Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Default configurations can be massive vulnerabilities. Here are a half dozen to check on for your network.

Figure 1:
Plug and play is an alluring promise and a dangerous reality when it comes to devices attached to an enterprise network. It's great when the device is able to handle all the network protocols and handshaking without human intervention. But when those humans get swept up in the exhilaration of the plug-and-play moment and forget to change some widely known defaults, the convenience can quickly become a vulnerability.
When most people think of dangerous defaults, they think about admin account names and passwords. There's no question that these widely available credentials that ship as defaults on devices can be significant vulnerabilities if they aren't changed during initial configuration (as pretty much every vendor suggests you do). But there are other configuration items that can be just as dangerous in slightly different ways.
There have been numerous incidents in which the default configuration of cloud services or applications left both the infrastructure and data vulnerable to attack. One could use an overly broad brush to paint anything with the word 'public' as a configuration default to be something that should be treated as a threat. But vendors and service providers have been closing those vulnerabilities, and they are now far less common than they were in the middle of the 2010s.
Before getting into the specifics of some of the defaults that should be on security pros' radar screens, we should say without reservation that no default username or password should ever survive the initial setup session. In a reasonable world (we won't stretch as far as 'perfect'), everyone setting up a service, application, or piece of hardware would change the admin user name and password as soon as the configuration scripts allow — so we can agree that if the things that follow are a vulnerability, something has gone wrong in the process.
With that said, humans — and human-created processes — are fallible. Just in case your organization has either humans or processes that are susceptible to failure, here are a half-dozen products and services that you should look for on network scans. And to be sure — if you can find them, the odds are reasonably good that a curious hacker with access to Shodan can find them, too.  
(Image: momius via Adobe Stock)

Plug and play is an alluring promise and a dangerous reality when it comes to devices attached to an enterprise network. It's great when the device is able to handle all the network protocols and handshaking without human intervention. But when those humans get swept up in the exhilaration of the plug-and-play moment and forget to change some widely known defaults, the convenience can quickly become a vulnerability.

When most people think of dangerous defaults, they think about admin account names and passwords. There's no question that these widely available credentials that ship as defaults on devices can be significant vulnerabilities if they aren't changed during initial configuration (as pretty much every vendor suggests you do). But there are other configuration items that can be just as dangerous in slightly different ways.

There have been numerous incidents in which the default configuration of cloud services or applications left both the infrastructure and data vulnerable to attack. One could use an overly broad brush to paint anything with the word "public" as a configuration default to be something that should be treated as a threat. But vendors and service providers have been closing those vulnerabilities, and they are now far less common than they were in the middle of the 2010s.

Before getting into the specifics of some of the defaults that should be on security pros' radar screens, we should say without reservation that no default username or password should ever survive the initial setup session. In a reasonable world (we won't stretch as far as "perfect"), everyone setting up a service, application, or piece of hardware would change the admin user name and password as soon as the configuration scripts allow — so we can agree that if the things that follow are a vulnerability, something has gone wrong in the process.

With that said, humans — and human-created processes — are fallible. Just in case your organization has either humans or processes that are susceptible to failure, here are a half-dozen products and services that you should look for on network scans. And to be sure — if you can find them, the odds are reasonably good that a curious hacker with access to Shodan can find them, too.  

(Image: momius via Adobe Stock)

Figure 2:Cisco Configuration Professional
Cisco Configuration Professional is a utility program that professionals working in networking have likely seen. Most, if they use the program, will have changed the default 'cisco/cisco' username and password to something that conforms to their organization's policies. If they neglected that step, then there could be serious issues ahead.
As the name implies, Cisco Configuration Professional is a tool for configuring certain Cisco routers, either at the time of initial deployment or after they're already in the field. The ability to configure and change any facet of a router's behavior makes this an incredibly powerful program -- and one that could be quite useful for malicious purposes in the wrong hands.
The most dangerous situation involving this program is when it is left on an administrator's system (or a system with administration privileges) without an updated set of credentials.
(Image: metamorworks via Adobe Stock)

Cisco Configuration Professional

Cisco Configuration Professional is a utility program that professionals working in networking have likely seen. Most, if they use the program, will have changed the default "cisco/cisco" username and password to something that conforms to their organization's policies. If they neglected that step, then there could be serious issues ahead.

As the name implies, Cisco Configuration Professional is a tool for configuring certain Cisco routers, either at the time of initial deployment or after they're already in the field. The ability to configure and change any facet of a router's behavior makes this an incredibly powerful program -- and one that could be quite useful for malicious purposes in the wrong hands.

