An innocent action by an Austrian teen recently affected the Twitter accounts of BBC News and CNN. He was experimenting with HTML when he triggered an open vulnerability in TweetDeck, Twitter’s social media management platform. Over 10.1 million of BBC News’s followers received a self-retweeting post, damaging the reputation of London’s most popular news source in just seconds. BBC News and other large organizations weren’t the only ones affected: nearly one thousand Twitter accounts were hijacked. Users were told to stop using TweetDeck immediately and to reset their passwords, but for many the damage was already done.
Social media compromises are becoming more prevalent, drawing attention to organizations’ password practices, and not just at the IT level. It isn’t only social media accounts that can damage a company – human resources, accounting and even sales have accounts that, if compromised, could cause big problems. There is no better time to get password management under control than today. Here’s how to get started.
Social media, payroll and accounting systems are often shared accounts with a lot of power and should be treated with the same level of security as privileged IT account passwords. For full accountability and security, these shared accounts need to be locked down and audited. To begin, it is important to understand everyone’s responsibility and what accounts they should have access to. We recommend scheduling time with your organization’s department managers in order to create the proper role-based access controls and to get a better understanding of how they are managing their team’s shared passwords today.
Important Questions to Ask:
1.) What account passwords do your teams share?
2.) Who should have access to the accounts?
3.) Do any of these accounts need added security, like Require Approval for Access or Require Comment? If so, who is allowed to approve access?
4.) Do different groups use different accounts? For example, do you have a payroll team that only handles payroll, while an accounts receivable team uses a different set of accounts? (See the Folders section below for more ideas on account categories)
5.) How are you currently storing and sharing these passwords? (You will need this information later when you think about importing the passwords.)
6.) How many employees are in the department? Will they all need access to these passwords within Secret Server?
Creating the Basic User Role
Secret Server already has a Basic User Role configured with a selected set of permissions. Like any Role in Secret Server, the Basic User Role can be customized: you can change its permissions, and you can adjust permissions per individual user.
Once you’ve configured the Basic User role to meet the department’s needs, import your new end-users into Secret Server and assign them the Basic User role. Now when they log in, they have access strictly to the Secret Server Basic user interface.
Although the Basic View does not show a folder structure, as an admin you can give each department a set of folders to use. This can help you assign Secret Policies at the folder level. Make folders for each department, based on the discussion you had with the department head earlier. Some departments may also want each employee to have a personal folder, which is possible if you allow personal folders within your main Secret Server account. Depending on the size and activities of each department, here are some sample folder categories that your business departments may want:
Marketing: trade shows, social media, digital advertising, website, video production, public relations, traditional advertising.
Accounting: Payroll history, benefits, job postings, compliance.
Human Resources: Bookkeeping, payroll, finance, tax.
Now it’s time to get started and populate Secret Server with your accounts. Users can easily add accounts, or Secrets, by clicking the ‘Create New’ button and then selecting the appropriate template.
This is also an important time to begin changing the passwords by having Secret Server generate a strong, unique password that no one will want to memorize, write down, or type out. Soon your end users will see just how handy the launchers really are.
Set length and complexity rules for all Secrets to enforce strong passwords. Enable the Launcher for all web Secrets and consider masking the passwords to make using Secret Server a necessary part of your users’ workflow.
Set expiration limits for each Secret. Because there are so many types of accounts used by these departments, they will likely have to manually change their passwords. To ensure they do so on a schedule, which can be especially important if your company has to meet compliance mandates, you can enforce expiration to indicate when it’s time to change a password.
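The three steps above (generate a strong password, enforce length and complexity rules, enforce an expiration schedule) can be checked outside the vault as well, which is useful when auditing what a department imports. The following is an added example and is not Secret Server code or its API; the policy values, field names and the two sample account records are constructed for illustration. It flags any record that fails the complexity rules or is past its rotation date, and it produces a compliant replacement password using a cryptographically secure generator.

```python
"""Added example (not Secret Server code): audit shared-account records
against length/complexity rules and an expiration schedule, and generate a
compliant replacement password. Policy values and records are constructed."""
import secrets
import string
from datetime import date, timedelta

# Constructed policy for illustration; not a Secret Server setting name.
POLICY = {
    "min_length": 20,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
    "max_age_days": 90,
}

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def policy_violations(password, policy=POLICY):
    """Return the names of the rules the password fails (empty list = compliant)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("min_length")
    checks = {
        "require_upper": any(c.isupper() for c in password),
        "require_lower": any(c.islower() for c in password),
        "require_digit": any(c.isdigit() for c in password),
        "require_symbol": any(c in SYMBOLS for c in password),
    }
    for rule, satisfied in checks.items():
        if policy[rule] and not satisfied:
            failures.append(rule)
    return failures


def generate_password(policy=POLICY):
    """Generate a random password that satisfies every enabled rule.

    Uses the secrets module (a CSPRNG), never the random module, and simply
    re-draws until a candidate passes the same checks the audit applies."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        if not policy_violations(candidate, policy):
            return candidate


def days_until_expiry(last_changed, today, policy=POLICY):
    """Positive: days remaining; zero or negative: rotation is due."""
    return (last_changed + timedelta(days=policy["max_age_days"]) - today).days


def audit_secrets(records, today, policy=POLICY):
    """Return {record name: [issues]} for every record with at least one issue."""
    report = {}
    for rec in records:
        issues = [f"policy:{v}" for v in policy_violations(rec["password"], policy)]
        remaining = days_until_expiry(rec["last_changed"], today, policy)
        if remaining <= 0:
            issues.append(f"expired:{-remaining}d overdue")
        if issues:
            report[rec["name"]] = issues
    return report


# Constructed sample records in a folder/secret naming style; not real accounts.
SAMPLE_RECORDS = [
    {"name": "Marketing/Social media/Corporate Twitter",
     "password": "summer2014", "last_changed": date(2014, 5, 1)},
    {"name": "Accounting/Payroll/Vendor portal",
     "password": "xK9#vQ2p!Lm4$Rt8&Wz1n", "last_changed": date(2014, 9, 15)},
]

if __name__ == "__main__":
    today = date(2014, 10, 21)
    for name, issues in audit_secrets(SAMPLE_RECORDS, today).items():
        print(name, issues)
    print("replacement password:", generate_password())
```

Running the audit on the constructed records reports the marketing account as too short, lacking upper-case and symbol characters, and 83 days overdue for rotation, while the payroll record passes; the replacement password is drawn from the same rule set, so a department can never import a weaker credential than the one it is told to generate.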
Don’t forget to schedule some time to train each department. It won’t take long! Many of our customers say they can provide basic training within a half hour. During training, make sure that you:
- Explain why complex passwords, regular password changing, and auditing account usage is so important, even to non-IT departments. Use our story above to spark the conversation and don’t be surprised if they can share even more examples.
- Show employees how to view, create, edit and share Secrets. Remember, they won’t have complex permissions, so they can’t make custom Secret Templates.
- Explain how the Launchers work and show how to map fields if the web launcher doesn’t automatically find the username and password fields on a site.
- Show how to copy to clipboard.
- Give them a list of their folder structure and ask the department manager to explain what kinds of credentials belong in each folder.
- Tell them about the mobile apps, if allowed by your company.
Once your different departments begin to use Secret Server for their password management, they’ll realize the time saved by having one centralized vault for all of their passwords. Another major advantage is the ability to access passwords on the go. Learn more about our adaptive view for mobile devices in our previous blog post. From a security perspective, being able to lock down access, have full accountability, and enforce strong passwords is critical in today’s threat landscape.
Give us your feedback
We would love to hear your story. How are your non-IT departments using Secret Server for increased security and what do they think? Leave your story in the comment box below.
Latest posts by Thycotic Team (see all)