When Edward Snowden, the former NSA contractor, started disclosing the classified details of several top-secret surveillance programs run by US intelligence agencies in June this year, everyone wondered how he had gained access to such highly confidential information.
Five months later, an exclusive report from Reuters reveals that Snowden used perhaps the easiest possible way to gain unauthorized access to the secrets. Misusing his position as a system administrator, he reportedly persuaded nearly 20 of his colleagues to share their login credentials with him under the pretext of doing his job. They unwittingly handed over the credentials, which led to the worst breach of information security in the NSA’s history. They thought they were giving the credentials to a trusted insider, unaware of Snowden’s real intent.
This report reminded me of a funny campaign titled “Passwords are like underwear”, run by Information Technology Central Services at the University of Michigan a few years back to create awareness about protecting passwords.
True, passwords are like underwear – obviously not meant to be shared with others. Unfortunately, practical needs mostly point the opposite way. Business requirements demand selective sharing of passwords with others. In most organizations, users often reveal administrative passwords of sensitive IT resources to their colleagues for one reason or another.
The most common reason for such an ‘unofficial share’ is to cover an emergency during one’s absence, such as an IT manager revealing the password to a senior team member before going on vacation.
Developers, help desk technicians and some third-party vendors / contractors who require access to privileged passwords purely on a temporary basis are supplied with the required passwords, mostly orally or through email. There is no process to revoke the temporary access and reset the password after use, which leaves a big security hole. When passwords are not kept secret and are freely revealed to others, the very purpose of having an authentication mechanism to grant access to the resources is defeated.
Whether it is official or casual, sharing of privileged passwords in enterprises can have disastrous repercussions for the security of the enterprise. Mismanagement of administrative passwords leads to information theft, manipulation and sabotage without a trace.
Though the security and operational problems caused by password sharing are obvious, no organization can truly eliminate sharing altogether. Thus, organizations find themselves in a catch-22 situation!
A Safe Way to Share
Organizations should put in place automated solutions that help share passwords safely with peers on a need basis, and IT policy on password usage should be strictly enforced. Solutions like Zoho Vault securely store passwords in a centralized vault and provide access through a web interface. Access controls are well-defined – users are allowed to retrieve only those passwords that are allotted to them, NOT all passwords of the enterprise.
Passwords should have well-defined ownership – the owner alone should have absolute privilege over the passwords. Unless the owner shares a password, no other user will be permitted to view it. The owner can share passwords with others, granting granular permission levels such as retrieve passwords without viewing them in plain text, view only, view & modify, etc.
When a user views a shared password, an audit trail should be generated. Email notifications / alerts should also be sent to the owner of the password or to the IT head when the passwords of sensitive resources are accessed. At any point, administrators should be able to get a clear picture of ‘who’ has access to ‘which’ passwords and be in total control.
Enterprise-class password management solutions offer advanced features that facilitate real-time, continuous monitoring of activities. When a password is shared with a user, he/she can launch a direct connection to the resource. All activities performed by the user during the privileged session are video-recorded and archived for forensic audits. When a need arises to share the password of a sensitive IT resource with a trusted insider, the video recording helps verify what was actually done.
In addition, retrieval of sensitive passwords should go through a request-release workflow. When a user wants to view a shared password, he/she should first raise a request. Upon approval by the owner / administrator, the user gets time-limited, temporary access to the password. At the end of the usage period, the permission should be revoked and the password automatically reset.
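As an added illustration (not Zoho Vault’s code), here is a small Python model of the controls described above: owner-only release, the three permission levels, a request-release workflow with time-limited grants, automatic reset when a grant expires, and an audit trail of every access or denial. The resource and user names are constructed.

```python
import secrets
from dataclasses import dataclass, field
RETRIEVE, VIEW, MODIFY = "retrieve", "view", "view_modify"  # levels from the post

@dataclass
class Entry:
    owner: str
    value: str
    grants: dict = field(default_factory=dict)  # user -> (level, expires_at)
    audit: list = field(default_factory=list)   # (time, actor, action, detail)

class Vault:
    def __init__(self):
        self.entries = {}   # resource name -> Entry
        self.pending = {}   # (resource, user) -> requested level

    def add(self, owner, resource, value):
        self.entries[resource] = Entry(owner, value)

    def request(self, user, resource, level):
        self.pending[(resource, user)] = level  # request step: nothing granted yet

    def approve(self, approver, resource, user, now, ttl):
        # Release step: only the owner can approve, and only for a limited time.
        e = self.entries[resource]
        if approver != e.owner:
            raise PermissionError("only the owner may release a password")
        level = self.pending.pop((resource, user))
        e.grants[user] = (level, now + ttl)
        e.audit.append((now, approver, "approve", f"{user}:{level}:ttl={ttl}"))

    def _level(self, e, user, now):
        # Revoke expired grants and reset the password automatically.
        for u, (_, exp) in list(e.grants.items()):
            if now >= exp:
                del e.grants[u]
                e.value = secrets.token_urlsafe(16)
                e.audit.append((now, "system", "reset", f"grant for {u} expired"))
        return MODIFY if user == e.owner else e.grants.get(user, (None,))[0]

    def access(self, user, resource, now, plaintext=False):
        # plaintext=False is 'retrieve': the user gets a session handle, not the value.
        e = self.entries[resource]
        level = self._level(e, user, now)
        allowed = level is not None and (not plaintext or level in (VIEW, MODIFY))
        action = "view" if plaintext else "connect"
        e.audit.append((now, user, action if allowed else "denied", resource))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {resource}")
        return e.value if plaintext else f"session:{resource}:{user}"
```

The audit list is what a SIEM would ingest: an approval, a connection, a denied plaintext view and a forced reset all appear as distinct events.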
Normally, cyber incidents do not happen suddenly or on a single day; they are the result of meticulous planning over several months. Password management solutions can send alerts on password access to Security Information and Event Management (SIEM) solutions, which correlate events from related resources and help trace attacks waiting to happen.
In this case, if passwords had been shared with Snowden officially through an automated password management solution, the abnormal behavior in accessing sensitive IT resources could have been identified easily.
The Snowden episode should serve as an eye-opener for all IT divisions – big and small. Organizations should streamline password management practices and bolster internal controls and audits. Otherwise, this kind of breach can happen anytime.