Dealing with Bad Practices

Shared accounts
A shared account is any resource that authenticates many users with a single pair of credentials. Shared accounts are a bad practice because they make it hard to identify the actual user and allow individuals with malicious intent to use them anonymously (Anderson & Mutch, 2011). Accounts used by a group of users also tend to have weak passwords that malicious individuals can easily guess. Moreover, users rarely change these passwords regularly or when a group member leaves, which puts multiple systems at risk of compromise if departed members share the password with outsiders.
Unique user accounts, no password required
This is a bad practice because it poses many dangers to IT systems. For one, the lack of a password puts the confidentiality, integrity and availability of a company's data and resources at risk. For instance, unauthorized persons can easily get access to these accounts, get hold of confidential information and steal it (Afonin & Katalov, 2016). In some instances, these persons may alter the original data, compromising its integrity. The lack of a password also puts a company at risk of fraud: people with malicious intent can easily access these accounts, use them to defraud people or move money, and then disappear.
Unique user accounts, password never needs to be changed
Unique user accounts whose password never needs to be changed are a bad practice. To begin with, this practice increases the risk of repeated access by hackers: once a hacker knows the password of an account, he/she may access it again and again over a long period and do what they will with it. This practice also increases the value of what keystroke loggers capture. A keystroke logger is a surveillance technology used to record keystrokes (Kim & Solomon, 2016). Because the password never changes, a password and other login details captured by a keylogger remain valid, and therefore useful to an attacker for stealing information from the computer systems, for a long period of time.
Administrators have used their privileged accounts to perform basic user activities
The practice of administrators using their privileged accounts to carry out basic user activities is very dangerous. It makes it easier for hackers to introduce malware into the accounts through a phishing attack or to obtain the administrator's credentials through impersonation; this is a particularly frequent attack in the Microsoft Windows environment. A successful phishing attack can lead to theft of company information, and as a result the company can experience significant financial losses and damage to its reputation. Gaining the administrator's credentials can also make it possible for attackers to infiltrate the company's systems and mount further attacks to steal more information. This practice increases the risk of accidental errors as well. Privileged access allows the administrator to bypass access controls, and for this reason errors made by the administrator may have catastrophic results, leading to loss of data or substantial downtime. For instance, on a Unix system, an additional space may change `rm -Rf /tmp/olddata` into `rm -Rf / tmp/olddata`; the stray space turns one path into two separate targets, `/` and `tmp/olddata`, and the whole file system is deleted. This is the kind of error that leads to data loss.
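As an added illustration of guarding a privileged cleanup against that slip (this helper is not from the essay, and the name safe_rmdir is hypothetical), the following POSIX shell wrapper refuses exactly what the stray space produces: more than one target, and any target that resolves to the root directory.

```shell
# Added example (not from the essay): a guarded wrapper around "rm -Rf"
# for a privileged cleanup. It refuses the two things the stray space in
# "rm -Rf / tmp/olddata" produces: more than one target, and a target
# that resolves to the root directory. The name safe_rmdir is hypothetical.
safe_rmdir() {
    # A stray space splits one path into two arguments: refuse outright
    # instead of guessing which one was meant.
    if [ "$#" -ne 1 ]; then
        echo "refused: expected exactly one target, got $#" >&2
        return 1
    fi
    case "$1" in
        /*) ;;
        *)  echo "refused: target must be an absolute path: $1" >&2
            return 1 ;;
    esac
    # Resolve symlinks, "." and ".." so "/." or "/tmp/.." cannot slip
    # past a plain string comparison against "/".
    resolved=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "refused: $1 is not an accessible directory" >&2
        return 1
    }
    if [ "$resolved" = "/" ]; then
        echo "refused: will not remove the root directory" >&2
        return 1
    fi
    rm -Rf -- "$resolved"
}

# Demonstration in a throwaway sandbox: the mistyped command is refused,
# the intended one goes ahead.
sandbox=$(mktemp -d)
mkdir -p "$sandbox/olddata/sub"
safe_rmdir / "$sandbox/olddata" && echo "unexpected" || echo "refused as intended"
safe_rmdir "$sandbox/olddata" && echo "removed $sandbox/olddata"
rmdir "$sandbox"
```

GNU rm already refuses a bare `/` unless `--no-preserve-root` is given, but that protects only the root itself: in `rm -Rf / tmp/olddata` the second argument, `tmp/olddata` relative to the current directory, would still be removed, which is why the wrapper rejects the argument count rather than individual paths.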

References
Afonin, O., & Katalov, V. (2016). Mobile forensics – Advanced investigative strategies. Packt Publishing.
Anderson, B., & Mutch, J. (2011). Preventing good people from doing bad things: Implementing least privilege. Apress.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones & Bartlett Publishers.
