool
called ‘Davinci’ and the admin login for that tool was
username: tim password: tim,” he said. But how can
organisations be expected to secure access to data
on the inside? Where is the right place to start? It’s
always best to begin with what you know.
Manage Access to What’s Most Precious
It’s very likely that you already have some
understanding of who your most privileged users are
or the systems that are the highest priority for you.
If you can do nothing else, begin to secure access
to these. Securing that access begins by asking
the simplest questions: what data exists on these
systems? Who has access to them? How do they use
that access? Managing privileged access successfully
should mean you’ll be able to define how users access
these resources as well as having a complete audit
of that access. Beginning here you’ll find that you’re
dramatically reducing your risk by protecting what
you know is most precious.
Look to Deploy Fast and Secure Quickly
You might be thinking that this will obviously mean
not just an investment in technology, but will also be
time consuming to deploy and manage. This doesn’t
have to be the case and attempting too much is a
well-recognised factor contributing to the failure of
Identity & Access Management projects (Gartner).
Instead, be clear about what you need to secure and
deploy a solution that minimises the impact on day
to day operations and will be up and running in just a
few days.
A technology can only be as effective as the people
who use it, therefore keep in mind the needs of
the privileged users who work with it daily. A single
platform with a single management console is easy
to work with; minimal or no training requirements
are always welcome. Try to identify products that fit
with your existing infrastructure and not the other
way around. It is possible to get the very best in
control and visibility without major disruption to your
network and business.
Conclusion
For all the accusations of failure directed at TalkTalk
you would have to concur with Dido Harding’s
assessment of cyber-attacks as “the crime of this
generation” and stating it would be “naive” to rule out
the prospect of the telecoms firm suffering something
similar in the future. There have been enough hacks
like this one in recent times for us to be sure that
cyber threats are definitely a board-level issue today,
now it comes down to having strong, IT-literate
leadership. If cyber crime is the number one threat to
UK business, why are there so few technology experts
on those boards? TalkTalk is potentially the battering
ram that security professionals can use to open up
the C-suite and force their hand in investment to
protect businesses brands, share prices and, most
importantly, their customers.
www.networkeuropemagazine.com