October 05, 2006

A case study in vendor research

I remember once being overwhelmed by an independent product review published in the US Airways in-flight magazine; it was for an energy-boosting supplement that sounded absolutely fantastic. I was ready to go out and buy it; when I happened to mention in conversation how cool this product sounded (and the fact that I had read this review of it), I was informed that the "review" was really an advertisement. And, sure enough, I had missed the small print that said "special advertising section" above the review. In that case, I neglected to fully understand who published the review I was reading, and what the intended purpose was - had I known that it was intended to promote the product, I probably wouldn't have had the same reaction to the positive "review".

Now before I get into how this anecdote applies to security, let me say that it's not my intention to do down any vendor's research; I have *NO PROBLEM* whatsoever with vendors publishing research that benefits them, that helps people look at a product in a different way, or that helps people understand a product's suitability for their enterprise. All that stuff is perfectly grand. However, just like it was important for me to understand the motivation for the review in the US Airways magazine, it's important for readers of these vendor documents not to forget why these things are published. Specifically, vendors are doing this stuff to forward their marketing goals - not as a public service. By the time most of these things reach your inbox, they have been carefully vetted, edited, and redacted to make sure that every aspect of the publication is in tune with the corporate marketing message.

Here's my point: statistics can be represented any number of ways, right? And vendors who manufacture a product are more likely to draw conclusions from data that favor their product, right? Not because they are dishonest, mind you - just because they have skin in the game. And there's nothing wrong with that. But between the malleability of the statistics and the fact that the majority of the research is published without a transparent methodology or intermediate data, you're left at the end of the day with an artifact that (while useful for the vendor) should probably be read and understood by folks with their eyes wide open to the point of the document.

Now, in the past I've ranted about malware numbers from Symantec and McAfee, web application numbers from Fortify, email statistics from MessageLabs et al, and so on. This time, I happened to come across the CyberArk Privileged Password Survey via an article on the Register saying that administrative passwords are "abysmal". OK, I'll bite: how abysmal are they? Well, according to CyberArk, a manufacturer of software for securing administrative passwords, they stink on ice. Check out some of the conclusions from their research and their press release:

- "Approximately half of all enterprises have more privileged passwords than personal ones"
- "Privileged passwords are more powerful but less likely to be changed"
- "...up to 42% [of privileged passwords] are never updated..."
- "A major risk for hacker attacks and failed audits"

OK. So, are these things true? As with most vendor research, it depends on your point of view... For example, if you say there are "more privileged passwords than personal ones" - that's a startling statistic and one that's likely to get press attention. But is it useful as a barometer for the overall security of administrative passwords for our industry? Probably not. Look, for example, at the support for this statement in the Cyber-Ark research:

* More than 500 employees, and each employee has an Administrator account associated with their workstation (72%)
* More than 500 servers with privileged password accounts (44%)
* More than 100 routers with privileged password accounts (41%)
* More than 100 software applications (71%), most of which connect with other applications (92%)

And guess what? All of these supporting facts are probably 100% accurate. But where it gets murky is not in the data but in the conclusion. For example, the majority of the "privileged accounts" in this analysis consist of local machine Administrator accounts on desktops; specifically, the interpretation assumes a 1:1 ratio between workstations and employees, with an admin account on every desktop. But where this falls down is in looking at publicly available data, gathered at taxpayer expense, that suggests 1:1 is not the typical value. Instead, the data suggests that 1:1 is the saturation point for the workstation-to-employee ratio, not a typical value. Consider, for example, the most mainstream of all American corporations - Walmart. Is it the case that every Walmart employee has a workstation? How about the guy with the iron lung who hands out the carts, the person putting out the produce, the individual ringing up merchandise... Clearly, they do not.

But moving beyond that... even if every employee did have a workstation, the ramifications of this fact depend on your interpretation of "privileged account". For example, is a workstation's local administrator account at the same level of risk and significance as a Unix server's root account? I happen to think that these two things are very different - but the Cyber-Ark methodology assumes they are the same thing. Should they be treated the same in drawing conclusions? Maybe, maybe not. Hmmm.... murky.

Or take the idea that these administrator passwords make it more likely that you will fail audits; where's the evidence for this? Say, for example, you're a government entity regulated under FISMA; you follow - to the letter - the guidance from the NSA for configuring your workstations and you proceed to get audited by your IG. Are you likely to fail your audit or not? I would argue not. Again, the Cyber-Ark numbers are probably accurate, but one would probably be more inclined to disagree with the conclusion than agree with it in that scenario.

Posted by Ed at October 5, 2006 12:30 PM