Friday, October 29, 2010

38% OF PAYMENT CARD BREACHES WERE DUE TO ABUSE OF ACCESS PRIVILEGES AND GUESSABLE CREDENTIALS: STUDY

The PCI and RISK Intelligence teams of Verizon have recently published a report titled "Verizon 2010 Payment Card Industry Compliance Report". The report is the result of detailed analysis of nearly 200 PCI assessments done by Verizon Qualified Security Assessors (QSAs) during 2008 and 2009. The sample for the analysis included a mix of organizations of various types.

The report lists the top threat actions based on 2008-2009 payment card breaches investigated by the Verizon IR team. Of the ten threat actions, exploitation of default or guessable credentials and abuse of system access/privileges were found to be the cause of 38% of the breaches.

Time and again, we have been highlighting in this column two very important facts:
  • the security threats caused by the insiders of the enterprises - either disgruntled staff or greedy techies or sacked employees
  • stolen identities, default credentials, guessable passwords could be serving as the ‘hacking channel’ for many cyber-crimes

The Verizon study once again lends credence to the belief that improper management of the administrative passwords and lack of effective internal controls often remain at the root of a good number of security threats.

What is the way out?

One of the effective ways to achieve internal controls is to deploy a Privileged Password Management Solution that could replace manual processes and help achieve the highest level of security for the data.

Though the reality is that it is not possible to prevent/avoid all security incidents, the ones that happen due to lack of effective internal controls are indeed preventable.

Password Manager Pro, a trusted solution, helps achieve precisely this. A secure vault for storing and managing shared administrative passwords and digital identities, Password Manager Pro helps eliminate password fatigue and security lapses, achieve preventive and detective security controls, meet security audits and improve IT productivity.

With insider threats looming large, taking preventive action is the need of the hour. Use Password Manager Pro and Stay Secure!

Complete details of the Verizon 2010 Payment Card Industry Compliance Report: http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf

Bala

Saturday, November 21, 2009

How to combat increasing cyber security threats?

Of late, cyber-criminal activities across the globe have assumed such grave proportions that all enterprises - big and small - are exposed to security breaches and identity thefts of various kinds. Many acts of sabotage were found to have been caused by the insiders of the enterprises - either disgruntled staff or greedy techies or sacked employees.

Lack of well-defined internal controls and access restrictions generally paves the way for security incidents. Particularly, as stolen identities seem to have served as the ‘hacking channel’ for many cyber-crimes, improper management of the administrative passwords is believed to be at the root of a good number of security threats.

Security experts strongly believe that many security incidents (though not all) are actually avoidable by placing access restrictions and well-defined password policies.

How can we combat the threats?

Read my article on 'Combating Cyber Security Threats' in Express Computer (Nov 23rd issue):

http://www.expresscomputeronline.com/20091123/technology04.shtml

Bala

Thursday, November 19, 2009

How do you manage website passwords?

Nowadays, even for personal needs, we are largely dependent on online services. At the enterprise level, it becomes much more complex.

Just reflect on the following questions:
  • Do you face problems in remembering the credentials of website login accounts?
  • Do you have a large number of web accounts and wish to automatically login to the sites without manually entering the user name and password?

If the answer to the above questions is 'yes', you must take the services of a password manager. ManageEngine Password Manager Pro is there to help you!

By simply storing the URL of the web page and the login credentials, you can launch direct connection to the required website from Password Manager Pro. That is, the URL of the website would be visible in Password Manager Pro and upon clicking that you will be logged in to the website directly.

There is a step-by-step tutorial on how to implement this feature. Along with the textual explanation, the tutorial contains a two-minute video presentation at the end. Don’t forget to check that out too!

Bala

Wednesday, November 11, 2009

Have you ever revealed your administrative passwords to your colleagues?

Have you ever revealed the administrative password of an enterprise resource to your colleague? And do you strongly believe that your passwords remain secure even after telling others? If so, you must read this interesting survey done by SecurEnvoy.

The survey results reveal that 75% of UK employees have admitted that they have told at least two other colleagues their corporate passwords.

SecurEnvoy states that while workers are trusting of their colleagues, it may not be a great idea to share passwords so easily since it can compromise one’s entire work life.

The concern raised in the survey is well-founded. Enterprises - big and small - face security issues and outages quite often. After all, mismanagement of administrative passwords lies at the root of all security issues.

It is always good to avoid sharing of administrative passwords. But, what if your business needs demand that you selectively share passwords with others and yet ensure high levels of security? Caught in a catch-22 situation, right?

But take heart, you have ManageEngine Password Manager Pro for your rescue. Using this Enterprise Password Management Solution, you can store thousands of administrative passwords in a centralized repository and selectively share the passwords with others. You can have the trail of 'who', 'what' and 'when' of password access. The passwords are shared, yet remain highly secure. Exactly what you want!

To know more, visit ManageEngine Password Manager Pro

Bala

Saturday, November 22, 2008

Enterprise Password Management

Passwords, passwords everywhere

We are living in the age of Information Technology and computers. We get most things done with a click of a mouse. At the personal level, we need to remember a lot of passwords - right from Email passwords, bank PIN numbers, logins for travel booking and so on. If Samuel Taylor Coleridge were alive today, he would have probably rephrased his immortal lines "Water, water everywhere, nor any drop to drink" as "Passwords, passwords everywhere".

At the Enterprise Level, the problem gets quite complex. There are servers, databases, switches, routers, firewalls and a whole lot of IT applications. Each application has its own 'administrative accounts', which are managed by IT and Network Administrators.

Administrators in enterprises follow their own way of managing their passwords. Some store the passwords in spreadsheets, some others on paper and so on. This naturally brings with it security issues. Of late, cyber-criminal activities across the globe have assumed such grave proportions that all organizations - big and small - are exposed to security breaches and identity thefts.

Similarly, the threats by the insiders are becoming very high nowadays. When an administrator leaves the organization, he might be possessing a copy of the administrative passwords. If he has malicious intent, he might unleash a cyber-attack.

Administrative passwords give unlimited access to the users and if a hacker gets access to them, the very business of the enterprise would be in jeopardy. Effective and efficient password management alone is the solution to safeguard your IT resources.

There are quite a lot of enterprise password managers in the market. One such solution is ManageEngine Password Manager Pro from AdventNet. While offering all enterprise-class features, the solution is affordable even to small enterprises. The pricing starts at US $495.

"Password Manager Pro is a trusted solution to securely store, access and administer shared administrative passwords. It enables IT managers to maintain a central repository of passwords, enforce standard password policies and control unauthorized user access to shared passwords. It also provides a complete record of 'who', 'what' and 'when' of password access," says the website of Password Manager Pro.

Take a look ... I will continue blogging about Password Management!