Privileged Account Security & Compliance Survey Report

Transcription

1 Privileged Account Security & Compliance Survey Report May 2013

2 Executive Summary Cyber-Ark s 2013 Privileged Account Security & Compliance Survey is the company s first global IT security survey focused on assessing how organizations are identifying, managing and securing privileged and administrative accounts. The survey report is the result of interviews with 236 IT security professionals and C-level (CIO, CSO, CISO) professionals across North America and EMEA. Privileged accounts have emerged as the primary target for advanced enterprise attacks and have been exploited to perpetrate some of the most devastating cyber-attacks and data breaches in recent memory including attacks occurring at Saudi Aramco, Global Payments, South Korea, U.S. Dept. of Energy, South Carolina Dept. of Revenue, and more. The category of privileged accounts consists of privileged and administrative accounts, default and hardcoded passwords, application backdoors, and more. These accounts act as a gateway to an organization s most sensitive data and are accessible across systems, applications and servers. The survey results reveal that the majority of organizations do in fact understand the power of these accounts and believe they re managing them as part of a risk and compliance policy. However, the data shows that most organizations are woefully unaware of the scope of the problem because they simply do not know how many privileged accounts exist in their organization or where to find them. According to the survey, 86 percent of large enterprises either do not know, or have grossly underestimated the magnitude of their privileged account security problem. Hundreds, and in some cases thousands, of privileged accounts sit unmanaged and unsecured within an organization providing cyber-attackers an open door to sensitive data such as intellectual property, personal information, financial records, health information, and more. In addition, the survey highlights that most organizations are using manual processes (such as spreadsheets) to manage their privileged accounts or including privileged account management as part of a broader Identity Management suite implementation. This approach to privileged account management fails to meet even the basics of privileged account security and leaves these organizations vulnerable against the latest attacks. Other points of note: 51 percent of organizations surveyed stated that privileged and administrative account passwords were shared among approved users. Industry best practice indicates that passwords for privileged accounts should never be shared, as it increases the risk of the password being used by unintended users and cannot provide accountability for security and audit/compliance. 53 percent of large enterprises (5,000+ employees) take 90 days or longer to change their privileged or admin passwords. (76 percent of large enterprises take 60 days or longer.) Given the nature of today s advanced threats, Cyber-Ark recommends that privileged account password changes should be automated and restricted to one-time use to ensure tight security standards. The first step in securing the enterprise is to identify all the vulnerabilities and backdoors that are open and susceptible to attack. The second step is to place automated controls on these accounts to ensure only the properly credentialed are gaining access, and that the accounts are not being used to carry out the latest advanced attack by cyber-attackers. The third step is to continually monitor and provide alerts on suspicious behavior. Cyber-Ark strongly recommends that privileged account management processes be automated to enforce controls, while providing a clear audit trail for accountability and security. As demonstrated by this survey, the industry has a long way to go before organizations can fully understand the scope and begin to address the privileged account security problem Cyber-Ark Software, Inc. All rights reserved 1.

3 Key Report Findings Identifying and Changing Default Passwords Default passwords are found on almost every hardware and software application developed. These accounts primarily provide the manufacturer with a backdoor for administration of the software/hardware. The abuse of default and hardcoded passwords by cyber attackers has led to some of the biggest data breaches in the past months. Identifying and changing default passwords is a critical step in securing the enterprise. 78 percent of all businesses surveyed said they have defined business processes in place for changing default passwords on hardware and software. 22% Yes, we have defined process in place No, we do not have a defined process in place 78% Figure 1 Does Your Organization Have a Defined Business Process in Place for Changing Default Passwords on Hardware and Software? These findings vary by company size. For small-to-medium-sized businesses (categorized as businesses between 1 and 5,000 employees), 73 percent of respondents have a defined process in place to identify and change default passwords. Among large enterprises (5,000 employees and above), 84 percent of respondents indicated that they have a defined process in place % 27% 16% 16% % 73% 84% Yes, we have defined process in place No, we do not have a defined process in place 3 SMBs (under 5,000 employees) Large Enterprises (5,000+ employees) Figure 2 Does Your Organization Have a Defined Business Process in Place for Changing Default Passwords on Hardware and Software? 2013 Cyber-Ark Software, Inc. All rights reserved 2.

4 Changing Privileged or Administrator Passwords Privileged accounts are an organization s most powerful access points and are the keys to unlocking a company s most valuable asset its data. Privileged accounts include domain passwords, local admin passwords, service accounts, and more. While 82 percent of businesses have processes in place to change these passwords, 49 percent take 90 days or longer to change passwords. Cyber-Ark recommends that privileged account password changes should be automated and restricted to one-time use to ensure tight security standards. 18% Yes No 82% Figure 3 Does your company have a process in place for changing privileged or admin passwords? 5 45 % 4 35 % 49% 3 25 % 25% 15 % 10% 16% 5 % Figure 4 Each time after its been used Monthly (every 30 days) Bi-Monthly (every 60 days) 90 Days or longer With what frequency do you change the privileged or admin passwords? 2013 Cyber-Ark Software, Inc. All rights reserved 3.

