
IT Insights

by msecadm4921

Five Security Secrets Your IT Administrators Don’t Want You to Know, by Philip Lieberman, CEO, Lieberman Software.

As valued members of your organisation, IT administrators work every day to keep your infrastructure up and available. But in today’s rush to contain operational costs, your IT administrators could be taking more shortcuts than you’d expect. And perhaps no aspect of IT suffers more from cutting corners than does security.

Here are five facts about IT security that your administrators probably don’t want you to know.

Most Passwords Never Change

Certainly, regulations may call for frequent password changes on all accounts in your infrastructure. But though your IT administrators may be tasked to change passwords on a regular basis, your organisation probably lacks the automation to reliably change what could be thousands of the passwords that matter most.

Sensitive accounts like administrator logins, embedded application-to-application passwords, and privileged service accounts often keep the same passwords for years because IT staff may not have the tools to track and change them. And, because systems and applications often crash when IT personnel attempt to change interdependent credentials, many of your organisation’s most privileged logins can go unchanged for extended periods of time.

Ad-hoc change processes and handwritten scripts might succeed in updating the passwords of some types of privileged accounts, but unless your organisation has invested in privileged identity management software, you can be sure that many of the passwords that grant access to your organisation’s most sensitive information are never changed. This means that access to this data – whether by IT staff, programmers, subcontractors or others who ever had access – will continue to spread over time.

Too Many Individuals Have Too Much Access

Regardless of your written policies, highly-privileged account passwords are almost certainly known to large numbers of IT staff. And chances are, for the sake of convenience, these logins have been shared with individuals outside of IT.

As a result, contractors, service providers, application programmers, and even end-users are likely to have the ability to gain privileged access using credentials that may never change. Unless you’ve got technology in place to track privileged logins, delegate access, and change these powerful credentials after each time they’re used, you’ll never know who now has access.

Your CEO’s Data Isn’t Private

With all the recent headlines about corporate and government data leaks, you might still be surprised to know how many individuals have access to the files on your executives’ computers, and to the data resident in the applications that senior managers use every day. Anyone with knowledge of the right credentials can gain anonymous access to read, copy and alter data – including the communications and application data belonging to your executive staff. In many cases these credentials are known not only to senior IT managers, but also to IT rank and file, application programming teams, contractors and others. More than likely your low-paid help desk workers have access to more sensitive data than your CFO. And those subcontractors in India? It’s likely that they can access the CEO’s account, too.

IT Auditors Can Be Misled

If your administrators know about security gaps or failed policies that your IT auditors haven’t discovered, they will most likely try to take the knowledge to their graves. IT staff have limited time to complete higher-visibility projects that influence performance ratings and paychecks, so in most cases you can forget about them fixing any security holes that your auditors fail to notice.

Security Often Takes a Back Seat

Is your IT administrators’ pay structure tied to security? No? Then they’re probably not as proactive as you might expect when it comes to securing your network. Most IT administrators won’t tell you about the security vulnerabilities they discover in the course of their jobs because they’re not paid to fight losing battles to gain resources necessary to close each discovered security gap.

Because pay packages are rarely tied to safeguarding your network, your IT administrator is also probably not taking the initiative to update her technical skills when it comes to security. As a result, even when budgets allow for purchases of new security technologies, your staff may have no clue how to actually use these new tools effectively.

Fundamentally, the security of each organisation hinges on how well IT balances convenience with controls and accountability. All too often IT is given free rein to operate under its own rules when it comes to security and resists working under the same types of controls that apply to others in the organisation.

Those organisations that work to bring IT into balance – introducing accountability through segregation of duties and adequate auditing controls while providing sufficient resources and incentives to provide proactive security – often come out ahead.


© 2024 Professional Security Magazine. All rights reserved.
