Did failing to change a simple default password bring down Target?

Could Target have been breached by something as simple as failing to change the default vendor password on a piece of software?

According to security consultant Brian Krebs, Target failed to change the default system account (Best1_user) and password (BackupU$r) on a server that controlled other computers on the Target network (1).  Changing the default vendor password is fundamental.

Information technology administrators looking for a great framework for managing security can use the SANS Critical Security Controls.  When implemented correctly, each of these 20 controls helps provide the defense in depth needed to secure the network.  In this instance, control number 12 specifically states “Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value” (2).
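One way to turn control 12 into a pre-deployment gate is to audit exported credential records against a list of known vendor defaults; this is an added example, not code from the original post. The record format (host, account, salt, PBKDF2 hash), the host names and the rotated password are constructed assumptions, and the only default pair listed is the one named above.

```python
import hashlib
import hmac

# Known vendor default (account, password) pairs. The single entry is the pair
# named in the post; a real list would be built from vendor documentation.
VENDOR_DEFAULTS = [("Best1_user", "BackupU$r")]
PBKDF2_ROUNDS = 100_000  # assumption: parameter of the hypothetical export


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, the scheme assumed for the exported records."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def audit(records):
    """Return (host, account, reason) for every hash matching a vendor default."""
    findings = []
    for rec in records:
        for def_account, def_password in VENDOR_DEFAULTS:
            guess = hash_password(def_password, rec["salt"])
            if hmac.compare_digest(guess, rec["hash"]):
                same = rec["account"].lower() == def_account.lower()
                reason = "default account and password" if same else "default password reused"
                findings.append((rec["host"], rec["account"], reason))
                break
    return findings


def deployment_gate(records):
    """Allow deployment only when no stored credential matches a default."""
    findings = audit(records)
    return not findings, findings


def _rec(host, account, password, salt):
    return {"host": host, "account": account, "salt": salt,
            "hash": hash_password(password, salt)}


# Constructed inventory: host names, salts and the rotated password are made up.
SAMPLE = [
    _rec("mgmt-01", "Best1_user", "BackupU$r", b"salt-a"),      # default left in place
    _rec("mgmt-02", "Best1_user", "t9!Vq#rotated-value", b"salt-b"),  # changed
    _rec("web-01", "svc_deploy", "BackupU$r", b"salt-c"),       # default reused elsewhere
]

if __name__ == "__main__":
    ok, findings = deployment_gate(SAMPLE)
    for host, account, reason in findings:
        print(f"FAIL {host} {account}: {reason}")
    print("deploy allowed" if ok else "deploy blocked")
```

The gate also flags a default password reused on a differently named account, since the value is just as guessable there.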

Even with Target’s mighty footprint as one of America’s largest retailers, and no doubt millions of dollars spent on IT security, a basic oversight of failing to change a default password may be what brings them down.

  1. http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/
  2. http://www.sans.org/critical-security-controls/control.php?id=12
Jonathan Shih

About Jonathan Shih

Having joined O'Connor & Drew, P.C. in January of 2014, Jonathan is an IT Auditor and currently finishing his graduate work in Information Assurance at Northeastern University, Boston Mass. He also recently passed his CISA exam.


