One in three IT administrators say that they or one of their colleagues have used top-level admin passwords to pry into confidential or sensitive information at their workplaces, according to a survey by a password-management vendor.
Nearly half of the respondents also confessed that they have poked around systems for information not relevant to their jobs.
“We asked these questions last year, too, and we got similar results,” said Adam Bosnian, vice president of product strategy and sales at Cyber-Ark Software Inc., a Newton, Mass.-based maker of password file security management software.
“So on one hand, the results weren’t surprising. What was surprising initially – and this time around, too – is that people admit to it.”
Last month, Cyber-Ark polled approximately 300 senior IT professionals at a London security conference and trade show, asking them a dozen questions about their password practices.
The survey looked at the use of privileged or administrative (super-user) passwords that exist within most computer systems or software applications.
The majority of those surveyed said they work for companies with more than 1,000 employees.
The fact that one-third acknowledged they had abused an admin password to access out-of-bounds information shouldn’t surprise anyone, said Bosnian.
“Everyone thinks that IT administrators are the trusted ones, and it’s all the rest that we need to worry about. But admin passwords not only give administrators a lot of power, they also provide a lot of anonymity.”
That combination is too tempting for some to fight, and that would explain the high number of respondents who said that they had poked into places they didn’t belong, Bosnian added.
“People think, ‘I feel a little bit safer’ when they’re using an admin password. There could be hundreds of people with access to that password.”
Cyber-Ark’s survey also asked IT workers to select three things they would try to take with them if they were told they would be fired the next day. The top two vote-getters: the customer database (35 per cent) and a list of all privileged passwords (31 per cent).
“That’s not really surprising either, is it?” said Bosnian. “The customer database is one of the company’s most valuable assets.”
The poll also revealed behavior that wouldn’t make any security best practices lists. Almost one-third – 28 per cent – of the IT professionals polled said that they had written privileged passwords on paper, while nearly one in 10 admitted that they never changed critical passwords.
Confidential data accessed by tech professionals with their admin passwords include colleagues’ salary details, personal e-mails or board-meeting minutes, the survey revealed.
As many as 47 per cent of those polled said they had accessed information that was not relevant to their role.
“All you need is access to the right passwords or privileged accounts and you’re privy to everything that’s going on within your company,” Mark Fullbrook, Cyber-Ark’s UK director, said in a statement released with the survey results.
“For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those ‘in the know’ they are the keys to the kingdom,” he added.
Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 per cent being changed every quarter and 9 per cent never changed at all, meaning that IT staff who have left an organisation could still gain access.
It added that seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data, with 35 per cent choosing email and 35 per cent using couriers, while 4 per cent still relied on the postal system.
Cyber-Ark, which markets products used to manage, log and update privileged passwords, is perceived as having a vested interest in highlighting the threat from weak password security.
But observers note that self-interest doesn’t necessarily invalidate the survey’s findings.
The firm has noted that changing administrative passwords is still a labour-intensive process that is too much of a chore for many firms to bother with.
Cyber-Ark’s latest poll reiterates an issue that the company has focused on in previous surveys.
For instance, a similar 2006 survey had revealed that privileged passwords are more powerful but less likely to be changed, a factor that exposes enterprises to a heightened risk of hacker attacks.
That survey showed that privileged router passwords are never changed in 13 per cent of cases, and computer passwords are even less likely to be changed: local workstation privileged passwords are never changed in 21 per cent of cases, and server passwords (13 per cent) and enterprise software application admin passwords (42 per cent) are also never altered.
Bosnian noted that privileged passwords come pre-loaded onto virtually every piece of hardware and software in an enterprise. “Simply put, these super-user passwords are the keys to your kingdom, and yet they are often left unguarded.”
Some questions, however, have been raised about the validity of the latest Cyber-Ark survey results.
For instance, an IT security expert has pointed out that ambiguity in the “snooping” questions may have skewed the results.
The question is whether administrators who access this information are “prying” or just doing their jobs.
Experts note that, as part of their roles, IT administrators may need to access confidential data on a variety of media, including e-mail messages. Because admins may be required to ensure that compliance requirements are met, such access might be a crucial part of their job, it has been pointed out.
With files from Joaquim P. Menezes