Default Security Settings, What Needs to Change?
Today, news agencies and outlets are reporting Information Technology (IT) breaches and loss of protected data at alarming rates. The centerpiece of these breaches, after months of forensic analysis, has been a lack of following IT industry accepted security best practices. Should manufacturers of IT products, both software, and hardware, follow these industry best practices by releasing secure products? Manufacturers need to start designing security in their products from the beginning of the development cycle and not as an afterthought. There are too many products with default security installations that are not secure, leaving those products prone to attack by hackers, misuse of personal data and loss of financial resources.
The current IT market is leading to an increase of Internet of Things (IoT), these are small devices that can control or interact with their environment and include devices from stoves, toothbrushes, thermostats, light bulbs and many more. These devices all contain an operating system of some degree to provide the functionality of the device. However, these systems ship with default settings to allow them to easily connect to the network infrastructure. This is where the problem starts, most of these devices have limited security or no security settings available to secure them from compromise. Recently, hackers managed to a steal a casinos high-roller database by connecting to an IoT fish tank thermostat, that had limited, or no security configured. Once they connected to the device they used the thermostats network connection to further infiltrate the network, until they managed to locate a prized resource, in this case, the database of high-rollers (Miley, 2018).
More and more devices are being designed with internet connectivity to provide additional functionality, reporting, and monitoring capabilities. Although these devices are becoming more integrated into everyday use, many also provide life-saving functions. A recent article by Information Age (Grimm, 2017), addressed the need for security to be addressed from the beginning of the design cycle of these products and not as an afterthought. It highlights the need of securing these devices from the beginning of the design process, as once deployed it is extremely difficult to implement security, to change, update or apply patches to decrease the vulnerabilities that could allow breaches. The article also outlined that approximately half a million patients were urged to visit their doctors to get firmware updates for their pacemakers due to security vulnerabilities, that could have lead to loss of life. Experts are forecasting that growth of IoT devices could reach as high as 30 billion devices in the next few years. There is a growing shift in the consumer marketplace to implement devices that, at least contain some basic security to help decrease the potential use of these devices in cyber-attacks this shift is being led by the consumer of the product and not the manufacturer. These vendors can incorporate some basic settings to prevent them from being exploited, depending on the device, such as connectivity limits to sites on the internet, enforcement of changing the default password as part of the deployment process to list but a few. This will help to secure and prevent the compromise of those devices from hackers.
Companies and home users alike, need to follow IT accepted best practices when deploying connected hardware or software in their networks. The basic settings need to be changed from the defaults like the administrative account password or the deployment of and maintaining vendor-released patches in a timely manner. Changing the name of the Service Set Identifier (SSID), and not to broadcast the name of wireless networks, limiting the connections to only listed devices, and the need to authentication using security certificates or centrally managed user and device accounts. 143 million financial records of United States, Canadian and British citizens were compromised. These records contained Personal Identifiable Information (PII), such as Name, Address, Social Security numbers, and Birth dates. This information can then be used to steal the identity of those individuals, open financial accounts, use existing credit cards for fraudulent purchases to list a few. This breach occurred because the financial reporting company Equifax failed to apply a vendor-released patch in a timely manner (Popken, 2017). This breach was not a single isolated event either, the results of the breach investigation also noted that a website, that should have been accessible to employees of the company on an internal site, was hosted on the public internet. This site is used to view, dispute and verify, the information contained in the individual credit reports, was secured with a default user account and password combination of “admin/admin” (Franck, 2017). Had Equifax followed IT best practices of applying vendor-released patches and securing website access, the breach and loss of data records would have been greatly reduced.
In the home users market, vendors ship hardware products with default settings, this allows for easy deployment from third-party technicians. The technicians that implement these devices, such as Wi-Fi routers, routinely have the defaults still applied after being installed in the consumers’ location. Some of these can allow attackers to compromise the home users network and expose PII or other confidential information. The default installation settings are not that difficult to figure out, access to the Internet and a search engine and those settings are revealed (Whitney, 2016). There are many sites that contain a database of hardware devices default configuration settings, accounts, and passwords. Some hardware manufacturers even host a site that allows an individual to see what specific settings are available on those devices, Linksys hosts a site that simulates all their devices (Linksys, 2017). Corporations and home users need to follow IT best practices and security settings when deploying IT devices in the network and changing those settings from the defaults, including vendor patch management. This will assist in decreasing the potential amount of breaches and data loss overall.
