• United States



by David Braue

Just months out from NDB, many companies still aren’t addressing “ridiculous” privileged-account practices

Nov 15, 20174 mins
Backup and RecoveryBusiness ContinuityCompliance

Staring down a growing compliance burden, IT-security executives are warming to the clarity of the ASD Essential 8 and security audits that are helping them educate boards and pinpoint key areas for remediation in the last months before Australia’s Notifiable Data Breach (NDB) scheme comes into effect.

Audits regularly showed companies to have user accounts with full administrative rights that had often been granted to users arguing for what, Ivanti ANZ area vice president Michael Bosnar told CSO Australia, are often “ridiculous requirements as to why they need admin rights”.

Many other administrators had forgotten, or simply could not manage the administrative accounts given to network servers that were often granted full rights to other network resources; once any of these are breached, malicious outsiders – who are becoming more and more effective at cracking passwords – have the run of the business.

“Some companies get so focused on restricting behaviour and keeping a positive user experience,” he said, “that they forget they’ve got these servers with full admin rights just sitting there. All you need is for one of these servers to get hit by ransomware, and it has the keys to the castle. It’s a real issue today and it’s amazing how many organisations still haven’t addressed that issue.”

The extent of the problem was highlighted in a recent One Identity global survey of 913 IT security professionals, in which 80 percent of Australian respondents said they were having challenges managing privileged passwords – and 17 percent said they still write down the details of privileged accounts in a paper logbook.

Fully 71 percent of respondents said they only monitor some privileged accounts, or don’t monitor them at all. A third said they cannot consistently identify individuals who perform administrative activities, while 22 percent of Australian respondents said they cannot monitor or record activity performed using admin credentials.

Worryingly, 40 percent of respondents said they don’t even change default admin passwords. This exacerbated well-established poor practices by employees, whose poor password management and other security practices are creating continuing headaches for businesses.

Yet with just 1 percent of employees responsible for 75 percent of companies’ cybersecurity risk, targeting those users with tighter privileged-account controls offers an some big wins as part of efforts to clamp down on lax security controls.

Pressed by customers as to what they can do to improve their security posture, Ivanti has followed the lead of the Australian Signals Directorate’s Top 4 and Essential Eight security strategies, which include control over privileged accounts as one of their core tenets.

While these guidelines provide valuable guidance for data-security practices, customers also value dashboard-based visualisation tools that give them an easy view of compliance in areas such as control over privileged accounts, patching and other key practices espoused in the Essential Eight.

Armed with clear numbers about the organisation’s security status, security executives can approach business executives and boards with a clear picture of the current security state and the resources and strategies required to meet the requirements of NDB and other coming regulatory requirements.

Visibility “has been a big growth area for us because people just don’t know where they’re at,” Bosnar said. “But ultimately, no customer that I’ve been speaking to is looking for another point solution. They’re all looking for a framework they can hang their business around. Then they can take that single dashboard to their board and say ‘here is our plan to address this’.”

Despite the runup and the long period of planning it has afforded, Bosnar believes many companies will struggle to get compliant before the NDB deadline – potentially exposing them to fines and reputational damage as customers realise just how poorly their sensitive data is being protected.

Many companies may still end up waiting until fines are handed out before getting serious about security, he added, noting that one large company “has been hit more than a couple of times and they have not made it public. But if that happens after the legislation comes in, they could be charged.”

Avoiding this outcome will drive much of the last-minute work around improving visibility and control over privileged accounts and other potential vulnerabilities. “It’s only when you audit and penalise people for that behaviour, and warn them at least, that you will start getting a change in behaviour,” Bosnar said.

“And it’s a lot easier to sort stuff out and work proactively in advance, as opposed to coming in later and picking up bodies.”