During a recent security assessment RedZone asked the customer a standard question about password management:
“Are your passwords being changed on this outsourced web server?”
With Heartbleed, WordPress, and SSL vulnerabilities, an assessor must ask this question. The customer was insistent that the passwords are being changed frequently. That same day the customer received notification from the FBI that their site was hacked, and was being used as spam relay. Vast quantities of data were being hoisted from their site. Why? Because they had not recently changed their passwords. They had made the process of guessing the password easy. The attacker literally had to do nothing except guess a password.
In this age of CLOUD you need to look closely at companies “hyping” their cloud service. You will find that they are simply traditional “HOSTED” services, covered in a marketing wrapper called “CLOUD”.
- Don’t assume that your cloud/hosting provider is rotating passwords
- Look at your contract
- Ask your provider to prove it
Simple suggestions, but Do It!
Have someone on your team ask them to provide a report; a good old-fashioned report that proves the rotation of passwords?
You can’t abdicate password change responsibility to an outsourcer or your staff. Not entirely.
You are the governor, and you must govern.
The person you ask to provide you the report will be stunned with the request. However, have them go into the system and print out a report validating that admin passwords are being rotated. Better yet, get the printed report and an automated tool to force these changes for you. If you want a really cool password change, look at THYCOTIC.
You may laugh, but password change management is like plumbing.
Everyone loves when plumbing works. However, as soon as the toilet overflows, there is hell to pay.
I think that blockchain technologies like Ethereum will change password management capabilities in the future. The amount of connected systems that you have on premises and off premises is making it too hard for human beings to manage. Even with automated systems it is still a challenge.
I love that Blockchain is capable of revolutionizing password management across the world. We may not be 100% there yet, but it is happening. Blockchain, in the words of Daniel Burrus, would be considered a hard trend: “a projection based on measurable, tangible, and fully predictable facts… a future fact that cannot be changed.” Get ready!
Read a great article about 12 Companies Leveraging Blockchain for Identification and Authentication now.
Reduce the Ceiling of IT Security Complexity with the CIO Security Scoreboard. Learn more here
About Bill Murphy
Bill Murphy is a world renowned IT Security Expert, dedicated to your success as an IT business leader. Follow Bill on LinkedIn and Twitter.