By Alastair Hartrup, global CEO of Network Critical.
In sports, if one team does not have enough players to field a side, it loses by default. This is the easiest way to win for the victorious party: not a drop of sweat is produced and there is no risk of injury or embarrassment. The only thing the victors have to do is show up, and they get to take home the trophy.
On the other side, this is also the most disappointing loss for the losing party. No matter what their reason for not showing up, they still lose. In amateur sports the loss is mostly pride and bragging rights at the local pub, but in cyber security it has far more dire consequences.
Cyber criminals are being handed default wins every day. It is easy to see why: those in charge of safeguarding critical network infrastructure and its contents are not as focused, diligent and committed as they could and should be. To show this, here is one important example that is exploited often but is easy and inexpensive to fix.
Default Username and Password
Default usernames and passwords are set by manufacturers to allow initial access to system hardware and software for initial configuration, or to restore access after the system has been reset to its factory default settings.
A Tripwire study concluded that 30% of IT professionals and 46% of users do not change passwords from the manufacturer's default setting. This is a dangerous practice, as all of the manufacturers' default settings are available on the internet to anyone who knows how to search for "default settings"!
What is worse is that these initial username and password settings generally provide full administrative access privileges. This means that with these passwords the hacker has total access to the system and can change settings and IP addresses.
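The practical counterpart to the point above is an audit of your own inventory: which devices still answer to the factory login? The following Python script is an added illustration, not code from the article or from Network Critical. Every vendor name, model, default credential pair, device identifier and password in it is constructed for the example; a real catalogue would be built from the documentation of the equipment the organisation actually owns. Passwords are held only as salted PBKDF2 hashes, so the audit works against a stored account database without ever keeping clear-text passwords.

```python
"""Find accounts still protected by vendor-default credentials.

Added illustration, not part of the article. Every vendor, model, default
credential pair, device and password below is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000

# Constructed catalogue of factory-default logins, keyed by (vendor, model).
# A real deployment would populate this from the documentation of the
# equipment the organisation actually owns.
DEFAULT_CREDENTIALS = {
    ("ExampleVendor", "SwitchA"): [("admin", "admin"), ("admin", "password")],
    ("ExampleVendor", "RouterB"): [("root", "changeme")],
}


@dataclass
class Account:
    """One local account on a managed device; the password is stored only as
    a salted PBKDF2-HMAC-SHA256 hash, never in clear text."""
    device_id: str
    vendor: str
    model: str
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def uses_default_credentials(account: Account) -> bool:
    """True if the account's stored hash matches a catalogued default for
    that device model under the same username."""
    for user, password in DEFAULT_CREDENTIALS.get((account.vendor, account.model), []):
        if user != account.username:
            continue
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.pw_hash):
            return True
    return False


def audit(accounts: list[Account]) -> tuple[list[str], list[str]]:
    """Return (devices still on defaults, devices whose model the catalogue
    does not cover). The second list matters: an unknown model is an audit
    gap, not a clean result."""
    still_default = []
    uncovered = []
    for account in accounts:
        if (account.vendor, account.model) not in DEFAULT_CREDENTIALS:
            uncovered.append(account.device_id)
        elif uses_default_credentials(account):
            still_default.append(account.device_id)
    return still_default, uncovered


def make_account(device_id, vendor, model, username, password) -> Account:
    """Build an inventory record the way a provisioning tool would store it."""
    salt = os.urandom(16)
    return Account(device_id, vendor, model, username, salt, hash_password(password, salt))


# Constructed inventory: two devices were never changed from factory defaults,
# two were, and one belongs to a model the catalogue knows nothing about.
SAMPLE_INVENTORY = [
    make_account("sw-01", "ExampleVendor", "SwitchA", "admin", "admin"),
    make_account("sw-02", "ExampleVendor", "SwitchA", "admin", "w7$Lq2!vRz9pT"),
    make_account("rt-01", "ExampleVendor", "RouterB", "root", "changeme"),
    make_account("rt-02", "ExampleVendor", "RouterB", "root", "N4#hkD8@mX1cQ"),
    make_account("fw-01", "OtherVendor", "FirewallC", "admin", "admin"),
]

if __name__ == "__main__":
    flagged, unknown = audit(SAMPLE_INVENTORY)
    print("Still on vendor defaults:", flagged)
    print("Model not in catalogue (needs research):", unknown)
```

Two design points are worth noting. The comparison uses the device's own salt and a constant-time digest check, so the audit never needs the clear-text password that was actually set. And devices whose model is missing from the catalogue are reported separately rather than silently passing: a factory login you have not catalogued is still a factory login.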
An Interesting Conundrum
Computing and networking are no longer the sole domain of the IT department. With BYOD, multiple-device access, and a panoply of applications running in the business world, network access is required of nearly every worker. So the company that believes its network is secure because the IT department is skilled and savvy is wrong. Every employee who has access to email, the web and other corporate applications needs to be educated on network security protocol and be diligent with their access privileges.
Changing from the default settings to a strong username and password immediately upon accessing any new device is a critical step in keeping hackers out of the network. The conundrum is this: a simple password is easy to remember, easy to enter and therefore convenient for the user. A strong password is hard to remember, difficult to enter and a pain in the backside for the user. So what will the typical user do when forced to create strong passwords? They will write the password down on a Post-it note or enter it in the notes section of their device. In other words, they will make the password easy for hackers to find. Thus the strong password becomes a weak password.
There are password technologies such as Single Sign-On and LDAP that can assist users with access while providing strong password protection. Consistent network security training for all employees (not just those in computer-related functions) is another important step. Employees need to understand that strong passwords are inconvenient but necessary, and that entering passwords in notes pretty much defeats their purpose.
Regardless of password strength, changing from the default password to a new, unique password is still better than taking no action. No one should allow a globally published default password to control access to the corporate network.
Regardless of how good your password policy is, how hard you train employees, and how severe the consequences for policy violation are, there will be a subset of employees who opt for the convenient rather than the secure option. It is important for networks to have perimeter protection such as Next Generation Firewalls with Intrusion Prevention, Data Loss Protection and other access security appliances guarding the network.