The most dangerous situation involving this program is when it is left on an administrator's system (or a system with administration privileges) without an updated set of credentials.

(Image: metamorworks via Adobe Stock)

Figure 3:Cable Modems
Employee home networks have been part of the enterprise network as long as employees have carried work home to pore over at night. That's true whether they're working on company-supplied computers or their own home systems. Either way, a door into your enterprise data is open outside your organization's control.
The vast majority of employees will have Internet service provided by their cable television provider. And for many of those employees, the cable modem will sit in a closet (or on top of a cable receiver) with the default admin credentials until it's destroyed by a random lightning strike.
Cable modems are infamous for using 'admin/admin' or even 'admin/' as their username/password pairs by default. Even if they don't use this specific pair, cable modems tend to have default credentials that are easily guessed or fuzzed. Employees should be urged to change their passwords immediately, and the cybersecurity staff should be prepared to help them with this, no matter which cable modem is involved.
(Image: jeremy via Adobe Stock)

Cable Modems

Employee home networks have been part of the enterprise network as long as employees have carried work home to pore over at night. That's true whether they're working on company-supplied computers or their own home systems. Either way, a door into your enterprise data is open outside your organization's control.

The vast majority of employees will have Internet service provided by their cable television provider. And for many of those employees, the cable modem will sit in a closet (or on top of a cable receiver) with the default admin credentials until it's destroyed by a random lightning strike.

Cable modems are infamous for using "admin/admin" or even "admin/" as their username/password pairs by default. Even if they don't use this specific pair, cable modems tend to have default credentials that are easily guessed or fuzzed. Employees should be urged to change their passwords immediately, and the cybersecurity staff should be prepared to help them with this, no matter which cable modem is involved.

(Image: jeremy via Adobe Stock)

Figure 4:Raspberry Pi
The Raspberry Pi is not sold as an enterprise computing platform. That's good, because it's definitely not such a platform. But institutional and enterprise networks have found themselves playing host to the diminutive single-board computers as employees have brought them in for a variety of purposes. And as employees have brought the computers, they've brought their vulnerabilities as well, including a significant weakness based on a default password.
Many people assume that two things protect the Raspberry Pi from attack. The first is that it's primary operating system is a variant of Linux. The next is that users tend to be knowledgeable enthusiasts. Unfortunately, neither provides protection when the default 'pi/raspberry' credentials are left in place for a user with admin privileges.
Once a Raspberry Pi left open to the Internet is discovered, default credentials and a simple 'sudo' will open the board up to the root level and be used as a powerful pivot point to the rest of the network. It's not enough for the Raspberry Pi user to add another account for admin work; the default credentials need to be changed before the system is attached to any network.
(Image: my boys.me via Adobe Stock)

Raspberry Pi

The Raspberry Pi is not sold as an enterprise computing platform. That's good, because it's definitely not such a platform. But institutional and enterprise networks have found themselves playing host to the diminutive single-board computers as employees have brought them in for a variety of purposes. And as employees have brought the computers, they've brought their vulnerabilities as well, including a significant weakness based on a default password.

Many people assume that two things protect the Raspberry Pi from attack. The first is that it's primary operating system is a variant of Linux. The next is that users tend to be knowledgeable enthusiasts. Unfortunately, neither provides protection when the default "pi/raspberry" credentials are left in place for a user with admin privileges.

Once a Raspberry Pi left open to the Internet is discovered, default credentials and a simple "sudo" will open the board up to the root level and be used as a powerful pivot point to the rest of the network. It's not enough for the Raspberry Pi user to add another account for admin work; the default credentials need to be changed before the system is attached to any network.

(Image: my boys.me via Adobe Stock)

Figure 5:MySQL
Default credentials are not a problem limited to hardware devices. Software and applications should have default credentials changed as well. One of the more serious of these is mySQL, which comes complete with no default password at all.
MySQL is used by embedded devices and network appliances, and it's a frequent back-end tool for web applications at small and midsize businesses. There are a host of very good reasons for its wide use, including a hefty feature list and a price tag that reads 'free.' But the overall cost of ownership can skyrocket if basic security issues aren't dealt with in the configuration process.
An easy Shodan search will reveal just how many instances of MySQL you have in your organization. Each one should be scanned for the default credentials -- and those credentials should be changed. Now.
(Image: maciek905 via Adobe Stock)

MySQL

Default credentials are not a problem limited to hardware devices. Software and applications should have default credentials changed as well. One of the more serious of these is mySQL, which comes complete with no default password at all.

