Edward Snowden, a former contractor with the National Security Agency, convinced up to two dozen NSA employees to part with their passwords, saying he needed the credentials to do his job, according to a Nov. 8 report by Reuters citing unnamed federal investigators.
If the allegations are true, it would be a serious violation of security practices, but one that is all too common within enterprises of every description. More than half of businesses allow password sharing among approved users, according to a report released in May by CyberArk, a security firm that specializes in protecting and managing the accounts of privileged users.
Yet sharing a password with others can allow impersonation, making the investigation of security incidents a nightmare, John Worrell, chief marketing officer for CyberArk, told eWEEK.
"One of the constants of security has been that you don't share credentials," he said. "The reason is that all the access control is based on identity, so if the credential is wrong, the identity is wrong, and the access control is useless, and as Snowden has shown, the result can be disastrous."
Snowden, a former employee of NSA contractor Booz Allen Hamilton, leaked documents starting in June on the mass data-collection and surveillance activities of the intelligence agencies of the United States and its allies. He is currently in Russia, after being granted "temporary" asylum by the Russian government in August.
No matter the opinion about Snowden, the incident demonstrates why companies that want to harden their businesses against rogue insiders need to enforce policies prohibiting the sharing of user credentials. Privileged accounts should be more closely guarded, because an attacker with access to privileged credentials can do far more damage, according to CyberArk. On average, companies have between three and four privileged accounts for every employee, CyberArk's data shows.
When an attacker is able to obtain privileged-account access, they can appear to be an insider, giving them the ability to do far more damage and access far more sensitive information than normal. In some of the most serious recent attacks, such as the breach of RSA Security and digital attack on Saudi Aramco, for example, the attacker used an employee's credentials to expand their initial compromise of the victim's network. Incident response firm Mandiant has found that sophisticated attackers, known as advanced persistent threats (APTs), make it a priority to get legitimate credentials inside a victim's network.
"Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected," Mandiant stated in its APT1 report released in February. "These actions are hard to detect because legitimate system administrators also use these techniques to perform actions around the network."
Companies should implement proactive controls to make sure that each credential is only used by a single employee, monitor the access to all critical resources and use analysis to detect any violations, said CyberArk's Worrell.
"The combination of proactive protection with real-time continuous monitoring, and the detection capability, are really what is needed to protect these accounts," he said.