Two-Thirds of Federal IT Managers Fear a Security Breach from Colleagues

The privileged access to multiple computer accounts enjoyed by agency administrators creates serious vulnerabilities that risk disclosure of sensitive data or personally identifiable information, according to a survey of federal information managers released Monday.

“With inadequate privileged account management in place, users - or cyber criminals posing as qualified users” could exploit critical security gaps, said Dell Software analysts in summarizing the survey of 150 federal information technology managers.

The polling was conducted in July in agencies with at least 1,000 employees—just after the White House launched its Cyber Sprint response to the June revelation of the breach of personnel files at the Office of Personnel Management.

As many as 63 percent of respondents said they view other employees as the greatest security risk, while fully 92 percent said general employees have access to more information than is necessary.

Some 89 percent said the risk of a security breach in their agency would be lowered if there were improved controls over privileged accounts. (When the same question was posed to 300 IT managers in the private sector, only 76 percent agreed on a need for more such controls.)

Only 68 percent of federal IT managers have a defined process for changing passwords when new programs are introduced—compared with 78 percent in the private sector, the survey found.

The biggest challenges to confronting external IT security threats, according to the federal managers, are first the changing IT environment (58 percent), followed by newly available technology (55 percent), followed by budget limits (40 percent).

Only 29 percent of federal IT managers responding said they change passwords monthly, while 53 percent said they change them every 30-60 days. Only 19 percent of respondents change administrative and privileged passwords on mission-critical systems and devices every 30 days, the survey found.

Less than 50 percent of respondents track or monitor administrative or privileged access at federal agencies, and too often multiple administrators share a common set of credentials, respondents said.

The results show that the White House-directed govermentwide Cyber Sprint after the OPM breach was effective in raising the issue of privileged access to agency systems, Paul Christman, vice president of federal for Dell Software, told Government Executive on Monday.

But the next step is to go beyond controlling through credentials to “privileged session management, or watching what the privileged users do,” Christman said.

Adding a second identifying factor such as a card or a secondary object will help control access, but the government also needs to monitor what the privileged users do with their identities—“which is what the survey validated,” he added.

“It’s like a credit card, which is a privilege,” Christman said. “But imagine if no one ever checked what you buy and you never had to pay the bill. That what’s what happens without monitoring user activity. The privileged users can do whatever they care to.”

(Image via Photosani / Shutterstock.com)