Another problem is the fact that privileged passwords are often shared among multiple staff who might need access to the same system for various reasons. "When you are talking about a shared password you might not even know who has access to the password [over time]," said Boaz Gelbord, executive director of information security at Wireless Generation Inc., a technology services provider to the educational market.
Because such passwords are shared by people across multiple functional groups, they are seldom changed and, over time, end up being used by numerous individuals.
Many companies are still failing to adequately log and audit the use of such shared passwords to gain access to critical systems, Gelbord said. "There is a fundamental difference between a regular password and a shared password," he said.
While companies have fairly mature processes for forcing changes for regular passwords, few have the same processes for privileged passwords, he said.
More tools are becoming available to companies to help better manage privileged access accounts. Though such tools can do little to stop a really determined insider from abusing his or her privileged access, they do make it harder, Gelbord said.
His company is using a password management tool from Cyber-Ark Inc. to centralize privileged user accounts, apply policies to them, as well as log and audit their use.
"I think the real benefit of having such tools is not so much about preventing a particular person from hitting a particular system," Gelbord said. Rather, it's more about instituting a process for controlling access to privileged accounts, he said. "You want to know exactly who has access to your critical systems at all times."
Cyber-Ark's products are designed to help companies centralize and securely manage privileged accounts, and can be used to automatically change passwords, as well as audit and log use.
The technology can be used to enforce privileged account policies on Unix/Linux, Windows, Cisco, Oracle, SAP, and other environments. The company is one of a handful of vendors, including Symark International Inc. and e-DMZ, offering tools designed to help companies better manage privileged accounts.
While such tools can be useful, it's vital that companies monitor the alerts generated by them and sift through the false positives, Cortes said.
Security managers need to do a daily audit and control report looking at all of those who have access to critical systems and ensuring that they have them for a legitimate reason, she said.
"I wouldn't expect to see more than one or two names for any application," Cortes said. "When you start to see the number grow, it's time to look into the matter."
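The daily audit report Cortes describes can be reduced to two checks over a vault's checkout records: how many distinct people used each privileged account, and how long ago its password was last changed. The script below is an added illustration, not code from the article or from any vendor named in it; the checkout rows, rotation dates, and the 90-day rotation limit are constructed assumptions, while the "no more than one or two names per application" threshold is Cortes's own rule of thumb.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one row per privileged-account checkout as a vault
# would log it. Fields: application, account, user, checkout date.
CHECKOUTS = [
    ("payroll", "root",  "alice", date(2024, 3, 1)),
    ("payroll", "root",  "bob",   date(2024, 3, 2)),
    ("payroll", "root",  "carol", date(2024, 3, 3)),
    ("payroll", "root",  "dave",  date(2024, 3, 4)),
    ("crm",     "sa",    "erin",  date(2024, 3, 1)),
    ("crm",     "sa",    "frank", date(2024, 3, 2)),
    ("erp",     "admin", "alice", date(2024, 3, 3)),
]

# Constructed sample: (application, account) -> date of last password change.
LAST_ROTATED = {
    ("payroll", "root"):  date(2023, 6, 15),
    ("crm", "sa"):        date(2024, 2, 20),
    ("erp", "admin"):     date(2024, 1, 10),
}


def audit(checkouts, last_rotated, today, max_users=2, max_age_days=90):
    """Return the findings a reviewer should look into.

    "too_many_users": more distinct people checked out the account than
    the expected one or two names per application.
    "stale_password": the shared password has not been rotated within
    max_age_days (an assumed policy value).
    """
    users = defaultdict(set)
    for app, account, user, _ in checkouts:
        users[(app, account)].add(user)

    findings = []
    for key, names in sorted(users.items()):
        if len(names) > max_users:
            findings.append(("too_many_users", key, sorted(names)))
    for key, rotated in sorted(last_rotated.items()):
        age_days = (today - rotated).days
        if age_days > max_age_days:
            findings.append(("stale_password", key, age_days))
    return findings


if __name__ == "__main__":
    for kind, (app, account), detail in audit(CHECKOUTS, LAST_ROTATED, date(2024, 3, 5)):
        print(f"{kind:15} {app}/{account}: {detail}")
```

On the sample data the report flags the payroll root account twice: four different people used it in one week, and its password is 264 days old.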