The continued use of default credentials, including passwords, was identified as a key security failing by the Information Commissioner’s Office (ICO) report this week.
This correlates with recent research by NCC Group: the expectation that things should work straight out of the box is so strong that the security settings are often not considered at all. I put the question to some key industry spokespeople, and asked them why people do not check the settings of such crucial things.
Andy Green, technical content specialist at Varonis
In many organisations there’s a tendency to focus on the latest malware, viruses or APTs. Companies invest in defences that scan and monitor for these specific threats at ingress, on the network or in emails, but in trying to keep up with the latest APTs, IT underplays the threat from basic attacks, typically involving guessable credentials and, more recently, social engineering and phishing.
Verizon’s Data Breach Investigations Report, which covers security incidents on a worldwide basis, has been noting for many years that weak or default passwords have been involved in roughly more than half the intrusions. They’ve also been regularly pointing out that the solution is to deploy relatively simple “block and tackle” strategies – password lockout controls, two-factor authentication, and better monitoring of logs.
David Harley, senior research fellow at ESET
I think many people – even outside the security field – realise that static passwords, even ‘good’ passwords, are less effective than they used to be in terms of crackability – even less so if credentials aren’t well-protected by the service provider, in which case they’re all but useless.
I’m not sure what the article means by ‘default passwords’: if you’re going to allow the user to accept a default, it should at least be a cryptographically efficient, randomly generated password unique to that user, not ‘password’ or one of the other Top n bad passwords that are published time and time again. If it just means static passwords as the only means of authentication because that’s the ‘out of the box’ method, I have to agree: the chances are that it’s being done that way because it’s cheap and easy to implement, and requires a minimum of effort from the customer, which often still trumps securing that same customer’s data.
Andrew Rose, principal analyst for security and risk at Forrester Research
IT operations guys are struggling with massive amounts of complexity, with interacting systems, layers and data repositories. Getting these to work can be an art, and leaving default passwords in place removes one layer of complexity and eradicates a possible failure point.
Similarly, when setting up these systems (and virtualisation has just increased the rate of system creation and setup), it removes an element of “what was the password?” constantly being asked by the different admins. I sympathise that IT ops guys are busy, but leaving default credentials is just sloppy behaviour.
TK Keanini, CTO of Lancope
People are still getting used to the fact that the internet is hostile and that they will be hacked if they don’t practice some level of security – and even then you will get hacked eventually. Vendors also need better practices to be secure by default. While there could be a default password, the application should force a change as soon as the initial user logs in.
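Two of the controls raised above, Green’s “block and tackle” password lockout and Keanini’s forced change on first login, are easy to demonstrate together. The following is an added example written for this page, not code from any vendor or spokesperson quoted in the article. It assumes a lockout threshold of five failures, a minimum new-password length of 12 characters and PBKDF2-SHA256 for storage; all three are illustrative choices, not values from the article.

```python
"""Added example (not from the article): an account store in which the
provisioned default credential can only ever reach the password-change
step, and repeated failures lock the account.  All thresholds below are
assumed values chosen for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5          # assumed lockout threshold
MIN_LENGTH = 12           # assumed minimum length for a chosen password
PBKDF2_ROUNDS = 200_000   # assumed work factor for password storage


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest; constant-time compared on use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True   # any provisioned default starts flagged
    failures: int = 0
    locked: bool = False


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> Account

    def provision_default(self, user: str) -> str:
        """Create the initial account with a random per-instance password
        (rather than a shared 'password') that must still be changed."""
        pw = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(pw, salt), must_change=True)
        return pw  # shown once to the installer, never stored in clear

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'change_required', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True      # lockout control
                return "locked"
            return "denied"
        acct.failures = 0
        if acct.must_change:
            return "change_required"    # the default gets no further than this
        return "ok"

    def change_password(self, user: str, current: str, new: str) -> bool:
        """Replace the credential; refuses short passwords and re-use of the current one."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            return False
        if not hmac.compare_digest(acct.digest, _hash(current, acct.salt)):
            return False
        if len(new) < MIN_LENGTH or hmac.compare_digest(acct.digest, _hash(new, acct.salt)):
            return False                # keeping the default is not an option
        acct.salt = os.urandom(16)
        acct.digest = _hash(new, acct.salt)
        acct.must_change = False
        return True


def demo() -> list:
    """Walk through first login, a refused re-use of the default, a real change,
    and confirm the old default no longer works."""
    store = AccountStore()
    default_pw = store.provision_default("admin")
    results = [store.login("admin", default_pw)]                                  # change_required
    results.append(store.change_password("admin", default_pw, default_pw))        # False
    results.append(store.change_password("admin", default_pw, "correct-horse-battery"))  # True
    results.append(store.login("admin", default_pw))                              # denied
    results.append(store.login("admin", "correct-horse-battery"))                 # ok
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `login` never returns `ok` while `must_change` is set, so a device that ships with a default cannot be put into service with it still in place; the lockout counter resets only on a successful authentication.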
Andrew Barratt, managing director Europe at Coalfire
It’s still a fairly common problem in low-end (cheap) kit. However, a lot of operating systems have removed the concept of a default password – neither Windows, Linux nor Mac OS X has one.
This tends to crop up with ‘appliance’-type devices, which is almost worse in some respects, as there is an overzealous expectation of security with some of these devices.
The problem is that when it is low-end kit, you typically see it deployed in volume, which then leaves lots of people vulnerable (and often in the SME space), all because the devices are ‘easier’ to set up and get working. Functionality fast often trumps security in this space, mainly because it means the SME types don’t have to pay for external support to set them up properly, or because the people doing this are really entry-level IT bods who are just throwing them in without much consideration for security.