As more and more sensitive information is stored electronically, the issue of securing that data has become increasingly complex. Mounting regulatory compliance requirements and the growing threat of insider attacks are forcing many organizations to address the issue of unmanaged and exposed passwords. Today, partly because of breach and disclosure legislation, many CIOs are aware that some accounts within their enterprise network are unmanaged and vulnerable.
Robert Grapes, Enterprise Solutions Specialist at Cloakware, comments: “No CIO wants to be on the front pages but unfortunately we will hear about many more before the issue of exposed passwords is solved.”
Grapes adds: “While the problem sounds simple, it is actually rather a complex security challenge to solve.”
Virginia-based Cloakware, a supplier of security solutions to the government, enterprise and consumer markets, has developed a commercial solution to address the problem of unsecured passwords. “The organization should study all the requirements to solve this issue and not focus only on security,” explains Grapes. “Other criteria are just as important in selecting the proper solution, including security and risk mitigation, standards, performance and scalability, manageability, integration support, high availability and uptime, and auditing and reporting.”
“It is not just about the security. The solution must fit within an organization’s environment. It must run on their platforms, it must preserve their investment in databases and not create new silos of technology.”
According to the US Department of Justice, disgruntled former employees have perpetrated half of recent computer fraud cases. As the number of insider attacks increases in scale and complexity, organizations are forced into developing more intelligent ways of addressing user identity management. Passwords in scripts and applications have become a traditional security approach to insider threats. Most IT organizations continue to use hardcoded passwords because they are an available, basic form of authentication for securing vulnerable accounts. Hardcoded passwords are popular because applications, lacking the ability to authenticate using keyboard passwords or second-factor tokens, must authenticate using a stored password. Typically, these passwords are hardcoded into the application script and are rarely, if ever, changed.
Cloakware says: “Considering that these hardcoded passwords are known by many developers and administrators and are rarely changed, organizations should be concerned about the risks of this practice.”
“The risk is that these passwords can very easily be used maliciously by any number of 'trusted' users without any traceability,” warns Grapes. “With full access the malicious person can cause far more significant damage to an organization than an attack using an individual user identity.”
The Cloakware solution eliminates application hardcoded passwords by using a central repository that automatically releases passwords to the unattended, but authorized, application. The central repository delivers a “single point of truth” over the release of passwords to an administrator or an application. Cloakware believes that securely centralizing passwords delivers operational efficiencies by automating the maintenance of application passwords and reducing the risk of unscheduled application outages caused by password synchronization issues. The risk of a credential breach is reduced, says Grapes, when applications can gain access to validated passwords without divulging those accounts to developers. But, admits Grapes, “the central repository also presents itself as a prime target for an attacker and thus must include a defence in depth approach to prevent the repository from becoming a honey pot for would-be attackers.”
In order to obtain a validated password, the unattended application must first authenticate itself. With the Cloakware solution, application authentication uses a combination of “biometrics” and cryptographic techniques. Describing application biometrics, Grapes comments: “In the human world we are able to use second-factor tokens or human biometrics to prove that we are who we say we are. In the digital unattended world we use a variety of run-time criteria to help establish the identity of an application. These values, in combination with a valid mapping record, can be used to uniquely identify one application from another and prevent many sophisticated attacks.”
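The release model described above, as an added illustration rather than Cloakware's own code: a repository compares the run-time criteria an application presents (host, path, hash of its own script) against a mapping record, releases the password only on a full match, and records every decision so that each release is traceable. The record fields, host names, script body and vault contents are all constructed for this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample data (not Cloakware's format): one mapping record per authorized
# application, pinning the run-time attributes the repository expects to see.
SCRIPT_BODY = b"#!/usr/bin/env python3\n# constructed billing batch job\n"
MAPPING_RECORDS = {
    "billing-batch": {
        "host": "batch01.example.internal",
        "path": "/opt/billing/run_batch.py",
        "binary_sha256": hashlib.sha256(SCRIPT_BODY).hexdigest(),
        "account": "db_billing_ro",
    },
}
# Constructed vault contents; a production repository encrypts these at rest.
VAULT = {"db_billing_ro": "constructed-password-rotated-2024-05"}
AUDIT_LOG = []  # every decision, granted or denied, is recorded for traceability


def fingerprint(app_id, host, path, binary_bytes):
    """Run-time criteria an unattended application presents instead of a stored password."""
    return {"app_id": app_id, "host": host, "path": path,
            "binary_sha256": hashlib.sha256(binary_bytes).hexdigest()}


def release_password(request):
    """Return (password, reason). The password is None unless every attribute matches."""
    record = MAPPING_RECORDS.get(request["app_id"])
    decision, reason = "denied", "unknown application"
    if record is not None:
        # Constant-time comparison of each pinned attribute against the presented value.
        mismatched = [k for k in ("host", "path", "binary_sha256")
                      if not hmac.compare_digest(record[k].encode(), request[k].encode())]
        if mismatched:
            reason = "mismatch: " + ", ".join(mismatched)
        else:
            decision, reason = "granted", "all run-time criteria matched"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "app_id": request["app_id"],
                      "host": request["host"], "decision": decision, "reason": reason})
    if decision != "granted":
        return None, reason
    return VAULT[record["account"]], reason


if __name__ == "__main__":
    ok = fingerprint("billing-batch", "batch01.example.internal", "/opt/billing/run_batch.py", SCRIPT_BODY)
    print(release_password(ok))
    # The same script copied to another host and edited is refused, and the refusal is logged.
    copy = fingerprint("billing-batch", "dev-laptop.example.internal", "/opt/billing/run_batch.py", SCRIPT_BODY + b"x")
    print(release_password(copy))
```

The developer of the batch job never sees the value in VAULT, and rotating it changes only the repository, not the script.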
Automation is one of the key elements of Cloakware’s approach to managing passwords in the data center. Not only does it deliver the efficiency needed to enable frequent and rapid password changes but it also improves the security of the solution by eliminating human knowledge from the process. Centralization is another key element of the process because it eliminates widely distributed password knowledge and enables a single point of policy control over the release of passwords.
Internal attacks, while fewer in number, are far more financially damaging than external attacks. It has been shown that of the computer fraud cases perpetrated by insiders, most included the exploitation of weak, unchanging passwords on servers to which the insiders had some level of access.
“In the end it all comes down to protecting the data,” says Grapes. “And access control is one way of protecting access to data.”