It’s been an active season for criminal hackers, rogue IT administrators and others with vindictive motives and the ability to exploit weak and outdated security systems. Let’s recap with a look at just a few of the security breach fiascos we’ve seen in recent months:
- A vengeful fired IT administrator logged into his former account. Then he deleted 15 virtual machines and inflicted an estimated $800,000 in damages;
- A Bank of America employee leaked hundreds of customers’ confidential account information to scammers. This resulted in more than $10 million in losses;
- Hackers broke into the PlayStation Network and made off with the personal information of more than 77 million members. At the time of this incident, it was the fifth largest data breach ever.
I could easily list a dozen or more similar examples, but I won’t. Since you’re reading this blog these security breaches are old news to you. You’re most likely aware of the risk that determined criminal hackers outside your organization, as well as malicious (and mistake-prone) insiders can pose to your confidential data, regulatory compliance status and reputation.
And to take the severity of the situation a step further, Roger Grimes points out in a recent column that a striking difference between the breaches in today’s headlines, versus those from years past, is the sophisticated level of criminal attack motivated by financial gain. Gone are the days when most hacks were mere nuisance events with little, if any, harmful impact.
“We are in a new computer security world now,” Roger writes, and I agree. We all realize that we’re well past the age when an IT group could run antivirus software, put up a firewall, update Windows patches and thereby maintain a tolerable level of security.
How to Avoid Data Breaches
However, based on my years of experience working with some very large and prominent enterprises, I learned that there are some frequently overlooked security practices that organizations could begin implementing today in order to increase their security postures quickly. Here are several suggestions for maintaining tight control over critical systems and data in the modern enterprise:
Employee Only Access: As the Shionogi story proved, just because you terminate a troublesome IT administrator doesn’t mean you’ve seen the last of him. Dismissing a wayward employee is more than an HR formality. Particularly for IT staff, once you decide to part ways with an employee you must immediately revoke any logins used to access your organization’s systems. Pay particular attention to privileged account access that IT personnel use to install systems and applications, change configuration settings, and generally obtain free reign throughout the IT infrastructure.
Document Access Points: Shutting off privileged access to former employees and contractors is one thing. Knowing exactly what to shut off is a different matter. Privileged accounts reside on almost every server and workstation operating system, line-of-business application, database, Web service, and hardware appliance in the IT infrastructure. Yes, there a lot of them. If you’re in a large organization, you most likely have thousands of such accounts. And that includes some that you don’t even know are there. But each one of these accounts represents a potential point of vulnerability into your network. So find them, track them and keep the list current.
Beyond Password Management: You probably have a password policy for user logins – complexity, change frequency and so on. That’s important, but if you’re not managing privileged passwords, the logins for the powerful privileged accounts described above (including process and service accounts that human users may not even see), you’re not going to prevent the types of serious, criminally organized data breaches mentioned at the beginning of this post. Once you’ve documented where the privileged accounts reside in your infrastructure you need to set up each account with its own unique and cryptographically complex password and then track access.
Prove It: How do you track access to privileged accounts? With detailed reports that show which IT admins use privileged account passwords, when and for what purpose. By maintaining this level of oversight on privileged access, you’re not only discouraging abuse of these accounts, you’re providing an audit trail leading back to the precise cause if a problem does occur. These reports should be run frequently. They should be available to IT management and executive staff. And they should be accessible on demand to regulatory compliance auditors.
Limit Exposure: Keep your privileged account passwords available only to audited users on a need-to-know basis. With time-limited access and frequent changes to passwords, there are no static passwords available on sticky notes, shared spreadsheets or in a sys admin’s memory. And that means no tricky social engineering exploits or rogue IT personnel can use a known privileged account password to wreak mayhem in your network. Take it even one step further and use remote logins so that your delegated users and contractors never actually even see the passwords that grant them elevated access.
All of this may seem like a daunting endeavor. But consider the ramifications if you are involved in one of the high-profile, costly data breaches discussed at the top of this post. No one can predict the target of the next attack. Incorporating these measures into your existing security practices could prevent a tremendous amount of turmoil for you down the road.
Of course I’d be remiss if I didn’t tell you that there are privileged identity management solutions available now that can automate all of the functionality I described above.
cheap viagra online buy sildenafil viagra over the counter usa 2020
is generic cialis safe cialis for sale fastest delivery of cialis buying online
non prescription viagra buy cheap viagra generic viagra india
buy prescription drugs best pharmacy online the best ed pills
viagra without a doctor prescription canada generic viagra generic viagra cost
canadian pharmacy generic viagra viagra cheap viagra 100mg
viagra otc buy generic drugs buy generic viagra
buy viagra online cheap generic viagra online mail order viagra
generic viagra cost buy viagra online discount viagra
prescription drugs without doctor approval generic ed pills natural ed cures
ed products cheap ed pills buy prescription drugs online without
erectyle disfunction ED Pills Without Doctor Prescription how to overcome ed naturally
mens ed how to cure ed naturally top rated ed pills
lowest price cialis cialis does cialis lower blood pressure
30 mg cialis what happens buy tadalafil online cialis
canadian drugs online canadian drugstore online how to help ed
erectile dysfunction natural remedies
natural ed medications ed meds online without doctor prescription best online canadian pharmacy
sildenafil without a doctor’s prescription
supplements for ed ed medications online viagra without doctor prescription
online meds for ed
ed vacuum pumps cheap pills online ed treatment pills
mens erection pills
https://prednisonegeneric20.com/ price of prednisone tablets
https://prednisonegeneric20.com/ prednisone pack
https://valtrexgeneric500.com/ valtrex without prescription us
https://ventolin100mcg.com/ ventolin prescription australia
personal loans for bad credit payday loans online
buy generic drugs cheap tablets canadian pharmacy