IT Security Pros Admit They Can Use Old Credentials to Access Former Employer Systems

By Peter Bernstein May 28, 2014

Tonight is the night that NBC will air an exclusive interview done in Moscow recently by anchor Brian Williams with NSA leaker Edward Snowden. The reason to mention this is that it provides interesting context for the new “Information Security Survey 2014” from identity management solutions provider Lieberman Software on the subject of the use/abuse of credentials. Especially in the wake of all of the headlines about commercial security breaches on top of the NSA scandal, the survey results are a bit disturbing. The deadline that 13 percent of IT security pros say they can still access the systems of former employers using old credentials should be a major wake-up call.

Time to take stock and take action

The Lieberman survey was conducted at the recent RSA IT security conference. Through personal interviews conducted at the event it looked at the attitudes of more than 270 IT professionals, of who over 55 percent work in an organization with at least 1,000 employees, toward password management and cloud security.

If you found the headline number upsetting, a little more granularity from the interviews is not going to make you feel better.  Survey results included:

  • Of those who can still access their former employers’ systems, nearly 23 percent can get into their previous two employers’ systems using old credentials.
  • More than 16 percent admit to still having access to systems at all previous employers.

In response to these findings, Philip Lieberman, CEO and President of Lieberman Software, said “The results of this research shows that a fundamental lack of IT security awareness in enterprises, particularly in the arena of controlling privileged logins, is potentially paving the way for a further wave of data breaches. Organizations must implement a policy where privileged account passwords are automatically updated on a frequent basis, with unique and complex values. That way, when an employee does leave the company, he or she is not taking the password secrets that can gain access to highly sensitive systems.”

Other findings from the survey also contain some valuable nuggets as food for thought:

  • 84 percent of organizations have a policy to ensure contractors cannot access corporate systems after they leave the company; however, more than 16 percent of respondents admit that their organization either does not have such a policy, or they are not aware of one.
  • Almost 1 out of 4 respondents work in organizations that do not change their service and process account passwords within the 90 day time frame commonly cited as best practice by most regulatory compliance mandates.
  • An overwhelming 80 percent of respondents choose to keep their organization's most sensitive data on their own network, rather than the cloud.
  • Nearly 3 out of 4 of those surveyed say that the cloud applications their users download cause security headaches.

“Companies and government agencies should not take such a lax approach to password management, especially given the attention that the Edward Snowden NSA scandal has received,” Lieberman continued. “Basic security best practices include minimizing the insider threat and sophisticated criminal hackers by managing the powerful privileged passwords that grant access to systems containing sensitive data.”

At this point it should be common sense that changing passwords is essential. Having had to change my personal ones recently because of the Heartbleed Bug, shopping at Target and having a PayPal account, the fact that so many companies have not shored up defenses in terms of such as simple thing as making sure former employees can’t use their old credentials to cruise around and possibly cause mischief is in a word, “mystifying.”  It is hard to believe that it is roughly a year since Snowden first started his leaking activities, it is equally as hard to believe that the response needing greater safeguards as to who has access to corporate networks and systems seems to be so slow.   




Edited by Maurice Nagle
SHARE THIS ARTICLE
Related Articles

US Seventh Circuit Court of Appeals Validates Class Action Suit Over Data Breach

By: Peter Bernstein    7/27/2015

Since what follows is about legal matters, let me start with the disclosure that I am not a lawyer, have no legal training and this is not an attempt …

Read More

The Do's and Don'ts of Viral Content Promotion

By: Drew Hendricks    7/27/2015

Viral content promotion is the word we use to describe content that just simply takes off on its own. It creates a brand out of nothing and can quickl…

Read More

Windows 10: Z Generation is When Everything Will Change.

By: Rob Enderle    7/24/2015

I started looking at the new Windows 10 ads and it got me thinking about how much change we will have seen that the next generation of Windows users w…

Read More

AT&T-DirecTV Merger May Benefit Consumers in a Big Way

By: Tara Seals    7/24/2015

The FCC is about to approve a $49 billion merger between AT&T and DirecTV, the No. 1 US satellite TV provider, and if the conditions that the commissi…

Read More

AT&T, House of Cards and Net Neutrality

By: Doug Mohney    7/22/2015

The Federal Communications Commission (FCC) is green lighting AT&T's $49 billion takeover of DirecTV, in exchange for promises to abide by stricter Ne…

Read More