Think of all the routers, switches, appliances, and other devices that may be available and accessible on your network. Then consider all the ones that require some type of account to authenticate and gain access. How many of them potentially still have their default credentials? Not sure? Therein lies the problem, according to a recent blog post from security service provider SecurityHQ.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
The problem with default credentials
In its blog post entitled “Notes from the Field. Don’t Default on Password Security,” SecurityHQ described the trap of default credentials.
Many hardware devices and their associated applications come with a built-in username and password so that administrators can gain initial access to configure them.
After the device is set up, good security practices dictate that the administrator change the default credentials to ones that are more secure and complex. But sometimes those built-in credentials remain in place, either for convenience or because of forgetfulness.
Now imagine that your organization is breached by a cybercriminal. The attacker typically scans your network to look for vulnerable spots, notes SecurityHQ. Such a scan can reveal which ports are open and accessible as well as which applications and devices still have their default credentials.
A quick search on the internet will usually reveal the default credentials for a specific product. And those are all the hacker needs to take over that device. If the compromised device or application is connected to a server on your domain, the attacker can then use the access to hack into other accounts and servers.
How to scan for default credentials
The first task you should take is to scan your network for default credentials, advises SecurityHQ. For this, you’ll want to tap into a vulnerability assessment tool. Such companies as Qualys, Nessus, and Rapid7 all provide tools that can look for applications and appliances that still have their default credentials. All three have free trials so you can test each one.
Resolve the problem
If you find any devices with their default credentials, SecurityHQ offers the following four recommendations:
- Once default credentials are highlighted, change or disable them immediately if they are not required.
- Ensure that new passwords are used and that these passwords are unique, long, and include a combination of different numbers, letters, and symbols. Do not use old passwords.
- Store the new unique passwords safely in a password manager or enterprise Privileged Access Management tool (PAM).
- Take this opportunity to evaluate if a public facing application or appliance is really meant to have such exposure. By limiting the exposure, you will help to reduce the attack vectors.