Office Memo 18
Office Memo 18
20 May 2005

Confessions of a CTO
Maybe it's the culture of Jerry Springer and Oprah Winfrey but, whatever is at the root of it, it seems that many CSOs and CIOs have suddenly decided to bare their souls.[1] As a result, they are discovering that, like most things in life, it does help to talk about your problems. With the growing awareness of the need to protect information, and the almost daily reports of data theft, it is becoming increasingly difficult to ignore what is potentially a problem of enormous proportions in most organizations.
As we know, most organisations depend extensively on distributed computing architectures. And for every new device, operating system, piece of middleware and other kind of component, there needs to be another set of privileged accounts used by administrators and operators. In many cases, organisations are unaware of just how many of these accounts exist in a given application program or system.
These privileged accounts provide access to the computing environment. Frequently they allow unregulated access to files, programs and data. If not properly protected and managed, they represent a significant risk to any organization.
Privileged accounts aren't easy to manage. They are usually shared among many people, sometimes left with default passwords and are generally unkempt. The bottom line is that many organisations today are frighteningly exposed when it comes to the security of sensitive information within their organisations. They simply have no idea how to solve the problem. In fact, in many cases the IT managers have simply gone into denial. To expose the time-bomb that they are sitting on could cost them dearly. In the end it comes down to a head in the sand, it won't happen to us mentality because they simply see no practical solution.
In the confessional
Here are some of the more common, stress related, professional suicide confessions that are common throughout the country:
“We're supposed to change passwords regularly but don't because we have no manpower”
“We assign administrator rights to user accounts and we hope no one will abuse them”
“We never change default passwords because we might lose them. Then how could the manufacturer ever access the system to fix it?”
“We've solved the problem of passwords by giving every system and application the same password”
“We have absolutely no idea how many administrative passwords we have”.
One of the most frequently heard confessions has to do with not following internal audit procedures. Many organisations have a huge number of systems and applications that can be accessed using only by using a shared identity, for example “administrator” or “root”. To avoid the misuse of these identities, auditors quite rightly recommend a policy of regularly changing these passwords. This presents the CIO or CSO with a dilemma. If they strictly adhere to the policy, personnel will be changing passwords ceaselessly and trying to distribute them securely to those who need access to them. The alternative is to do nothing, in the hope that no one will discover their inactivity.
When sharing is not good
Another serious problem is the admission that managers turn a blind eye to bypassing procedures to avoid having to share a password among individuals. In this case, the manager simply allows groups of people to be given the necessary privileges on their personal accounts. As a result, managers frequently have no idea how many administrative accounts are in existence on all the systems. There is also an increased risk of vulnerability.
Just this month, Microsoft has announced that there is a vulnerability in certain versions of Windows that could allow remote code execution if someone is logged on with administrative user rights. This would allow an attacker to hijack the session and install programs; view, change, or delete data; or create new accounts with full user rights. There is a patch available for this problem, but in the corporate environment, the IT staff cannot simply apply patches daily, especially when it affects impacts servers.
“We have never changed the default password that was supplied by the manufacturer” is an often-heard admission. There are major corporations whose entire networks are controlled by hundreds of routers and firewalls using the manufacturer's default password. They have not been able to find any effective way to securely store and change these passwords, so have simply left them as they are.
A leader in the confessions list is the admission that every workstation in an organisation has the same password. One financial institution voluntarily admitted to having thousands of workstations with the same administrator password, and had no idea how to change this. Although they accept that this is a huge security hole, they did not see any realistic way of managing local administrator accounts on workstations.
Having a policy
An occasional confession is that the CSO does not know how different groups apply policies. It is not unusual to be sitting in meetings and find different groups arguing, Meanwhile, the poor individual tasked with compliance is holding his head in his hands.
The simple truth in many organisations is that there is a lack of control over how different groups within IT manage sensitive information. In one meeting, it emerged that those who managed the Windows servers and associated applications allowed outsourced personnel to have administrator privileges on their user accounts. Meanwhile, those who managed the Unix systems had a procedure where outsourced personnel required permission to have root access to systems. When asked if the company had an “emergency envelope” procedure, the two groups started to argue in front of the vendor, to the dismay of the internal auditors who were sitting in the meeting.
There are many other examples that we have come across but these few are sufficiently damning. They are not isolated incidents. To show the size of the problem, a quick search of the Internet for “default password list” will return over 1400 default user accounts and passwords. These are associated with application programs, database software, operating systems and network devices shipped by manufacturers. In certain cases, a default account that provides full access to an application will have no default password. Add to this the myriad of accounts created by organisations, and the potential to do serious damage is immense.
Mind you, it may be that the willingness to confess has something to do with the conviction that the person hearing the confession has the means to help deal with the problem. So, if you are looking to unburden your conscience, don't worry, there is software that can digitally manage and organize your passwords for you. You'll have one less confession to make!
[1]  In case you're wondering, a CTO is a chief technology officer, a CSO is a chief security officer and CIO is a chief information officer. Indians have been abolished.

***

Calum MacLeod, European Director of Cyber-Ark Software contributed this article. Our thanks go to him.


About Office Memos
An Office Memo is an extended comment on what is happening in the world of the electronic business and elsewhere. Some memos will have appeared in Office Jotter; others are simply referred to in it.
You are free to disagree with, amplify or even agree with anything that appears in Office Jotter or an Office Memo. Of course, the rest of us will never know this unless you write in with your views, so please comment, in the blog or with an Office Memo*.
Content from Office Jotter or Office Memo may be circulated freely, so long as you remember to credit its source.
Thanks,
Publisher and editor

*No more than 1,000 words at a time, please. I edit material for publication but as lightly as possible.
Copyright Roger Whitehead, 2005. I hereby assert and give notice of my right under section 77 of the Copyright, Designs and Patents Act 1998 to be identified as the author of these publications.