IT Security Guru

Why are default passwords unchanged – industry views

by The Gurus
May 14, 2014
in Opinions & Analysis

The continued use of default credentials, including passwords, was identified as a key security failing by the Information Commissioner’s Office (ICO) report this week.
 
Correlating with recent research by NCC Group, it seems that there is an expectation of things working out of the box so much that the security functions are not really considered. I put the question to some key industry spokespeople, and asked why people do not check the settings of such crucial things?
 
 

Andy Green, technical content specialist at Varonis
In many organisations there’s a tendency to focus on the latest malware, viruses or APTs. Companies invest in defences that scan and monitor for these specific threats at ingress, on the network or in emails, but in trying to keep up with the latest APTs, IT underplays the threat from basic attacks, typically involving guessable credentials and, more recently, social engineering and phishing.
 
Verizon’s Data Breach Investigations Report, which covers security incidents on a worldwide basis, has been noting for many years that weak or default passwords have been involved in roughly more than half the intrusions. They’ve also been regularly pointing out that the solution is to deploy relatively simple “block and tackle” strategies: password lockout controls, two-factor authentication, and better monitoring of logs.
 

David Harley, senior research fellow at ESET
I think many people – even outside the security field – realise that static passwords, even ‘good’ passwords, are less effective than they used to be in terms of crackability – even less so if credentials aren’t well-protected by the service provider, in which case they’re all but useless.
 
I’m not sure what the article means by ‘default passwords’: if you’re going to allow the user to accept a default, it should at least be a cryptographically efficient, randomly generated password unique to that user, not ‘password’ or one of the other Top n bad passwords that are published time and time again. If it just means static passwords as the only means of authentication because that’s the ‘out of the box’ method, I have to agree: the chances are that it’s being done that way because it’s cheap and easy to implement, and requires a minimum of effort from the customer, which often still trumps securing that same customer’s data.
 

Andrew Rose, principal analyst for security and risk at Forrester Research
IT operations guys are struggling with massive amounts of complexity, with interacting systems, layers and data repositories. Getting these to work can be an art, and leaving default passwords in place removes one layer of complexity and eradicates a possible failure point.
 
Similarly, when setting up these systems (and virtualisation has just increased the rate of system creation and setup), it removes an element of “what was the password?” constantly being asked by the different admins. I sympathise that IT ops guys are busy, but leaving default credentials is just sloppy behaviour.
 

TK Keanini, CTO of Lancope
People are still getting used to the fact that the internet is hostile and that they will be hacked if they don’t practice some level of security – and even then you will get hacked eventually. Vendors also need better practices to be secure by default. While there could be a default password, the application should force a change as soon as the initial user logs in.
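The “force a change on first login” behaviour described above, combined with the lockout control mentioned earlier in the piece, as an added example that is not part of the article or any vendor’s code. The default value, the hashing parameters, the five-failure lockout and the twelve-character minimum are all constructed assumptions for illustration.

```python
"""Secure-by-default credential handling (constructed example).

A shipped default password is accepted exactly once: to set a real one.
Until it is rotated, login returns a 'change_required' state instead of
granting access, and the default itself is refused as the new password.
"""
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "admin"   # constructed placeholder for a shipped default
MAX_FAILURES = 5             # assumed lockout threshold
MIN_LENGTH = 12              # assumed minimum length for a rotated password


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username: str, password: str, must_change: bool = False):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.must_change = must_change   # True while the default is still set
        self.failures = 0
        self.locked = False

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def first_boot_account() -> Account:
    """The factory account: flagged so the default can only be used to rotate."""
    return Account("admin", DEFAULT_PASSWORD, must_change=True)


def login(acct: Account, password: str) -> str:
    """Returns 'locked', 'denied', 'change_required' or 'ok'."""
    if acct.locked:
        return "locked"
    if not acct.verify(password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failures = 0
    return "change_required" if acct.must_change else "ok"


def change_password(acct: Account, current: str, new: str) -> bool:
    """Rotates the credential; refuses the shipped default and short values."""
    if not acct.verify(current) or new == DEFAULT_PASSWORD or len(new) < MIN_LENGTH:
        return False
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new, acct.salt)
    acct.must_change = False
    return True
```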
 

Andrew Barratt, managing director Europe at Coalfire
It’s still a fairly common problem in low-end (cheap) kit. However, a lot of operating systems have removed the concept of a default password – neither Windows, Linux nor Mac OSX have them.
This tends to crop up with ‘appliance’ type devices, which is almost worse in some respects, as there is an overzealous expectation of security with some of these devices.
The problem is that when it is with low-end kit, you typically see them in volume, which then leaves lots of people vulnerable (and often in the SME space), all because the devices are ‘easier’ to set up and get working. Functionality, fast, often trumps security in this space, mainly because this means the SME types don’t have to pay for external support to set them up properly, or the people that are doing this are really entry-level IT bods who are just throwing them in without much consideration for security.
