RealTime IT News

Passwords Are a Hidden PCI-Compliance Danger

PCI Compliance

While corporations are struggling with PCI compliance after PCI 6.6 became mandatory June 30, they may be overlooking one of the most critical areas for compliance -- passwords.

Generally, enterprises do not revoke passwords when their owners move to other departments within the company or leave, resulting in orphaned accounts.

But user and system administrator passwords are just the tip of the iceberg -- literally thousands of other passwords are hidden from view, such as application-to-application passwords, passwords embedded in applications and the passwords every device on a corporate network comes with.

The last category includes laptops, desktops, appliances, routers, bridges and just any other device you can think of.

"If you don't change the default passwords applications and devices are shipped with, you could fail your PCI audit, because these are freely available online," Robert Grapes, chief technologist of Cloakware's data center solutions, told InternetNews.com.

"There's more than 3,000 vendors and products listed with the default passwords on the Internet; very few people go through their devices or operating systems and change the passwords," he added.

Identities and passwords that have been hard-coded into applications or servers are the most difficult to revoke or change, and are often ignored because of this.

"I talked to one company who had not changed passwords on particular systems of theirs for 17 years," Grapes said.

Passwords on applications and devices, and administrator passwords, are privileged accounts, meaning they have more permissions and rights than the average end user. Such accounts constitute one of the biggest potentials for enterprise security breaches.

"There are many times the number of privileged accounts operating on your network than there are end user accounts," Grapes said.

For example, in an enterprise with, say, 1,000 end users running on Windows, every laptop, desktop and server will have a local administrator account and service accounts that are not being managed, according to Grapes.

Then there are all the back-end applications running on other systems, such as Unix servers, blades and mainframes, the network management systems, the database accounts, each of which will have multiple privileged accounts.

The proliferation of privileged accounts is so great that "we recently completed a transaction with a large European bank with 80,000 employees, and they bought a contract for 525,000 accounts," Grapes said.

It's impossible to root out all the passwords and change them individually to comply with the PCI regulations, and Grapes said automation is the best solution.

The PCI regulations' password requirements proved a "major, major pain" for the large U.S. retail chain where Joey Peloquin used to work.

"We had more than 160,000 users, and automation was the only way we could solve the problem," Peloquin, now a senior security consultant in HP software professional services' application security division, told InternetNews.com.

His former employer selected a product from Cyber-Ark called the Enterprise Password Vault; Cloakware also offers a solution, called the Cloakware Server Password Manager.

Some enterprises let systems administrators share identities and passwords to contain password sprawl, but that generates problems of its own.

"If you have 10 administrators sharing a password and ID, how can you audit and trace who performed a particular function on that system?" Grapes asked.

Such tracking information is crucial to passing an audit.

The cost of failure can be high. When Peloquin's former employer failed a PCI audit, "we lost millions of dollars on the day we failed just through the increased commissions we had to pay," he said.