MySQL is used by embedded devices and network appliances, and it's a frequent back-end tool for web applications at small and midsize businesses. There are a host of very good reasons for its wide use, including a hefty feature list and a price tag that reads "free." But the overall cost of ownership can skyrocket if basic security issues aren't dealt with in the configuration process.

An easy Shodan search will reveal just how many instances of MySQL you have in your organization. Each one should be scanned for the default credentials -- and those credentials should be changed. Now.

(Image: maciek905 via Adobe Stock)

Figure 6:SNMP Default Community String
Simple Network Management Protocol (SNMP) is a common standard for allowing monitoring systems to gather status data from network components. If SNMP were a one-way data path, bad default behavior might help an adversary with reconnaissance, but that would be it. Unfortunately for the security team, SNMP's potential goes much farther.
In the first two versions of SNMP (there are three), the only attempt at authentication was through a device called the 'community string.' A simple text string, the community string was enough to gain access to either read or read/write access to a network device. To make things even easier, tens of thousands of devices had default community strings of 'public,' 'private,' or 'write' -- defaults that were never changed.
If attackers gain read/write access through SNMP, they can not only learn the precise configuration of routers, switches, and other network devices but can change those configurations at will.
While the newest iteration of SNMP provides for stronger username/password authentication, there are still millions of network devices in the field with earlier SNMP versions installed. A survey of network devices and their SNMP community string should be a necessary (if very scary) part of your network readiness plan.
(Image: shane via Adobe Stock)

SNMP Default Community String

Simple Network Management Protocol (SNMP) is a common standard for allowing monitoring systems to gather status data from network components. If SNMP were a one-way data path, bad default behavior might help an adversary with reconnaissance, but that would be it. Unfortunately for the security team, SNMP's potential goes much farther.

In the first two versions of SNMP (there are three), the only attempt at authentication was through a device called the "community string." A simple text string, the community string was enough to gain access to either read or read/write access to a network device. To make things even easier, tens of thousands of devices had default community strings of "public," "private," or "write" -- defaults that were never changed.

If attackers gain read/write access through SNMP, they can not only learn the precise configuration of routers, switches, and other network devices but can change those configurations at will.

While the newest iteration of SNMP provides for stronger username/password authentication, there are still millions of network devices in the field with earlier SNMP versions installed. A survey of network devices and their SNMP community string should be a necessary (if very scary) part of your network readiness plan.

(Image: shane via Adobe Stock)

Figure 7:Any IoT Device
If your network includes Internet of Things devices installed prior to, let's say, July 1 of this year, you can reasonably make two assumptions about them. First, they have a username and password that were set by the vendor and are widely known. Second, that it is somewhere between difficult and impossible to change that username and password.
There are, of course, exceptions to these two assumptions, but these are the safest assumptions to make. And because the second assumption is that there's nothing you can do about the first, external protection is your only safe option.
Actually, external protection is the third step in the process. First, you should survey your network to find out just how many of these IoT devices are in your computing fleet. Next, you should try to find out what the default credentials are for each of the devices. Even if there's nothing a human should be able to change, knowing the login strings will help security analysts understand the aim of many attack probes.
Finally you should whitelist the legitimate ports and destination addresses for the devices. Be careful -- many IoT devices use ephemeral port assignments in a fairly broad range. Still, understanding what 'real' traffic looks like will help you keep a handle on the probes and attempted takeovers that are certain to hit your IoT devices on a frequent basis.
(Image: wladamir1804 via Adobe Stock)

Any IoT Device

If your network includes Internet of Things devices installed prior to, let's say, July 1 of this year, you can reasonably make two assumptions about them. First, they have a username and password that were set by the vendor and are widely known. Second, that it is somewhere between difficult and impossible to change that username and password.

There are, of course, exceptions to these two assumptions, but these are the safest assumptions to make. And because the second assumption is that there's nothing you can do about the first, external protection is your only safe option.

Actually, external protection is the third step in the process. First, you should survey your network to find out just how many of these IoT devices are in your computing fleet. Next, you should try to find out what the default credentials are for each of the devices. Even if there's nothing a human should be able to change, knowing the login strings will help security analysts understand the aim of many attack probes.

Finally you should whitelist the legitimate ports and destination addresses for the devices. Be careful -- many IoT devices use ephemeral port assignments in a fairly broad range. Still, understanding what "real" traffic looks like will help you keep a handle on the probes and attempted takeovers that are certain to hit your IoT devices on a frequent basis.

(Image: wladamir1804 via Adobe Stock)

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights