"As a result, we basically had a situation where we couldn't get his current data that he had done for the day," said Edwards, now a senior network administrator for eLink Communications, Inc., an Internet service provider (ISP) in Bethesda, MD.
Edwards also saw how an employee that disliked another fired employee accessed a VPN using the terminated employee's password and sent hateful e-mails to supervisors in the organization under the fired employee's name.
These examples demonstrate why IT managers must control VPN password use in their organization and delete passwords when they are no longer needed.
VPN use and risk increase
Passwords are necessary for secure access to a VPN. They're also one of the only ways an organization can protect its VPN. "Passwords really are the only line of defense today between an intruder and your data," said Tom Rose, the vice president of marketing for Courion, a provider of self-service identity management solutions, in Framingham, MA.
The need for secure passwords is increasing simply because VPN use is rising. John Doyle, the director of product marketing for Corporate Edge Services for Nortel Networks, said that Nortel Networks sells VPN services to all types of companies, government entities, and carrier partners that offer managed VPN services.
This overall growth means that VPNs are more important to an organization's productivity. "There are two principle applications for VPNs," said Doyle. "One is remote access. That would be the stuff that you're doing when you dial in from home. And then there's the branch-to-branch stuff. That would describe most companies." He adds that users in an organization's branch offices need network access from anywhere, at any time, and that VPNs meet this need.Protecting your network is one reason each user in your organization needs a VPN password and also the reason IT managers need to focus on managing passwords to prevent abuse.
If the idea of turning over one password to each user makes you shake in your boots, it should. "With a VPN, you can access through anybody's ISP on basically anyone's network," said Edwards. "So if an employee leaves, he could very well go home and either still get sensitive information off the network or still send out e-mails basically using your company's service for his own good," he said.
In the wrong hands, a single VPN password can open up an entire network to a malicious user or hacker. "VPN passwords are the keys to the kingdom," said Marty Roesch, the president and founder of Sourcefire, Inc., a provider of network monitoring infrastructure solutions in Columbia, MD.
Staying on top of password use is the easiest way managers can protect VPNs. "You use a VPN to secure your point-to-point communications, so if it's secured via passwords and you don't have good password control mechanisms, then you run the risk of a password getting out," said Roesch.
How to manage IT passwords
IT managers should establish a system to track passwords to know when certain passwords are no longer needed. For example, when an employee leaves the organization, you should uninstall those passwords immediately. Here are other password management tips:
- Refresh passwords at least every 60 days. "Obviously, the more frequently you refresh your passwords, the more difficult it becomes for a hacker to compromise a password or obtain one," says Rose.
- Explain to users why they must be careful with VPNs. Tell them that it is impossible to deploy security software to users outside of an organization's network and that they cannot trust external computing platforms.
- Encourage users to use other forms of protection at home. For example, establish a policy that states that users must use firewalls and other protection solutions that are approved by the organization.
- Force users to create strong passwords. Managers should especially encourage a user with "12345" as a password, for example, to change it for security reasons. Longer passwords that are a mix of letters, numbers, and symbols are stronger than one-word or number-string passwords.
- You can use an automatic solution. For example, Courion makes and distributes PasswordCourier, an application that enables managers to securely reset forgotten passwords or automatically delete expired ones. The application can also tie all of a user's passwords together into one central location where they can be changed or updated automatically.