- January 31, 2014
- Posted by: Jonathan Shih
- Category: IT Audit & Security
Could Target have been breached by something as simple as failing to change the default vendor password on a piece of software?
According to security consultant Brian Krebs, Target failed to change the default system account (Best1_user) and password (BackupU$r) on a server that controlled other computers on the Target network (1). Changing the default vendor password is fundamental.
Information technology administrator’s looking for a great framework for managing security can use the SANS Critical Security Controls. When implemented correctly, each of these 20 controls help provide the defense in depth needed to secure the network. In this instance, control number 12 specially states “Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value” (2).
Even with Target’s mighty foot print as one of America’s largest retailers; and no doubt millions of dollars spent on IT security, a basic oversight of failing to changing a default password may be what brings them down.