Stephane Fymat, Passlogix: Avoiding a ‘Keys to the Kingdom’ attack without compromising security
November 2008 by Stephane Fymat, VP of Business Development and Strategy at Passlogix
In Europe, very few people have heard of Terry Childs. In California, everyone has. Childs is the City of San Francisco’s disgruntled network manager who reset all administrative passwords to the routers for the city’s FibreWAN network and held the city administration to ransom. He refused to hand over the passwords which effectively gave him complete control of the network, locking out all other employees and preventing anyone else from administrating it.
As legal teams try to get to the bottom of how Childs was able to gain so much control, IT managers around the world are working out how to prevent the same thing happening to them.
The complexity of corporate IT systems requires users to memorise more and more passwords: surveys have found that 36 per cent of users have between six and 15 passwords to remember; a further 18 per cent have more than 15 unique identifiers to memorise. Research from Burton Group suggests that the average user can spend up to 15 minutes every day logging on to separate applications – which adds up to 65 weekday hours spent entering user IDs and passwords each year.
Almost everyone has personally experienced password frustration: the inability to remember the details for an important application when they needed it, and the delay in getting the password reset by the IT help desk. Gartner estimates that 25 to 35 per cent of calls made to IT help desks are password related, at an estimated cost of around £15 - £20 a call, adding millions to the support bill at larger companies.
Aside from lost productivity, the excessive administrative overhead and the user frustration, passwords can actually present a significant security risk. In an effort to jog their memories, users will often create passwords that are easy to figure out - such as derivatives of names and birthdays - making it all too easy for hackers to gain access to enterprise applications and data.
Concerns about ineffective password systems and lax password security that enables unauthorised users to breach enterprise networks have caused corporate regulators to take a tougher stance on password security. The Sarbanes-Oxley Act, for example, includes specific clauses on password security. Nonetheless, there are people, including Bill Gates, who question the benefit and long-term future of passwords.
But the problem doesn’t lie with passwords themselves – it’s how they are managed and the lack of best practice in how they are deployed. The latest generation of enterprise single sign-on technologies (ESSO) overcomes the inherent weaknesses of passwords. ESSO eliminates the need to remember - and therefore the risk of forgetting - and is the most effective antidote to the problem of password overload.
ESSO enables users to sign in once with a single password and access all their applications, databases and systems. They no longer need to remember or enter individual passwords for all those applications, so they gain immediate access to corporate information in a more secure, controlled environment. ESSO automates the process of password entry by responding to each log-in prompt without user intervention. New passwords can be automatically generated when old ones expire, and the user ID and password for every application can be stored in a secure central repository.
Quite aside from the very quantifiable savings that can be made in help-desk costs, the benefits of ESSO to the enterprise include simplified administration, improved enterprise security and greater user productivity, all while retaining the ability to achieve compliance with regulations on data protection, privacy and corporate governance.
So why isn’t it more widely used?
ESSO has often been seen as too costly and labour intensive to ever be truly attainable. But the latest advancements in the technology mean that its time may finally have come.
Traditionally, one of the biggest criticisms of ESSO has been that it makes an organisation vulnerable to a single point of attack. The reality is that ESSO provides a higher degree of security. There is no user involvement, so password quality rules can be more easily enforced, for example. Password length and complexity, and the frequency at which passwords are changed, can be greatly increased, making them much more difficult for a hacker to decipher. Since users don’t need to remember each password, unique, complex alpha-numeric combinations of any length, case or format can be created for each application, database or account log-in. Mathematicians have proved that if the length of a password is increased from 8 to just 9 characters, the time to crack the password is increased to 447 years.
Even in the unlikely event of a hacker cracking the password, they would still need access to a workstation with ESSO software on it, or alternatively install software on a workstation themselves. Even then it would require specific knowledge about how to install and configure the ESSO software with the target organisation’s directory.
But the problems associated with passwords aren’t limited to the fallibility of users’ memories and the determination of hackers. The Childs incident illustrated another problem that has passed under the radar at most companies, which place an enormous amount of trust in their IT staff and system administrators. There was only one administrative account on many systems at San Francisco. Childs had open access to system passwords, and so was able to change them without authorisation and lock out his colleagues. It’s not an uncommon scenario – but it is an avoidable and unnecessary one.
The most advanced ESSO software now includes shared and privileged user management capabilities. This enables all administrative passwords to be encrypted and stored in the enterprise’s central directory. Administrators must check out a password from the directory in order to use it - and the request can be approved or denied based upon the administrator’s role and manager’s approval within an identity management system. If approved, the software will log the administrator on to the network device and check the password back in automatically – the administrator never knows the password.
The software will also keep a history of passwords for each network device. So if network devices must be restored from backup, the then-current password can be retrieved. Had this system of shared management capability been in place at the City of San Francisco, Childs would never have been able to hold the City administration to ransom in the way that he did.
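The check-out, automatic logon, check-in and password-history flow described in the last two paragraphs, together with the enforced length-and-complexity policy discussed above, as an added Python example. This is not Passlogix’s code and is not taken from the article; the role names, device names, approval rule and 24-character policy are constructed for the illustration, and encryption of the stored passwords at rest (which the article says the product does) is left out so that the access-control flow stands alone.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed policy: long random passwords with every character class present.
PASSWORD_LENGTH = 24
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def satisfies_policy(pw: str) -> bool:
    """True if pw has the required length and contains all four character classes."""
    return (len(pw) >= PASSWORD_LENGTH
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def generate_password() -> str:
    """Draw a password from a CSPRNG and retry until it meets the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))
        if satisfies_policy(pw):
            return pw


class AccessDenied(Exception):
    """Role or approval check failed; the password is never released."""


@dataclass
class Device:
    name: str
    password: str                                      # current generation
    history: List[str] = field(default_factory=list)   # earlier generations, oldest first
    checked_out_by: Optional[str] = None

    @property
    def generation(self) -> int:
        return len(self.history)


class PrivilegedVault:
    """Check-out, automatic logon and check-in for shared administrative credentials."""

    def __init__(self, roles: Dict[str, str], approver: Callable[[str, str], bool]):
        self._devices: Dict[str, Device] = {}
        self._roles = roles          # user -> role, as an identity management system would supply
        self._approver = approver    # (user, device) -> bool, stands in for manager approval
        self.audit: List[tuple] = []  # (actor, device, outcome) for later review

    def enroll(self, name: str) -> None:
        """Bring a device under management with a fresh, policy-compliant password."""
        self._devices[name] = Device(name, generate_password())

    def checkout_and_logon(self, user: str, device_name: str,
                           logon: Callable[[str, str], bool]) -> bool:
        """Hand the password only to the logon routine, never to the user, then rotate it."""
        dev = self._devices[device_name]
        if self._roles.get(user) != "network_admin":
            self.audit.append((user, device_name, "denied: role"))
            raise AccessDenied(f"{user} lacks the network_admin role")
        if not self._approver(user, device_name):
            self.audit.append((user, device_name, "denied: approval"))
            raise AccessDenied(f"approval refused for {user} on {device_name}")
        if dev.checked_out_by is not None:
            self.audit.append((user, device_name, "denied: already checked out"))
            raise AccessDenied(f"{device_name} is checked out by {dev.checked_out_by}")
        dev.checked_out_by = user
        self.audit.append((user, device_name, f"checked out generation {dev.generation}"))
        try:
            return logon(device_name, dev.password)   # only the outcome reaches the caller
        finally:
            self._checkin(dev)                        # rotate even if the logon failed

    def _checkin(self, dev: Device) -> None:
        dev.history.append(dev.password)
        dev.password = generate_password()
        dev.checked_out_by = None
        self.audit.append(("vault", dev.name, f"checked in, now generation {dev.generation}"))

    def current_generation(self, device_name: str) -> int:
        return self._devices[device_name].generation

    def password_for_generation(self, device_name: str, generation: int) -> str:
        """The password in force at a given generation, e.g. when a backup was taken."""
        dev = self._devices[device_name]
        return dev.password if generation == dev.generation else dev.history[generation]


def demo() -> dict:
    """Constructed scenario: one admin, one help-desk user, two routers, a simulated logon."""
    vault = PrivilegedVault({"alice": "network_admin", "bob": "helpdesk"},
                            lambda user, device: device != "router-core")  # constructed rule
    for name in ("router-edge", "router-core"):
        vault.enroll(name)
    received: List[str] = []

    def router_logon(device: str, password: str) -> bool:  # what the device sees
        received.append(password)
        return True

    backup_gen = vault.current_generation("router-edge")   # a config backup is taken now
    backup_pw = vault.password_for_generation("router-edge", backup_gen)
    out = {"logon_ok": vault.checkout_and_logon("alice", "router-edge", router_logon)}
    vault.checkout_and_logon("alice", "router-edge", router_logon)   # second session
    out["generations"] = vault.current_generation("router-edge")
    out["policy_ok"] = all(satisfies_policy(p) for p in received)
    out["unique_per_session"] = len(set(received)) == len(received)
    out["backup_recoverable"] = (
        vault.password_for_generation("router-edge", backup_gen) == backup_pw == received[0])
    for user, device in (("bob", "router-edge"), ("alice", "router-core")):
        try:
            vault.checkout_and_logon(user, device, router_logon)
            out[f"{user}_denied"] = False
        except AccessDenied:
            out[f"{user}_denied"] = True
    out["audit_entries"] = len(vault.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is in `checkout_and_logon`: the caller gets back only whether the logon succeeded, the password goes to the logon routine and is rotated in `finally`, so even a user who passes the role and approval checks never holds a credential that outlives the session. The per-device `history` is what makes a restore from an older backup possible without keeping a single long-lived password, and the `audit` list is the record an investigator would turn to after an incident like the one described above.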
The lesson from San Francisco is that an effective alternative to basic password systems is needed, one which offers much greater control and security around access to enterprise networks. The number of application passwords that must be managed in many enterprises today is untenable, undesirable and unsafe. The bottom line is simple: passwords no longer provide adequate protection. ESSO is a proven solution that removes the burden from both end users and administrators, and simultaneously hardens the network against attack through strengthened password policies.
The Childs incident highlights the need for greater control over administrative passwords – and the role that ESSO can play in protecting organisations against sabotage by insiders. If we are to avoid a repeat of what happened in San Francisco, widespread adoption of ESSO with shared and privileged user management needs to be seriously considered.