Information Security News mailing list archives

Are Your IT Pros Abusing Admin Passwords?


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 20 Oct 2011 03:56:16 -0500 (CDT)

http://www.informationweek.com/news/security/vulnerabilities/231901118

By Mathew J. Schwartz
InformationWeek
October 19, 2011

One in four IT professionals say they know of at least one IT co-worker at their business who's used privileged login credentials to inappropriately access sensitive information. Furthermore, 42% report that IT staff freely share passwords and access to multiple business systems and applications.

Those findings come from a survey of 300 IT professionals--two-thirds of them working for businesses with 10,000 or more employees--recently conducted by Lieberman Software, which sells privileged identity management software.

When it comes to securing systems, experts recommend using long, random passwords that mix character types (uppercase and lowercase letters, symbols, and numbers), never reusing a password, and changing passwords with some frequency. But many end users fail to follow those recommendations unless faced with systems that automatically enforce password rules.

Interestingly, the survey found that the same holds true for many businesses' IT departments. In particular, 25% of survey respondents said that at least some of the superuser passwords that grant all-access rights to hardware, applications, or databases were less complex than the business' end-user password policies required. Furthermore, since many of these superuser passwords were shared freely between employees, spotting inappropriate, administrator-level access to sensitive data and tracing it back to the person responsible would be difficult.

[...]

