CA Community






Lessons Learned from Rogue Privileged User Trial

Published: December 16 2009, 11:40 AM
by Chris Wraight

This week the trial opened against a former city network engineer accused of hijacking the city's computer network by withholding the passwords, and with them any access to the system (he was the only one with the passwords). Whether the engineer is found guilty of a crime in this case remains to be seen, but there are several lessons to be learned from this incident:

  • No single privileged user should ever have sole control over all the admin passwords. The potential for abuse of this authority (as seen here), or for a privileged user to make a mistake, is always present.
  • Passwords need to be securely managed. Options range from one-time-use passwords to on-demand passwords and 'break glass' scenarios. Password use must also be audited, and time limits placed on it.
  • It's important to segregate privileged users' duties and securely protect the recording of their activities. Privileged users should have the access they need to do their job. However, that does not include access to the log data that records their monitored activity, and certainly not the ability to modify it.
  • Although not a lesson from this instance, regulatory requirements have put access management technologies - particularly as they relate to privileged users - squarely on the radar of security and compliance professionals. Demonstrating control of privileged users in advance of an incident is a significant regulatory requirement for PCI, ISO27001, and SOX.

 

By: Chris Wraight
Chris Wraight has spent 25+ years in the technology world in various positions of product management, marketing and sales. He is currently working on CA Inc.'s Access Control security product in its Security Management business. Chris has a B.S. in Management with Computer Applications from WPI.