Information Assurance (IA) is not an easy. Attackers continually find new and innovative ways to attack our systems and bypass the security controls that we have put in place. We put elaborate controls in place to ensure that any attacker will at least have to work in order to get into our systems only to have all of our time and effort wasted because of a default password. While default passwords are a problem for both network devices (routers, switches, firewalls, etc.) and systems, I am reserving this rant specifically for the Net Techs and the network devices that they are responsible for.
As part of each unit integrating themselves into the 52ID (NTC Operations Group) network, we review some of their router configurations. Almost always there is a default username included in those configs and more often than not, there is a well-known password hash associated with that username. What does that mean? The Net Tech never took the simple step of changing the default username/password that came with his initial configurations. This is a HUGE breach of security! For OPSEC reasons I will not include any of these default usernames or passwords in this post (we all already know what they are anyway) but if you think that the enemy has no idea what it is, a simple Google search will show it included in an Army FM among other documents.
On occasion, I will find a Net Tech who has taken the time to change the username/password on their routers only to look a little deep and still find the default combinations on their switches, firewalls, laptops, etc. The thing to remember is that any one of these devices can provide an attacker with the foothold into your network that they need in order to expand it into an area that can cause some serious issues.
So what do we do? Well, first as an absolute minimum, get rid of ALL default username/passwords across your entire network. This includes routers, switches (even the ones that aren’t in the JNN/CPN), firewalls, KVM, Call Manager, etc. Is it enough to just change the password? Well it is definitely better than nothing (assuming you change it to a strong password) but it is still much better to change the username also (this leaves an attacker having to figure out two things, and not just one).
In a perfect world, we would implement TACACS+ (Terminal Access Controller Access-Control System Plus) on all of our network devices to allow for individual logins and logging. When I was a BCT Net Tech, Cisco Access Control System (ACS) was included on the JNN management systems which included a TACACS+ server. Unfortunately, somewhere along the way this was pulled off. Another option is to implement RADIUS (Remote Authentication Dial In User Service) which allows users to authenticate against active directory when logging into a network device. While this is a pretty good option for authentication, it does nothing to help us with command authorization or logging (something that TACACS+ both allow).
The final option is to use a local username/password which can present a huge management problem. For ultimate security each user would have their own username/password on every network device but that would be nearly impossible to manage effectively. What I personally recommend is that you have a universal NETOPS username/password which is standard across all network devices and is known only to key members of the Brigade NETOPS cell. From there, a unique operator username/password is given for each node (so that the operator can login to the devices for their JNN/CPN but not another units). While this isn’t a perfect solution, it is definitely a hell of a lot better than the default username/password that I frequently see.
I’ve got a closet full of systems that hasn’t been touched in a minute and am tasked with bringing them up with no documentation. Here’s hoping those defaults work.