Network Critical - The Window to your Network

Losing by Default


In sports, if one team does not have enough players to field a team, they lose by default. In a court of law, if the defendant or the plaintiff does not show up, they lose by default. This is the easiest win for the victorious party. Not a drop of sweat was produced. There was no risk of injury or embarrassment. The only thing the victors had to do was show up, and they get to notch a “W” on their record or take home the trophy.

This is also the most disappointing loss for the party on the other side. They may have had other priorities. They may have forgotten the date of the contest. They may have been stuck in traffic. No matter the reason, they still lose. In amateur sports the loss is mostly pride and bragging rights at the local pub. In court, the loss could be costly in property or currency. In many cases, the loss could have been prevented had the loser been more diligent in managing their calendar or more focused and committed to the contest.

What does this have to do with cyber security or data breaches? The moral of this story is that cyber criminals are being handed default wins every day. They must be saying, “I can’t believe how easy this is!” It is easy because those in charge of safeguarding their critical network infrastructure and its contents are not as focused, diligent and committed as they could be/should be. Here is one important example that is exploited often but is easy and inexpensive to fix.

Default Username and Password
Default usernames and passwords are used by manufacturers to allow initial access to system hardware and software for the purpose of initial configuration or to restore access after resetting the system to its factory default settings.

A Tripwire study concluded that 30% of IT professionals and 46% of users do not change passwords from the manufacturer's default setting. This is a dangerous practice, as all of the manufacturers' default settings are available on the internet to anyone who knows how to search “default settings!”

What is worse is that these initial user name and password settings generally provide full administrative access privileges. This means that with these passwords the hacker will have total access to the system and be able to change settings and IP addresses.

An Interesting Conundrum
Computing and networking are no longer the singular domain of the IT department. With BYOD, multiple device access, and a panoply of applications running in the business world, network access is required of nearly every worker. So, the company that believes the network is secure because the IT department is skilled and savvy is wrong. Every employee who has access to email, web and other corporate applications needs to be educated on network security protocol and be diligent with their access privileges.

Changing from default settings to a strong user name and password immediately upon accessing any new device is a critical step in keeping hackers out of the network. The conundrum is this…a simple password is easy to remember, easy to enter and, therefore, convenient for the user. A strong password is hard to remember, difficult to enter and a pain in the backside for the user. So, what will the typical user do when forced to create strong passwords? They will write the password down on a Post-it note or enter it in the notes section of their device. In other words, they will make the password easy for hackers to find. Thus the strong password now becomes a weak password.

Solutions?
There are password technologies such as Single Sign On and LDAP that can assist users with access while providing strong password protection. Network security training on a consistent basis with all employees (not just computer related functions) is another important step. Employees need to understand that strong passwords are inconvenient but necessary, and that entering passwords in notes pretty much defeats their purpose.

Regardless of password strength, changing from the default password to a new, unique password is still better than taking no action. No one should allow a globally published default password to control access to the corporate network.
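As an added example (not part of the original post), the sketch below audits a device inventory for credentials still set to a published default and rejects a new password at onboarding if it is a known default or already in use on another device. The vendor names, default pairs, device names and the inventory record format are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: vendor names and default pairs are placeholders,
# not taken from any real product's documentation.
VENDOR_DEFAULTS = {
    "examplecorp-switch": [("admin", "admin"), ("admin", "password")],
    "examplecorp-camera": [("root", "12345")],
}

def hash_password(password, salt):
    # Salted, slow hash so the inventory never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(name, vendor, username, password):
    salt = os.urandom(16)
    return {"name": name, "vendor": vendor, "username": username,
            "salt": salt, "hash": hash_password(password, salt)}

def matches(record, password):
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)

def audit_defaults(inventory):
    """Names of devices whose stored credential is still a vendor default."""
    flagged = []
    for rec in inventory:
        for user, pw in VENDOR_DEFAULTS.get(rec["vendor"], []):
            if rec["username"] == user and matches(rec, pw):
                flagged.append(rec["name"])
                break
    return flagged

def check_new_password(inventory, candidate):
    """Reasons to reject a new password; an empty list means it is accepted."""
    reasons = []
    defaults = {pw for pairs in VENDOR_DEFAULTS.values() for _, pw in pairs}
    if candidate in defaults:
        reasons.append("published default")
    if any(matches(rec, candidate) for rec in inventory):
        reasons.append("already used on another device")
    return reasons

# Constructed inventory: one device left on its default, one changed.
INVENTORY = [
    make_record("sw-lobby", "examplecorp-switch", "admin", "admin"),
    make_record("cam-dock", "examplecorp-camera", "root", "dock-camera-7-violet-anchor"),
]
```

Running `audit_defaults(INVENTORY)` lists the devices that still need their password changed; `check_new_password` is meant to be called before a new credential is accepted.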

Final Note
Regardless of how good your password policy is, how hard you train employees, and how severe the consequences for policy violation are, there will be a subset of employees who opt for the convenient rather than the secure option. It is important for networks to have perimeter network protection such as Next Generation Firewalls with Intrusion Prevention, Data Loss Protection and other access security appliances protecting the network.

Posted: 28/04/2017 14:49:12 by Network Critical with 0 comments