Passwords represent the essence of network security. Most systems you interact with on a daily basis have some form of password-related access control. From network infrastructure devices to mobile endpoints and out to the cloud – there’s an untold number of systems that rely, sometimes solely, on passwords to keep things secure. But you have to be careful. I often find password-related security oversights in the most secure of environments. Here are some tips for things you need to be on the lookout for:
- Firewalls, routers, and wireless access points that have their own password standards, i.e. they don’t fall under the main Windows domain password policy. This includes both config- and enable-type passwords across all of your systems. I periodically come across firewalls where passwords have never been changed from the defaults or even set at all. Be sure to check all possible interfaces on these systems, including telnet, FTP, and web, as the exposures and attack surfaces can be quite broad.
- Weak Wi-Fi configurations that include simple WPA pre-shared keys, easily-cracked WEP encryption, and open guest wireless that provides access to production network segments.
- Phones and tablets that don’t require passwords at all. This one is very common, especially among the riskiest of users (business executives). Mobile exposures can be especially problematic when login credentials have been stored or cached within mobile apps and provide access to other areas of the environment.
- Web and database systems that have default or weak passwords or that otherwise facilitate password cracking, i.e. no intruder lockout is enabled. This can occur on core systems but I most often find this flaw on applications and databases that are seemingly benign such as dev and QA systems or systems believed (assumed) to be non-critical. This can directly expose personally-identifiable information or intellectual property or serve as a steppingstone to unauthorized access of critical systems within the network.
- Websites and cloud-based applications where business and personal login credentials are co-mingled. A breach of such a system or malware on a single user’s endpoint is all it might take to lead to a compromise of internal business systems otherwise presumed to be locked down.
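As an added illustration of the intruder-lockout control the list above says is so often missing (this is example code, not from the original post), the following Python replays a small constructed authentication log through a sliding-window lockout policy; the thresholds, the `LockoutTracker` class and the log format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy thresholds are assumptions for this example, not values from the post.
MAX_FAILURES = 5                 # failures tolerated inside WINDOW
WINDOW = timedelta(minutes=15)   # sliding window in which failures are counted
LOCKOUT = timedelta(minutes=30)  # how long the account then stays locked

class LockoutTracker:
    def __init__(self):
        self._failures = defaultdict(deque)  # user -> recent failure timestamps
        self._locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):  # True if this failure locks the account
        q = self._failures[user]
        q.append(now)
        while now - q[0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if len(q) < MAX_FAILURES:
            return False
        self._locked_until[user] = now + LOCKOUT
        return True

    def record_success(self, user):
        self._failures.pop(user, None)  # a good login resets the counter
# Constructed sample auth log (not real data): "<ISO timestamp> <FAIL|OK> <user>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL svc_qa
2024-01-10T09:00:02 FAIL svc_qa
2024-01-10T09:00:03 FAIL svc_qa
2024-01-10T09:00:04 FAIL svc_qa
2024-01-10T09:00:05 FAIL svc_qa
2024-01-10T09:00:06 OK svc_qa"""

def replay(log):  # returns (lockouts triggered, attempts rejected while locked)
    tracker, lockouts, rejected = LockoutTracker(), [], []
    for line in log.splitlines():
        ts, result, user = line.split()
        now = datetime.fromisoformat(ts)
        if tracker.is_locked(user, now):  # locked: reject even a correct password
            rejected.append((ts, user))
        elif result == "FAIL" and tracker.record_failure(user, now):
            lockouts.append((ts, user))
        elif result == "OK":
            tracker.record_success(user)
    return lockouts, rejected
```

Without such a policy, the same log would let the guessing continue indefinitely, which is exactly what makes the "seemingly benign" dev and QA systems above such convenient cracking targets.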
Rather than these being intentional password security oversights, I think they’re simply a case of not being able to see the forest for the trees given how complex the average network is today. Still, all it takes is one weak password on one system to completely negate all other enterprise security controls. So, never forget that you could have the best security controls in the world but all it takes is one gullible and overly-willing user to provide their network login credentials when prompted with a cleverly-crafted phishing email.
Some people will argue that passwords are dead and we have to move on from such an archaic means of access control. That’s a great goal to have but it’s not realistic as I’m pretty sure we’re not going to see big changes in this area in the coming years. One or more of the password security risks I outlined above are present in most network environments and they’re likely creating tangible risks in your business today. It’s up to you to figure out where the weaknesses are and do what it takes both technically, culturally, and politically to address password issues where possible and necessary.