Amazingly true (and dumb) password practices


Cyber attacks are growing in sophistication and volume, and yet the latest techniques and malware aren't necessarily the ones to be the most feared. The age-old exploits and poor routine security practices are the ones that often get companies in trouble, reports Taylor Armerding at CSO magazine.

Sub-par password policies and practices are among the most common problems for enterprise network security, according to Rob Havelt, director of penetration testing at security vendor Trustwave. Too often, Havelt said, he finds that the password for administrative access is "admin" or it is left blank. Author of "Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests," Havelt impresses upon IT leaders the importance of fixing small flaws before they result in big problems.
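The failures Havelt describes (an administrative password of "admin", a blank password, a master default left in place) are all things a defender can catch in an offline audit before a penetration tester does. The following is an added example, not code from the CSO article or from Trustwave: a small password-policy audit that flags blank passwords, passwords on a default/vendor deny list, passwords that merely repeat the username, and short or letters-only administrative passwords. The deny list and the account records are constructed sample data.

```python
# Added example (not from the CSO article): an offline password-policy audit
# that flags the failures described above -- blank administrative passwords,
# vendor/default passwords, and passwords that simply repeat the username.
# The account records and the default-password list are constructed sample
# data, not taken from any real system.
from __future__ import annotations

from dataclasses import dataclass

# Constructed deny list of well-known default/vendor passwords. In a real
# deployment this would be a much larger list loaded from a file.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "1234", "0000"}

MIN_LENGTH = 12


@dataclass
class Account:
    username: str
    password: str          # plaintext only because this is an offline audit of sample data
    is_admin: bool = False


def audit_password(account: Account) -> list[str]:
    """Return the list of policy violations for one account (empty list = passes)."""
    pw = account.password
    findings = []
    if pw == "":
        findings.append("blank password")
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("default/vendor password")
    if pw and pw.lower() == account.username.lower():
        findings.append("password equals username")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # Administrative accounts get one extra, stricter requirement.
    if account.is_admin and not (
        any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)
    ):
        findings.append("admin password must mix letters and digits")
    return findings


def audit_accounts(accounts: list[Account]) -> dict[str, list[str]]:
    """Audit every account; return {username: [violations]} for failing accounts only."""
    report = {}
    for acct in accounts:
        findings = audit_password(acct)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample accounts mirroring the failures in the article.
SAMPLE_ACCOUNTS = [
    Account("admin", "admin", is_admin=True),          # default admin password
    Account("pbx-master", "", is_admin=True),          # blank master password
    Account("jsmith", "jsmith"),                       # password equals username
    Account("ops", "correct-horse-battery-staple-9", is_admin=True),  # passes
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(problems)}")
```

Run against the sample data, the audit reports `admin`, `pbx-master` and `jsmith` and passes `ops`. The same shape of check belongs in the provisioning path for network appliances and PBX-style systems, where a shipped master password should be rejected at first configuration rather than discovered later.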

One of Havelt's "amazingly true stories" recalls a Fortune 500 financial firm that was using an older PBX system and had a master default password for it. When his team was conducting penetration tests, they were able to use the default password to act as any user, having "better than administrative access." They got access to all voice mail, which they in turn used to call back a user who had left a message about an IT problem. In that one phone call, they managed to get the employee's user name, token PIN and domain password. With the domain password, they were able to access the wealth management system and the Department of Homeland Security Watch List, he said. All because of a master default password on the PBX system.

While testing for a large manufacturer, Havelt's team managed to hack into its HD security cameras, some of which were monitoring desks. It didn't take much for them to then zoom in on keyboards, gather passwords and break into other systems. "I wish I could tell you that these are isolated instances, but they're not. There are thousands of cases," Havelt said.

To avoid ending up the victim of an age-old flaw like these, more penetration testing may be in order, Havelt (naturally) suggests.

For more, see:
- Taylor Armerding's article at CSO magazine