5 Large enterprises (84 percent) were more likely than SMBs (73 percent) to have defined business processes for changing privileged or administrator passwords % 16% % 84% Yes No 3 SMBs (under 5,000 employees) Large Enterprises (5,000+ employees) Figure 5 Does your company have a process in place for changing privileged or admin passwords? 53 percent of large enterprises take 90 days or longer to change their privileged or admin passwords. (76 percent of large enterprises take 60 days or longer.) 90 Days or longer 45% 53% Bi-Monthly (every 60 days) 23% 25% SMBs (1-5,000 employees) Monthly (every 30 days) 13% 21% Large Enterprises (5,000+ employees) Each time after its been used 11% 9% Figure 6 With what frequency do you change privileged or admin passwords? 2013 Cyber-Ark Software, Inc. All rights reserved 4.

6 Scoping the Privilege Account Security Problem Identifying and Counting Privileged Accounts Based on the examination of more than 1,200 customer deployments, Cyber-Ark determined that the number of privileged accounts in any organization is typically 3-4 times the number of employees. According to the survey, 86 percent of large enterprises either do not know, or have grossly underestimated the magnitude of their privileged account security problem (Figure 7). Amazingly, 30 percent of respondents from large enterprises believed they had between privileged accounts. For an organization with 5,000 employees, the number of privileged accounts would be at least 80 times higher than the estimate. 62% % 31% 3 15% 8% 10% 1% 4% 14% 14% 14% 11% ,000 1,001-5,000 5,000+ I don t know 1% SMBs (1-5,000 employees) Large Enterprises (5,000+ employees) Figure 7 In your estimation, how many privileged accounts are there in your organization? 2013 Cyber-Ark Software, Inc. All rights reserved 5.

7 Privileged Accounts Found in Any Device with a Microprocessor One of the primary reasons that organizations have a difficult time accounting for their privileged accounts is that they simply do not know where they exist. Privileged accounts consist of privileged and administrative accounts, default and hardcoded passwords, application backdoors and more. These accounts exist in every server, networked device, application, operating system and any device with a microprocessor. When asked to select each part of the enterprise IT infrastructure where privileged accounts exist, 63 percent of respondents correctly stated in every device/application (see Figure 8). This means that 37 percent of respondents do not know where to find privileged accounts. Figure 8 I believe privileged accounts are found in: % 3 26% 12% 12% 6% 6% 8% Enterprise PCs & Infrastructure Laptops -servers -switches -storage -security appliances Databases Network Devices -copiers Applications Operating Systems -phone systems -printers -fax All the above 2013 Cyber-Ark Software, Inc. All rights reserved 6.

8 Shared Vulnerabilities Half of Businesses Share Privileged Passwords Despite best practices recommending against sharing privileged user and administrative accounts, half of all businesses stated that they shared these accounts in their organization. Industry best practice indicates that passwords for privileged accounts should never be shared, as it increases the risk of the password being used by unintended users and cannot provide accountability for security and audit/compliance. 51% 49% Yes No Figure 9 Are privileged account passwords shared among approved users? The problem is more wide-spread among large enterprises, where 56 percent of respondents stated they shared privileged accounts, opposed to 47 percent of SMBs surveyed % 44% 7 6 Yes % 56% No SMBs (1-5,000 employees) Large Enterprises (5,000+ employees) Figure 10 Are privileged account passwords shared among approved users? 2013 Cyber-Ark Software, Inc. All rights reserved 7.

9 Understanding Privilege Risks Does Not Equate to Securing Them Unmanaged privileged and administrative accounts are one of the most common ways for an organization to fail compliance audits. According to the survey, 72 percent of organizations monitored or recorded privileged activity as part of their risk and compliance strategy. 28% Yes, we have defined process in place No, we do not have a defined process in place 72% Figure 11 Does your organization monitor or record privileged account activity as part of its risk/compliance strategy? Despite monitoring privileged account activity as part of their compliance strategy, only 18 percent of respondents use a privileged identity management solution to automate the process. This means that 82 percent of businesses are trying to harness thousands of critical vulnerabilities with manual processes, or solutions not designed to address the depth of the problem. This failure to address a known and growing issue is a leading contributor to some of the most devastating cyberattacks since Industry best practice is to implement a privileged account management solution to automate these processes, enforce controls, while providing a clear audit trail for accountability and security. 25 % 15 % 23% 25% 15% 8% 18% 10% 5 % 2% Manual/ Paperbased Homegrown software IAM -Oracle -CA -Etc. Privileged Identity Management Software SIEM -ArcSight -McAfee -Etc. DAM -Guardium -Imperva -Etc. Other Figure 12 How do you monitor or record privileged account activity? 2013 Cyber-Ark Software, Inc. All rights reserved 8.

10 About Cyber-Ark Cyber-Ark Software is a global information security company that specializes in protecting and managing privileged users, sessions, applications and sensitive information to improve compliance, productivity and protect organizations against insider threats and advanced external threats. With its award-winning Privileged Identity Management, Privileged Session Management and Sensitive Information Management Suites, organizations can more effectively manage and govern data center access and activities, whether on-premise, off-premise or in the cloud, while demonstrating returns on security investments. Cyber-Ark works with more than 1,200 customers, including more than 40 percent of the Fortune 100. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, please visit Media Inquiries: Christy Lynch Cyber-Ark Software, Inc. Phone: christy.lynch@cyber-ark.com Brian Merrill fama PR (US) Phone: cyber-ark@famapr.com 2013 Cyber-Ark Software, Inc. All rights reserved 9.