We started a new feature in our newsletter called “Touchdown Task.” Each month, we focus on a specific, measurable task you can use to firm up your own security strategy. This “Touchdown Task” focuses on authentication credentials. Here we go!
Goal: To identify and remove all network, system and application access that does not require secure authentication credentials or mechanisms.
What this task entails is finding every system and application on your network that can be reached without entering a user name and password, or that accepts a widely known vendor default password. This is a very important task indeed: our techs are often able to compromise the systems we test precisely because of blank or weak passwords. That is especially dangerous because attackers of any skill level, or merely the curious, can use those blank or weak credentials to poke around, read private information, or elevate their privileges and take control of the system.
A number of very common services and applications ship from the vendor with blank or well-known default passwords. One of the most dangerous, and one we see all the time, is Microsoft SQL Server: older versions installed with a blank password on the built-in "sa" administrator account, and it is very easy to forget to set one once the software is running. Current versions require a password for "sa" at install time, but an instance that was installed, or upgraded in place, from an older version can still carry the blank one. The blank password is usable whenever SQL Server authentication ("mixed mode") is enabled, which is exactly how many applications are configured to connect.
How do you find the blank and vendor-default passwords that may be present on your network? The most reliable way is an internal network vulnerability assessment (your own, or one performed for you by your security partner). Most assessment tools include default-credential and anonymous-access checks, and your organization most likely already has one in place. Configure the tool to run those tests and report their results separately from the general findings, so this task has its own measurable list to work from. Also check your FTP sites and file shares to make sure they cannot be accessed anonymously: anonymous FTP logins and guest or null-session access to shares are the usual culprits.
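The same check can be scripted for the services an assessment tool does not cover, or to confirm a scanner's finding before it goes on the remediation list. The script below is an added example for this Touchdown Task, not a tool from the newsletter: it tries a short list of default credentials against each host's services, stops at the first pair that works per service, and reports blank passwords first. The host names and the credential list are constructed; only the FTP checker speaks a real protocol (via Python's ftplib), while the sweep logic accepts any checker function so other services can be plugged in.

```python
"""Sweep hosts for services that accept blank or vendor-default credentials.
Added example for this Touchdown Task; host names and credentials are constructed."""
import ftplib
from typing import Callable, Dict, List, Tuple

# Constructed, deliberately short default-credential list. A real sweep would
# load a vendor-default list for each product in the inventory.
DEFAULT_CREDS: Dict[str, List[Tuple[str, str]]] = {
    "ftp":   [("anonymous", "anonymous@example.com"), ("ftp", "ftp")],
    "mssql": [("sa", ""), ("sa", "sa"), ("sa", "password")],
}

# A checker takes (host, user, password) and returns True if the login succeeds.
Checker = Callable[[str, str, str], bool]


def check_ftp_login(host: str, user: str, password: str,
                    port: int = 21, timeout: float = 5.0) -> bool:
    """Real FTP checker: True if the server accepts this user/password.
    ftplib raises error_perm on a rejected login and OSError when nothing answers;
    both are covered by ftplib.all_errors and count as 'not vulnerable'."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)
            return True
    except ftplib.all_errors:
        return False


def sweep(hosts: Dict[str, List[str]], checkers: Dict[str, Checker],
          creds: Dict[str, List[Tuple[str, str]]] = DEFAULT_CREDS) -> List[dict]:
    """Try each default credential against each host's services.

    hosts maps host -> list of service names; checkers maps service -> checker.
    Stops at the first working pair per service so a live run does not keep
    hammering an account that already failed the test (lockout risk)."""
    findings: List[dict] = []
    for host, services in hosts.items():
        for service in services:
            checker = checkers.get(service)
            if checker is None:
                continue  # no checker for this service: report nothing rather than guess
            for user, password in creds.get(service, []):
                if checker(host, user, password):
                    findings.append({"host": host, "service": service, "user": user,
                                     "password": password, "blank": password == ""})
                    break
    return findings


def report(findings: List[dict]) -> List[str]:
    """One line per finding, blank passwords first (the worst case)."""
    ordered = sorted(findings, key=lambda x: (not x["blank"], x["host"], x["service"]))
    lines = []
    for item in ordered:
        shown = "<blank>" if item["blank"] else item["password"]
        lines.append(f"{item['host']} {item['service']}: {item['user']}/{shown}")
    return lines


if __name__ == "__main__":
    # Live run against a constructed target; only the FTP checker is wired here.
    targets = {"ftp.example.internal": ["ftp"]}
    for line in report(sweep(targets, {"ftp": check_ftp_login})):
        print(line)
```

Run it only against hosts you are authorized to test, and keep the credential list short: the point is to confirm blank and vendor-default passwords, not to brute-force accounts, and a longer list will trip lockout policies.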
To remedy the situation once weak or missing credentials have been found, change or set the passwords so that they comply with your site's information security password policy, and where a default account is not needed at all, disable it rather than just give it a password. Generally speaking, passwords should never be blank, widely known (vendor default) or easily guessable. For example, a password should never be "password", "admin", "1234567", "qwerty", and the like.
Passwords should also never match the account name, the name of the organization, the name of the software package or other easily guessable values. Good passwords should contain at least three of the four character types (upper-case letters, lower-case letters, numbers, and special characters); length matters at least as much as the mix, so pair the composition rule with a minimum length.
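The rules above are easy to encode, which lets you apply them consistently when resetting the accounts a sweep turned up. The checker below is an added example, not from the newsletter: it flags blank passwords, entries on a denylist of widely known values, passwords equal to the account name, passwords that contain an organization or product name (a slightly stricter reading than "the same as"), and fewer than three of the four character classes. The denylist and the names are constructed, and the minimum length is an addition to the rules stated above.

```python
"""Check a candidate password against the policy described in this Touchdown Task.
Added example; the denylist, names and minimum length are assumptions."""
import string
from typing import List

# Constructed, deliberately short denylist. Real deployments use a large list of
# breached and common passwords and compare case-insensitively.
COMMON_PASSWORDS = {"password", "admin", "1234567", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12  # added rule; the newsletter itself states no minimum length


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    present = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(present)


def policy_violations(pw: str, account: str, context_names: List[str]) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes.

    context_names are the strings an attacker tries first: the organization,
    the product (e.g. 'sqlserver'), the host name."""
    if pw == "":
        return ["blank"]  # nothing else is worth reporting for an empty password
    problems: List[str] = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("widely known default/common password")
    if low == account.lower():
        problems.append("same as account name")
    for name in context_names:
        if name and name.lower() in low:
            problems.append(f"contains guessable name '{name}'")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the 'sa' account at a fictitious organization.
    for candidate in ["", "password", "sa", "Acme-Summer2024!", "Tr4ck-Vault#Granite9"]:
        result = policy_violations(candidate, "sa", ["acme", "sqlserver"])
        print(repr(candidate), "->", result or "OK")
```

Run the check at reset time, not only at audit time: a password that passes these rules but is then reused across every database server on the network has defeated the purpose, so pair the policy with per-system unique passwords stored in a vault.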
Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack! Give us a call if you’d like us to partner with you for security assessments.