Privileged Account Security & Compliance Survey Report May 2013


© 2013 Cyber-Ark Software, Inc. All rights reserved | www.cyber-ark.com

Executive Summary

Cyber-Ark’s 2013 Privileged Account Security & Compliance Survey is the company’s first global IT security survey focused on assessing how organizations are identifying, managing and securing privileged and administrative accounts.

The survey report is the result of interviews with 236 IT security professionals and C-level (CIO, CSO, CISO) professionals across North America and EMEA.

Privileged accounts have emerged as the primary target for advanced enterprise attacks and have been exploited to perpetrate some of the most devastating cyber-attacks and data breaches in recent memory – including attacks occurring at Saudi Aramco, Global Payments, South Korea, U.S. Dept. of Energy, South Carolina Dept. of Revenue, and more. The category of ‘privileged accounts’ consists of privileged and administrative accounts, default and hardcoded passwords, application backdoors, and more. These accounts act as a gateway to an organization’s most sensitive data and are accessible across systems, applications and servers.

The survey results reveal that the majority of organizations do in fact understand the power of these accounts and believe they’re managing them as part of a risk and compliance policy. However, the data shows that most organizations are woefully unaware of the scope of the problem because they simply do not know how many privileged accounts exist in their organization or where to find them. According to the survey, 86 percent of large enterprises either do not know, or have grossly underestimated the magnitude of their privileged account security problem. Hundreds, and in some cases thousands, of privileged accounts sit unmanaged and unsecured within an organization – providing cyber-attackers an open door to sensitive data such as intellectual property, personal information, financial records, health information, and more.

In addition, the survey highlights that most organizations are using manual processes (such as spreadsheets) to manage their privileged accounts or including privileged account management as part of a broader Identity Management suite implementation. This approach to privileged account management fails to meet even the basics of privileged account security and leaves these organizations vulnerable against the latest attacks.

Other points of note:

• 51 percent of organizations surveyed stated that privileged and administrative account passwords were shared among “approved” users. Industry best practice indicates that passwords for privileged accounts should never be shared, as it increases the risk of the password being used by unintended users and cannot provide accountability for security and audit/compliance.

• 53 percent of large enterprises (5,000+ employees) take 90 days or longer to change their privileged or admin passwords. (76 percent of large enterprises take 60 days or longer.) Given the nature of today’s advanced threats, Cyber-Ark recommends that privileged account password changes should be automated and restricted to one-time use to ensure tight security standards.

The first step in securing the enterprise is to identify all the vulnerabilities and backdoors that are open and susceptible to attack. The second step is to place automated controls on these accounts to ensure only the properly credentialed are gaining access, and that the accounts are not being used to carry out the latest advanced attack by cyber-attackers. The third step is to continually monitor and provide alerts on suspicious behavior. Cyber-Ark strongly recommends that privileged account management processes be automated to enforce controls, while providing a clear audit trail for accountability and security.

As demonstrated by this survey, the industry has a long way to go before organizations can fully understand the scope and begin to address the privileged account security problem.


Key Report Findings

Identifying and Changing Default Passwords

Default passwords are found on almost every hardware and software application developed. These accounts primarily provide the manufacturer with a backdoor for administration of the software/hardware. The abuse of default and hardcoded passwords by cyber attackers has led to some of the biggest data breaches in the past 12-18 months. Identifying and changing default passwords is a critical step in securing the enterprise. 78 percent of all businesses surveyed said they have defined business processes in place for changing default passwords on hardware and software.

These findings vary by company size. For small-to-medium-sized businesses (categorized as businesses between 1 and 5,000 employees), 73 percent of respondents have a defined process in place to identify and change default passwords. Among large enterprises (5,000 employees and above), 84 percent of respondents indicated that they have a defined process in place.

Figure 1 Does Your Organization Have a Defined Business Process in Place for Changing Default Passwords on Hardware and Software? (all respondents) – Yes, we have a defined process in place: 78%; No, we do not have a defined process in place: 22%.

Figure 2 Does Your Organization Have a Defined Business Process in Place for Changing Default Passwords on Hardware and Software? (by company size) – SMBs (under 5,000 employees): Yes 73%, No 27%; Large Enterprises (5,000+ employees): Yes 84%, No 16%.


Changing Privileged or Administrator Passwords

Privileged accounts are an organization’s most powerful access points and are the keys to unlocking a company’s most valuable asset – its data. Privileged accounts include domain passwords, local admin passwords, service accounts, and more. While 82 percent of businesses have processes in place to change these passwords, 49 percent take 90 days or longer to change passwords. Cyber-Ark recommends that privileged account password changes should be automated and restricted to one-time use to ensure tight security standards.

Figure 3 Does your company have a process in place for changing privileged or admin passwords? – Yes: 82%; No: 18%.

Figure 4 With what frequency do you change the privileged or admin passwords? – Each time after it’s been used: 10%; Monthly (every 30 days): 16%; Bi-Monthly (every 60 days): 25%; 90 days or longer: 49%.


Large enterprises (84 percent) were more likely than SMBs (73 percent) to have defined business processes for changing privileged or administrator passwords.

53 percent of large enterprises take 90 days or longer to change their privileged or admin passwords. (76 percent of large enterprises take 60 days or longer.)

Figure 5 Does your company have a process in place for changing privileged or admin passwords? (by company size) – SMBs (1-5,000 employees): Yes 73%, No 27%; Large Enterprises (5,000+ employees): Yes 84%, No 16%.

Figure 6 With what frequency do you change privileged or admin passwords? (by company size; categories: Each time after it’s been used, Monthly (every 30 days), Bi-Monthly (every 60 days), 90 days or longer) – 90 days or longer: Large Enterprises 53%, SMBs 45%; Bi-Monthly: Large Enterprises 23%, SMBs 25%. The remaining bar values (9%, 13%, 21%, 11%) cannot be assigned to categories from the extracted chart.


Scoping the Privileged Account Security Problem – Identifying and Counting Privileged Accounts

Based on the examination of more than 1,200 customer deployments, Cyber-Ark determined that the number of privileged accounts in any organization is typically 3-4 times the number of employees. According to the survey, 86 percent of large enterprises either do not know, or have grossly underestimated the magnitude of their privileged account security problem (Figure 7). Amazingly, 30 percent of respondents from large enterprises believed they had between 1-250 privileged accounts. For an organization with 5,000 employees, the number of privileged accounts would be at least 80 times higher than the estimate.

Figure 7 In your estimation, how many privileged accounts are there in your organization? (bar chart by company size, SMBs (1-5,000 employees) vs Large Enterprises (5,000+ employees); answer categories: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,000+, I don’t know. Of the extracted data labels, only the 30% of large enterprises answering 1-250 can be assigned with confidence.)
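The report’s three steps (identify, control, monitor) and its 3-4x headcount rule of thumb can be turned into a simple inventory audit. The following Python is an added example, not code from Cyber-Ark or the report: it assumes a hypothetical inventory export (the constructed `SAMPLE` list), buckets each account into the survey’s own rotation-frequency categories, flags default, shared and stale credentials, and treats an inventory far below 3x headcount as a scoping finding in its own right.

```python
from dataclasses import dataclass
from datetime import date

# Policy inputs taken from the report: privileged accounts typically number
# 3-4x the headcount, and rotation is bucketed at 30 / 60 / 90+ days.
ACCOUNTS_PER_EMPLOYEE = 3
TODAY = date(2013, 5, 1)  # constructed audit date

@dataclass
class PrivilegedAccount:
    name: str
    password_changed: date    # last rotation recorded in the inventory
    is_default: bool = False  # vendor default or hardcoded credential
    shared_by: int = 1        # people who know the password (1 = not shared)
    one_time: bool = False    # rotated after every use (the recommended state)

def rotation_bucket(acct, today):
    """Map an account onto the survey's own rotation-frequency categories."""
    if acct.one_time:
        return "each time after use"
    age = (today - acct.password_changed).days
    if age <= 30:
        return "monthly"
    if age <= 60:
        return "bi-monthly"
    return "90 days or longer"  # anything past 60 days lands in the worst bucket

def audit(accounts, headcount, today=TODAY):
    """Identify (scope check), control (flag weak accounts), monitor (summarise)."""
    findings, buckets = [], {}
    for a in accounts:
        b = rotation_bucket(a, today)
        buckets[b] = buckets.get(b, 0) + 1
        if a.is_default:
            findings.append((a.name, "default/hardcoded credential"))
        if a.shared_by > 1:
            findings.append((a.name, f"shared by {a.shared_by} users"))
        if b == "90 days or longer":
            findings.append((a.name, "password older than 60 days"))
    expected = ACCOUNTS_PER_EMPLOYEE * headcount
    # An inventory far below 3x headcount is itself a finding: the scope is wrong.
    return {"findings": findings, "buckets": buckets,
            "expected_min": expected, "inventory_gap": len(accounts) < expected}

# Constructed sample inventory (not survey data) for a 1,000-employee organisation.
SAMPLE = [
    PrivilegedAccount("root@db01", date(2013, 1, 2)),
    PrivilegedAccount("admin@printer-fleet", date(2012, 6, 1), is_default=True),
    PrivilegedAccount("DOMAIN\\svc_backup", date(2013, 4, 20), shared_by=4),
    PrivilegedAccount("sa@mssql", date(2013, 4, 30), one_time=True),
]
```

Running `audit(SAMPLE, 1000)` reports four findings and an inventory gap, since four accounts against 3,000 expected is exactly the underestimation the survey describes.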


Privileged Accounts – Found in Any Device with a Microprocessor

One of the primary reasons that organizations have a difficult time accounting for their privileged accounts is that they simply do not know where they exist. Privileged accounts consist of privileged and administrative accounts, default and hardcoded passwords, application backdoors and more. These accounts exist in every server, networked device, application, operating system and any device with a microprocessor. When asked to select each part of the enterprise IT infrastructure where privileged accounts exist, 63 percent of respondents correctly stated in every device/application (see Figure 8). This means that 37 percent of respondents do not know where to find privileged accounts.

Figure 8 I believe privileged accounts are found in: Enterprise Infrastructure (servers, switches, storage, security appliances); Network Devices (copiers, phone systems, printers, fax); PCs & Laptops; Databases; Applications; Operating Systems; All the above (63%). The remaining bar values (26%, 12%, 12%, 8%, 6%, 6%) cannot be assigned to categories from the extracted chart.


“Shared Vulnerabilities” – Half of Businesses Share Privileged Passwords

Despite best practices recommending against sharing privileged user and administrative accounts, half of all businesses stated that they shared these accounts in their organization. Industry best practice indicates that passwords for privileged accounts should never be shared, as it increases the risk of the password being used by unintended users and cannot provide accountability for security and audit/compliance.

The problem is more widespread among large enterprises, where 56 percent of respondents stated they shared privileged accounts, as opposed to 47 percent of SMBs surveyed.

Figure 9 Are privileged account passwords shared among “approved” users? (all respondents) – Yes: 51%; No: 49%.

Figure 10 Are privileged account passwords shared among “approved” users? (by company size) – SMBs (1-5,000 employees): Yes 47%, No 53%; Large Enterprises (5,000+ employees): Yes 56%, No 44%.


Understanding Privilege Risks Does Not Equate to Securing Them

Unmanaged privileged and administrative accounts are one of the most common ways for an organization to fail compliance audits. According to the survey, 72 percent of organizations monitored or recorded privileged activity as part of their risk and compliance strategy.

Despite monitoring privileged account activity as part of their compliance strategy, only 18 percent of respondents use a privileged identity management solution to automate the process. This means that 82 percent of businesses are trying to harness thousands of critical vulnerabilities with manual processes, or solutions not designed to address the depth of the problem. This failure to address a known and growing issue is a leading contributor to some of the most devastating cyber-attacks since 2008. Industry best practice is to implement a privileged account management solution to automate these processes and enforce controls, while providing a clear audit trail for accountability and security.

Figure 11 Does your organization monitor or record privileged account activity as part of its risk/compliance strategy? – Yes, we have a defined process in place: 72%; No, we do not have a defined process in place: 28%.

Figure 12 How do you monitor or record privileged account activity? – Manual/Paper-based: 23%; Home-grown software: 15%; IAM (Oracle, CA, etc.): 8%; Privileged Identity Management software: 18%; SIEM (ArcSight, McAfee, etc.): 10%; DAM (Guardium, Imperva, etc.): 2%; Other: 25%.


About Cyber-Ark

Cyber-Ark® Software is a global information security company that specializes in protecting and managing privileged users, sessions, applications and sensitive information to improve compliance, productivity and protect organizations against insider threats and advanced external threats. With its award-winning Privileged Identity Management, Privileged Session Management and Sensitive Information Management Suites, organizations can more effectively manage and govern data center access and activities, whether on-premise, off-premise or in the cloud, while demonstrating returns on security investments. Cyber-Ark works with more than 1,200 customers, including more than 40 percent of the Fortune 100. Headquartered in Newton, Mass., Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific.

For more information, please visit www.cyber-ark.com.

Media Inquiries:

Christy Lynch, Cyber-Ark Software, Inc. Phone: +1 617-796-3210 Email: [email protected]

Brian Merrill, fama PR (US) Phone: +1 617-986-5005 Email: [email protected]
