We’ve all done it, at least once. Some of us maybe more than a couple of times, and I know there are a few repeat offenders. You know what I’m talking about – the bane of the security admin’s existence – default passwords.
Those are the usernames and passwords that come with every device. Even in this day and age, most systems don’t REQUIRE you to change the credentials that get you system admin rights. The bad guys know that and use it to their advantage.
When most of our business and personal systems are protected with just a username and a basic password (and maybe a trusted network range?), that’s easy pickings for anyone with a brute-force tool, or with a sniffer on a protocol that still sends credentials in the clear. And once the bad guys have your credentials, then what? That is when the real dangers begin.
When’s the last time you changed your voicemail PIN from 0000? Perhaps your home router is still admin/password even though the FBI issued a warning for everyone to change it? And how many ERP users keep system admin “manager” around with the default password of… you guessed it. And those accounts open the door wide to anyone wanting to get in; good and bad.
If you have systems exposed to the bad guys (and we all do!) then this post is for you. STOP IT! Even if you told me “Well, none of those systems are internet exposed”, I’d ask “where are the bad actors in your network?”. If you said “outside the firewall”, I’d respond with something like “I dare you to create a share/folder called ‘payroll’ and see how long it takes before some curious netizen (aka employee) wanders into that folder looking for something juicy.”
Imagine laying your entire infrastructure wide open to someone who just happened to know that Netgear routers have shipped with admin/password as the default login? Or that your company name is NOT a good password?
So what’s a concerned system admin gonna do? It’s easy in theory and hard in practice. Here are some digital security tips that will create a stronger password security strategy:
1. Change the default username and change the default password.
2. Start using stronger passwords, not P@ssw0rd (keyboard substitutions like that are in every cracking wordlist). We recommend pass phrases: a sentence that you can remember but the bad guys will have a hard time guessing.
3. Enable account lockout so that after “x” bad passwords in a row the account stays locked until someone unlocks it (not auto-reset after 10 minutes, thank you Microsoft); a counter that quietly resets itself just tells a patient attacker how slowly to guess. Have the helpdesk notified of every lockout so you are in the know. One caveat: a permanent lockout also lets an attacker lock a legitimate user out on purpose by guessing wrong, so pair it with a fast, identity-verified unlock process and keep a separately protected break-glass admin account that is not subject to it.
4. Stop using admin credentials on untrusted networks. Yes, your users’ network is untrusted! Create a management VLAN, or allow RDP only from a specific set of IPs, or shut down management access from outside devices altogether.
5. Enable multi-factor authentication. This is straightforward to turn on in Office 365, and for Active Directory through an MFA provider, and devices and applications that sign in through that directory with modern authentication inherit the 2FA protection. The caveat: logins over legacy protocols (plain LDAP binds, NTLM, basic auth) bypass MFA entirely, so check every exposed login path, not just the main portal.
6. Hack yourself! Run a network scanner, or hire an outsourced IT firm to investigate for you, find the unsecured devices and fix them before the bad guys do.
7. Let us help you! We can run our IT Assessment Detective scan of your systems, attempt to break into them, and give you a full report of your IT weaknesses. As “they say”, knowledge is power.
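To make tip 3 concrete, here is an added example (not code from the original post) that simulates two lockout policies over a constructed stream of login events: one where the bad-password counter and the lock both clear themselves after 10 minutes, and one where the account stays locked until a helpdesk unlock. The account names, timestamps, thresholds and the attacker’s pacing are all constructed for illustration; nothing here is a real log.

```python
"""Simulate account-lockout policies over a constructed login event stream.

Added example, not from the original post. Event data, account names and
policy values are constructed for illustration. The point it demonstrates:
a lockout counter that resets itself after a fixed window lets a patient
attacker keep guessing indefinitely, while a lockout that stays until
someone clears it stops the guessing at the threshold and produces a
helpdesk notification.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                                                  # bad passwords in a row before lockout
    reset_counter_after: Optional[timedelta] = timedelta(minutes=10)    # None: counter never resets on its own
    lockout_duration: Optional[timedelta] = timedelta(minutes=10)       # None: locked until an admin unlocks


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None
    evaluated: int = 0      # guesses that actually reached the password check
    rejected: int = 0       # guesses bounced because the account was locked


@dataclass
class LoginEvent:
    when: datetime
    user: str
    success: bool


def simulate(events, policy):
    """Replay events in time order; return ({user: AccountState}, helpdesk notifications)."""
    states = {}
    notifications = []
    for ev in sorted(events, key=lambda e: e.when):
        st = states.setdefault(ev.user, AccountState())
        # Auto-unlock once the lockout duration has elapsed (never, if permanent).
        if (st.locked_at is not None and policy.lockout_duration is not None
                and ev.when - st.locked_at >= policy.lockout_duration):
            st.locked_at = None
            st.failures = 0
        if st.locked_at is not None:
            st.rejected += 1        # locked: the guess is not even evaluated
            continue
        st.evaluated += 1
        if ev.success:
            st.failures = 0
            continue
        # Expire a stale counter (the "resets after 10 minutes" behaviour).
        if (policy.reset_counter_after is not None and st.last_failure is not None
                and ev.when - st.last_failure >= policy.reset_counter_after):
            st.failures = 0
        st.failures += 1
        st.last_failure = ev.when
        if st.failures >= policy.threshold:
            st.locked_at = ev.when
            notifications.append(f"{ev.when:%H:%M} lockout: {ev.user}")
    return states, notifications


def constructed_events():
    """Constructed sample: a slow brute force on the default ERP admin plus one legitimate user."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = []
    # Attacker: 4 guesses, then wait 11 minutes, six times over the hour (stays under a 5-in-10-min threshold).
    for burst in range(6):
        for i in range(4):
            events.append(LoginEvent(t0 + timedelta(minutes=11 * burst, seconds=i), "manager", False))
    # Legitimate user: one typo, then the right password.
    events.append(LoginEvent(t0 + timedelta(minutes=2), "jdoe", False))
    events.append(LoginEvent(t0 + timedelta(minutes=2, seconds=30), "jdoe", True))
    return events


def compare():
    """Run both policies over the same events and summarise what happened to 'manager'."""
    events = constructed_events()
    policies = {
        "auto_reset": LockoutPolicy(),                                              # Windows-style self-clearing
        "permanent": LockoutPolicy(reset_counter_after=None, lockout_duration=None),  # locked until helpdesk unlock
    }
    summary = {}
    for name, policy in policies.items():
        states, notes = simulate(events, policy)
        m = states["manager"]
        summary[name] = {
            "evaluated": m.evaluated,
            "rejected": m.rejected,
            "locked": m.locked_at is not None,
            "jdoe_locked": states["jdoe"].locked_at is not None,
            "notifications": notes,
        }
    return summary


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Under the self-clearing policy all 24 of the attacker’s guesses reach the password check and nobody is ever told; under the permanent policy the fifth guess locks the account, the remaining 19 are rejected unread, and the helpdesk gets one notification. The legitimate user with a single typo is untouched by both, which is the balance tip 3 is asking for.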
So, don’t let your next phone call to the EstesGroup be “help me, I got hacked!” And let our managed IT services company help you run your business better with a strong password security strategy – before the bad guys teach you a lesson.
Interested in Outsourcing your IT? Or have a question on data security? Ask us, we would love to chat.
A colleague recently recounted a story to me from his own past. It had to do with a failing business. The company had numerous issues, in the areas of acquisition and execution, of revenue and of profit. The issues had gotten so out of hand that the company was on the verge of closing its operations entirely. In a last ditch effort to turn the company around, the company’s president initiated a series of process-improvement projects. The hope was that the results of these projects would provide the necessary impetus to pull the company out of its tailspin and provide a foundation for its revitalization. Moreover, the president had democratically distributed the projects across the organization–one for each department. As we all know, projects consume resources, and not all of the selected projects were of the same potential impact to the company. As such, lower-impact projects ended up pulling away resources from some of the mission-critical areas of the business, areas that had been suffering the most. Ironically, the attempted intervention had made things worse.
In one telling instance, the HR department had been tasked with implementing a new HR management system. The HR and IT staff dutifully went through the implementation cycle, soliciting requirements, selecting software, configuring the application and converting data. Leads, supervisors, and managers spent their free time logging employee metadata into the new system. And all of this occurred while the company missed shipments, struggled with quality issues, and scrambled to get new orders, while key employees fled to their competitors. The HR department rolled out its new system shortly before the announcement that the company’s assets were being dissolved. While the company overall was a disaster, the HR project was a ringing success, and when it came time to terminate the company’s staff, they were able to use the new HR system to efficiently and effectively carry the task through to its macabre conclusion.
That is, the HR department had won the proverbial shuffleboard game on the deck of the Titanic.
In my own career, I’ve encountered a few folks who were winning deck games on a sinking ship. And like my friend’s story, the game they were winning had nothing to do with the water that the ship was taking on. This seems to be a common mistake of failing businesses in general. During good times or bad, failing businesses more often focus their efforts on the wrong areas, and because of this, the efforts of their best employees go underutilized. Failing businesses also make the mistake of democratic project selection. Instead of business planning strategies built on a hard analysis of the key pain points in the business, management adopts generic strategies that try to support the general betterment of the company, while in truth they are diluting their efforts with low-impact initiatives. Other times, failing companies exhibit the tendency to chase random rabbits down their burrows, mistaking the thrill of the chase for the value of the bounty. Quite often the least successful companies are also the nicest–they avoid stepping on toes and pointing out obvious issues. Had they been on the Titanic, they would have been the ones to reclassify the iceberg as an upright collection of water molecules and the gaping breach in the hull as an additional sprinkler system, and would have continued with their polite game on the upper deck while the water levels rose.
In looking back at these situations, it is hard not to see this as a failure of leadership. The leaders of the company are the ones who truly have the ability to steer a company in one direction or another. Often, the direction is as simple as the projects that the company chooses to execute over a given year. And the projects selected quite often have the greatest impact on the company’s ultimate destination.
But one might ask just what kind of business planning strategies separate leaders who safely pull their ships into harbor from the ones that send them to Davy Jones’ locker. While there are probably a number of reasonable answers to the above question, I would contend that the most successful managers from my own past were buoyant due, among other things, to their knowledge of their industry. The best managers obsess about the workings of their business, and the industry in which it resides, and base their business planning strategies on a vast and well-integrated understanding of the dynamics of the environment in which their company competes.
To put it simply, there is no replacement for domain knowledge. The best leaders I have worked with understand this principle. No leader is an expert in all areas, but when good leaders assume leadership of a company, they immediately dive into a phase of learning–about the business, its culture, its business climate, the market conditions, and whatever additional factors are required to allow the leader to make good decisions. And once this knowledge has been amassed, the leaders go about applying it to their business planning strategies. They make an honest assessment of the company, its opportunities, and its issues. And in response, they make decisions that drive how the company’s limited resources are to be committed, to address issues or take advantage of opportunities.
And their decisions tend to be the better ones. Far away from the shuffleboard deck, they are at the helm, altering course to avoid the bergs and burglars that would threaten their business. The worst managers I’ve encountered take the opposite approach–they tout the importance of surrounding themselves with good people, while they themselves are often missing in action, preferring instead to gallivant about town, wining and dining the city’s elite, seeking to impress when they should be impressive, seeking to woo when they should be working. While I certainly do not question the importance of a manager building a first-rate team, it takes leadership and involvement to collect, engage, and focus the individual talent in the right direction. And the inability to make good directional decisions, to guide these good people, generally results from the leader’s inadequate preparation for, or dedication to, his or her craft.
To return to the title of this post–if the captain of the ship is wasting his time winning games of shuffleboard, the crew will flounder, and ultimately, the ship will founder. So contact the EstesGroup today, and take advantage of our business process review, management, and improvement services.