End User Privilege Management Could Have Avoided DreamHost Hack

Avecto : 24 January, 2012  (Technical Article)
Avecto comments on the DreamHost hack, which resulted in the provider resetting user passwords for their protection, saying it could have been avoided with improved user privilege management.
Commenting on reports that DreamHost, the US West Coast-based hosting provider, has reset all of its many users' passwords in the wake of a hacker incursion into its systems, Avecto says the hack could probably have been prevented through the effective management of end user privileges.

According to Paul Kenyon, Chief Operating Officer with the Windows privilege management specialist, by controlling exactly who has access to specific applications on the hosting provider's servers, the company would have helped prevent hackers from even starting to compromise members' credentials, as they appear to have done.

“We know that DreamHost's shared and dedicated hosting network consists of a series of Web servers and that the controlling software is a customised application that was developed in-house. If the developers had integrated privilege management software into their customised applications from the ground up, then the users' credentials would not have been accessible from the public Internet,” he said.

“Privilege management software is all about empowering users to do their job. By effectively managing access to the software to specific users, and specific terminals, even if the hackers gained access to the IT staff credentials, they could then only access the relevant software from within the corporate network,” he added.

Putting it simply, the Avecto COO went on to say, this form of software security means that the IT admin credentials would only work from nominated terminals within DreamHost’s network. Hackers coming from outside the network – and on the Internet – would have been blocked.

This policy driven privilege management approach, he explained, means that where there is least privilege there is least risk.

As we said late last year when we identified that the financial sector is ahead of the curve when it comes to security, cybercriminals are now focusing their attacks as they attempt to further monetise their malware programs, he noted.

Our observations, says Kenyon, suggest that there is a significant security threat associated with excessive user rights and that no amount of user auditing and log files can solve this problem.

“It is therefore essential that IT security professionals should not compromise their security for the sake of delivering functionality. Privilege creep is a common problem that a growing number of security professionals are aware of - and have acted upon to help mitigate the risk,” he said.

“That said, many sectors of the IT industry are still catching up, leaving their systems exposed to the dangers of admin right abuse. We know that many professionals are continuously struggling to control insecure third party programs - such as browsers, games, animations and password crackers - that are able to run, even in the most secure software environment,” he added.

“The strategic whitelisting and blacklisting of applications and programs ensures that malicious code and content can be blocked to create a more secure environment. Building this type of security into a customised set of applications software is therefore a must-have for anyone in the IT software development arena.”
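The two controls Kenyon describes, admin credentials that only work from nominated terminals inside the corporate network, and an application whitelist that blocks anything not explicitly approved, can be expressed as a small deny-by-default policy evaluator. The following is an added illustration, not Avecto's product or any DreamHost code; the user names, application names, terminal hostnames and network ranges are constructed assumptions.

```python
"""Deny-by-default privilege policy: a user may run a whitelisted application
only from a nominated terminal that sits inside the corporate network.

Added example for illustration. Not Avecto's software or DreamHost's code;
all rule values below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: address ranges the organisation treats as "inside" its network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Rule:
    """One allow rule: this user may run this application from these terminals."""
    user: str
    application: str
    terminals: frozenset  # hostnames of the nominated terminals


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    allowed_applications: frozenset = frozenset()  # the application whitelist
    audit_log: list = field(default_factory=list)  # every decision, allowed or not

    def decide(self, user, application, terminal, source_ip):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        allowed, reason = self._evaluate(user, application, terminal, source_ip)
        self.audit_log.append((user, application, terminal, source_ip, allowed, reason))
        return allowed, reason

    def _evaluate(self, user, application, terminal, source_ip):
        # 1. Whitelist: unknown programs (e.g. a password cracker) never run.
        if application not in self.allowed_applications:
            return False, "application not on whitelist"
        # 2. Network origin: stolen admin credentials used from the public
        #    Internet are refused before any rule is consulted.
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in INTERNAL_NETWORKS):
            return False, "request originates outside the corporate network"
        # 3. Least privilege: the user must hold a rule for this application,
        #    and must be sitting at one of that rule's nominated terminals.
        for rule in self.rules:
            if rule.user == user and rule.application == application:
                if terminal in rule.terminals:
                    return True, "user, application and terminal match a rule"
                return False, "terminal is not nominated for this user/application"
        return False, "no rule grants this user the application"


def build_sample_policy():
    """Constructed policy: one admin, one management application, two terminals."""
    return Policy(
        rules=[Rule("it-admin", "hosting-control-panel", frozenset({"ops-ws-01", "ops-ws-02"}))],
        allowed_applications=frozenset({"hosting-control-panel", "ticketing"}),
    )


def example_decisions():
    """Run the constructed scenarios and return {label: allowed}."""
    policy = build_sample_policy()
    cases = {
        # Legitimate admin at a nominated internal terminal.
        "admin_internal_nominated": ("it-admin", "hosting-control-panel", "ops-ws-01", "10.1.2.3"),
        # Same credentials replayed from the Internet: the case the article describes.
        "admin_from_internet": ("it-admin", "hosting-control-panel", "ops-ws-01", "203.0.113.5"),
        # Valid credentials, internal address, but not a nominated terminal.
        "admin_wrong_terminal": ("it-admin", "hosting-control-panel", "laptop-99", "10.1.2.3"),
        # A user with no rule for the application (privilege creep avoided).
        "developer_no_rule": ("dev-jane", "hosting-control-panel", "ops-ws-01", "10.1.2.3"),
        # A program that is not on the whitelist, even for the admin.
        "admin_unlisted_program": ("it-admin", "password-cracker", "ops-ws-01", "10.1.2.3"),
    }
    return {label: policy.decide(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, allowed in example_decisions().items():
        print(f"{label:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Only the first scenario is allowed; every other path, including a genuine admin credential presented from an Internet address, is refused by a check that runs before the credential is even matched against a rule. The audit log records each decision, but it is the ordering of the checks, not the log, that stops the misuse.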