Rake Narang: What are some of the most common but critical mistakes still happening in IT security?
Philip Lieberman: It seems that many IT shops continue to make the same operational mistakes year after year with the same negative consequences.
Many recent serious breaches were the result of the unhealthy and risky practice of removing isolated silos of information and combining them into single large databases which are then connected or accessible to the Internet or via systems that are subject to compromise. The concept of isolated silos of information with their own security and access is a time-proven approach to security. Unfortunately, in an attempt to reduce costs and improve convenience, systems that should never have been connected to the Internet, or accessible by systems connected to the Internet, have been compromised -- leading to large and embarrassing data losses. Silos are good, and air-gapped silos are sometimes the only way to secure some data. They are inconvenient, but so is the loss to the company of a compromise.
Among these bad behaviors is setting common Superuser and administrator accounts on multiple (or sometimes all) systems to the same never-changing password. This Common Credentials Dilemma means that if one machine becomes compromised and its internal password(s) discovered (look up Rainbow Table Attack on a search engine), any common account/passwords can be used to access other systems. This is one of the ways that viruses such as Conficker spread.
Even if there are no issues with Conficker, the existence of common passwords on multiple systems means that any existing or former IT staff member with this knowledge has access to more machines than they need or should have access to. Consider that if there are common credentials and an employee with this knowledge leaves the company, these same never-changing credentials mean that they will still have administrator access whenever they want.
Another issue is the use of spreadsheets with passwords that get spread throughout the organization. Typically these passwords never change and there is little to no accountability as to who does what with this information. Anyone who sees one of these passwords typically has unlimited access to do as they wish with the information.
The convenience of spreadsheets and common credentials makes it easy for IT to do their jobs, but unfortunately this convenience removes accountability and potentially can lead to mass destruction of systems. Solutions exist to remove common credentials, convert spreadsheet data to a secure and controlled data store, and systems exist to require password checkouts and perform automatic password changes without outages. Unfortunately, many C-level executives don't implement these systems and allow IT convenience to trump the long-term security of the organization so that IT can be more convenient.
Rake Narang: Why does the overall security landscape appear to be getting worse instead of better?
Philip Lieberman: Security has gotten worse due to the perception of management that IT security is a cost center that must be relentlessly cut due to its services being nothing more than generic and fully replaceable by the lowest cost contractor that can be found. This has resulted in IT being a poor place to work and being an even worse career choice for many. This has also translated into the conversion of masses of loyal and knowledgeable employees into contractors that are moved and/or cut, resulting in the loss of collective knowledge and wisdom in running IT.
Another disturbing trend has been the cavalier adoption of cloud-based solutions with little regard to security by customers and total short shrift by many cloud providers. Cloud providers have hidden behind such inappropriate standards as SAS70 and self-directed audits. Even when such audits are reviewed by customers (and they are rarely read), customers would be shocked to find that the phrase "we conform to industry norms and best practices" actually means "we have nothing in place for security and that is the norm for all of us."
In general, when it comes to security, there are no free lunches, and the relentless attempts to reduce costs and embrace the latest silver bullet of cloud-based services will lead to even more reduction in security and ever greater consequences. The next great thing in IT to reduce cost, make data available, and applications slick, may be a silver bullet in a gun pointed at the temple of the corporate brain ready to go off at any time.