Part three of a three-part series on system access assessments

Even with cybersecurity as a hot topic in recent years, hacking into your system might still be embarrassingly easy. How easy, you ask?

This easy: Within minutes, an auditor we know was able to log into a coffee company’s huge IBM system.

He discovered the security problem while preparing to meet with the CFO on cybersecurity. To everyone’s surprise, the auditor showed up to the meeting with a stack of the company’s employee accounts. Not a happy start to a meeting.

So how did he log in?

He simply used generic ‘Administrator’ credentials. These are the factory default configurations that are embedded in your systems, devices and appliances. They’re great for initial testing and installation—but not so great after the system is deployed.

Hanging on to your default passwords is a huge risk. It’s nearly impossible to hold your users accountable for their actions when they’re all sharing the same credentials. Also, attackers can easily find default passwords because many are printed in product documentation or made available online.

The consequences can be huge, too. In a published alert, the Department of Homeland Security reported seven major incidents caused by not changing default passwords. One even involved a fake warning about zombies through the Emergency Alert System.[1]

There are three ways you can prevent your default passwords from causing a zombie apocalypse.

The first is to get an access rights assessment from a reputable cybersecurity company. An access rights assessment identifies the gaps in your system, including software, systems and services that are using default passwords. Here are some of the areas that are assessed:

  • Routers, access points, switches, firewalls, and other network equipment
  • Databases
  • Web applications
  • Industrial Control Systems Remote terminal interfaces
  • Administrative web interfaces

The second is to follow a remediation plan. In other words, you’ll be guided through the steps to building cyber resilience. This includes changing all default passwords, using multifactor identification and restricting access based on “the principle of least privilege.”

The third way to prevent an attack is to keep monitoring your system. This is about maintaining good cyber hygiene. Your cybersecurity company will continue to ensure that default passwords don’t linger in your systems, devices and appliances.

Don’t make it easy for attackers to access your critical systems. You can avoid unnecessary exposure by following these three preventative steps when it comes to default ‘Administrator’ credentials.

Umesh Verma, CEO, Blue LanceUmesh Verma is the award-winning CEO and driving force behind Blue Lance, the global provider of cybersecurity governance solutions. For more than 25 years, Blue Lance’s automated software solutions have been protecting digitally managed corporate assets by assessing, remediating, and monitoring security of information systems. Call Blue Lance at 1-800-856-2586 for your 25-point Access Rights Assessment, or get social with us on LinkedInFacebook, or Twitter.

 

[1] United States Computer Readiness Team, “Risks of Default Passwords on the Internet,” Department of Homeland Security, https://www.us-cert.gov/ncas/alerts/TA13-175A, last accessed April 5, 2017