T 2.111 Exposure of login data relating to change of service providers

When an organisation changes IT service providers, a variety of login data usually needs to be changed. This means that old and new login data must be communicated several times. When this data is transferred insecurely, there is a risk of adverse effects on the confidentiality of the login data and, indirectly, on the integrity of the IT environment.

The login accounts used by a service provider are usually accounts possessing wide-ranging authorisations in the information system under consideration. Normally, only the user should know his or her password. Even old passwords are generally considered confidential information. In practice, though, the new service provider is often provided with the current main password. Until the new service provider assigns new passwords to all consoles and applications, the old password could be misused by unauthorised third parties. Depending on the configuration of the system (e.g. the service accounts, certificate services, etc.) and the organisation, it may be impossible to change the passwords quickly and without difficulty.

In many cases, the client itself is unable to administer the user accounts for the external service provider in a secure manner and may need to leave this task up to the new service provider. Situations such as the shared use of user accounts (account sharing) or the threats described in T 3.16 Incorrect administration of site and data access rights and T 3.43 Inappropriate handling of passwords can be the result.

In some cases, the client itself either no longer has any information on which login accounts have administrative authorisation or may only be able to obtain this information through the regular notifications of new passwords sent by the service provider (account sharing). In each of these cases, the service provider makes the corresponding decisions and takes the corresponding action. The client no longer has its own information on access data that it can use to implement strategic decisions. This situation corresponds to an environment with a high degree of outsourcing. It poses a high risk to system security when the rules and safeguards for outsourcing do not meet the security requirements and are not stated clearly in Service Level Agreements (SLAs).

Overall, situations in which critical administrative accounts are handled with even less care than normal user accounts are frequently encountered. This happens because the established standards of the company or government agency for handling user accounts were disregarded, and no procedures or guidelines were specified for handling administrative accounts when changing service providers.

Example:

In small companies, the central server is often administered by someone from outside the organisation. This person then has the password for the main administrator account.

In many cases, no other user in the company has access to an administrative account, not even the managing director. Instead, the managing director commonly stores the password for the main administration account in a safe. When a new service provider is contracted, the service provider is provided with this password. Sometimes there is not even a maintenance contract or any other type of long-term agreement on the type of outsourcing or the procedures with any of the corresponding external personnel. Under certain circumstances, the old service provider may change the password and then terminate the service unexpectedly and without warning. In this case, it is impossible to administer the system again until the new password is obtained by requesting it from the old service provider or determining it using technical means.