It’s true that it’s easiest and most convenient to start using new devices or software with their default settings. But it’s not the most secure, not by a long shot. Accepting the default configuration without reviewing what it actually is could be dangerous to your company’s confidential information.
The default settings are predetermined by the manufacturer and basically put usability before all else. In the case of a router, for example, this could be a predefined password, or in the case of an OS it could be the applications that come preinstalled. The primary concern is for the ease of use when getting started with a new product, without having to perform the configuration yourself. With three or four clicks, you’re ready to enjoy the use of your new device and are probably barely aware of having accepted the default settings.
The problem is that, in many cases, the default passwords for a slew of devices (everything from routers to POS terminals) are easy to find on forums and elsewhere on the internet. Case in point: one POS manufacturer used the same password for 25 years: 166816. The credential was easy to find with a simple Google search. Any business that failed to change the password was unwittingly exposing itself and its clients to cyberattacks.
And money isn’t the only thing at stake. We need look no further than our own company’s wifi network to witness a serious potential danger, namely that the default credentials it comes with could be easily compromised. The danger is that someone from outside could connect to the corporate network and even make internal changes, possibly even locking the owners out of it. It wouldn’t take an evil genius. If your device’s default configuration hasn’t been changed, all it would take is someone with some basic technical skills and access to the Internet.
More than a password change
Any IT department in any corporate environment should be aware that changing the default settings isn’t just about changing the password. In fact, the best thing would be to personally configure all operating systems from the beginning to increase their security.
It should be up to the company, for example, which applications and programs will be installed on the devices that employees will use, removing or adding options from the predefined ones, thus avoiding any software that is not going to be used. Such software, it should be said, could also end up being an added vulnerability. If at some point the program stops receiving security updates, it could actually become a gateway for cybercriminals. If it is unnecessary, might as well get rid of it and save yourself from future hassles.
In short, any configuration that comes straight from the factory can pose a short- or medium-term risk for companies. The best thing to do is to create a customized configuration with which security and protection against possible attacks remains in the hands of the company’s IT experts.
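The three checks described above (factory credentials still in place, software the company never approved, and software that no longer receives security updates) can be run as a routine audit over a device inventory. The following is an added example, not code from the original article; the device names, roles, package names and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical baseline: software IT approves per device role, mapped to the
# date vendor security updates end (None = still supported).
BASELINE = {
    "pos-terminal": {"pos-app": None, "av-agent": None},
    "workstation": {"office-suite": None, "av-agent": None,
                    "legacy-vpn": date(2020, 1, 31)},
}

@dataclass
class Device:
    name: str
    role: str
    credentials_changed: Optional[date]  # None = factory credentials still set
    installed: tuple

# Constructed sample inventory.
INVENTORY = [
    Device("till-01", "pos-terminal", None, ("pos-app", "av-agent", "trial-game")),
    Device("ws-07", "workstation", date(2023, 3, 1), ("office-suite", "legacy-vpn")),
    Device("ws-08", "workstation", date(2023, 3, 1), ("office-suite", "av-agent")),
]

def audit(device: Device, today: date) -> list:
    """Return the findings for one device against its role baseline."""
    findings = []
    if device.credentials_changed is None:
        findings.append(f"{device.name}: factory-default credentials never changed")
    approved = BASELINE.get(device.role)
    if approved is None:
        findings.append(f"{device.name}: no baseline defined for role '{device.role}'")
        return findings
    for pkg in device.installed:
        if pkg not in approved:
            findings.append(f"{device.name}: '{pkg}' is not in the approved baseline")
        elif approved[pkg] is not None and approved[pkg] < today:
            findings.append(f"{device.name}: '{pkg}' no longer receives security updates")
    return findings

def audit_all(inventory, today: date) -> list:
    """Flatten the findings for every device in the inventory."""
    return [finding for device in inventory for finding in audit(device, today)]

if __name__ == "__main__":
    for line in audit_all(INVENTORY, date(2024, 1, 1)):
        print(line)
```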
The post Default Settings, and Why the Initial Configuration is not the Most Secure appeared first on Panda Security Mediacenter.