The loss of economic resources can be both great and difficult to calculate. The credit card industry faces many challenges, those challenges can be breaches from both being the issuing entity of the credit card or the processor of the transactions on behalf of the merchant or individual user. The cost of breaches can be significant and can range from less than a dollar to more than a few hundred dollars per record, all depending on the type of record compromised. Leading security experts outline the need for understanding, following, and implementing IT security best practices to help mitigate the impact of data breaches. The economic impact from a breach can be difficult to measure as the loss of financial resources to both the affected company and the individual that had their information used in a fraudulent manner can be numerous and ongoing. The current US credit card industry works in a four-party or three-party network for processing the credit card transactions. This model outlines the basic relationship with the credit card brand, the issuer bank, the consumer, the acquirer bank, and the merchant (Opderbeck, 2016, volume 75, number 4).
In which at any point in the transaction there is a potential for a data breach and economic loss. The merchant relies on both the issuer and acquirer banks for processing and transferring the funds in a secure manner. PCI DSS is a standard that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) to ensure that all companies that accept, process, store and transmit credit card information maintain a secure environment (PCI Compliance Guide , 2018). The penalties for non-compliance of the PCI DSS on an acquiring back can range from $5,000 to $100,000 per month of PCI compliance violation. The PCI DSS defines who each entity in the transactions are and the responsibility to secure the processing of data by each. The remaining entity that possesses another considerable risk, is the individual issued card itself. The card is typically used in a swipe card reader, this reads the card’s information that is stored on the magnetic stripe on the backside of the card, such as account information, expiration date, and full name. Since this information is stored in a magnetic stripe it can be easily copied by use of a skimmer. A skimmer is a device that resembles both the card slot and the keypad at credit card use locations like ATMs, gas station pumps and Point of Sale terminals. These skimmers record the magnetic stripe information and the associated pin, via the keypad (Krebs, 2018). The threat actors can then take that information and apply it to bogus cards that just contain a magnetic stripe and use it as if it were a normally issued card. The credit card corporations can follow the PCI DSS standard and be compliant and yet still fall victim to economic loss due to a failure at the individual card level. The challenges to credit card corporations and the economic loss can be great, this makes it difficult to calculate the total loss.
As news agencies and news outlets continue to report on IT breaches and loss of protected data, corporations and users need to start following IT security best practices and securing the data and the devices being used. Manufactures of IT products, both software, and hardware, need to start adhering to industry best practices by releasing products already in a secured state. This will make it more difficult for hackers to attack and compromise devices, limit the misuse of personal data and a reduction in economic loss.
Franck, T. (2017, September 14). Equifax used the word 'admin' for the login and password of a database. Retrieved from CNBC: https://www.cnbc.com/2017/09/14/equifax-used-admin-for-the-login-and-password-of-a-non-us-database.html
Grimm, J. (2017, December 13). The Future of the 'Internet of Things' Security Issues. Retrieved from Information Age: http://www.information-age.com/future-internet-things-security-issues-123470014/
Krebs, B. (2018). All About Skimmers. Retrieved from KrebsonSecurity: https://krebsonsecurity.com/all-about-skimmers/
Linksys. (2017). All UI Simulators. Retrieved from Linksys: http://ui.linksys.com/
Miley, J. (2018, 04 16). A Casino's Database was Hacked through a Smart Fish Tank Thermometer. Retrieved from Interesting Engineering: https://interestingengineering.com/a-casinos-database-was-hacked-through-a-smart-fish-tank-thermometer
Opderbeck, D. W. (2016, volume 75, number 4). CYBERSECURITY, DATA BREACHES, AND THE ECONOMIC LOSS DOCTRINE IN THE PAYMENT CARD INDUSTRY. Maryland Law Review, p935-983.
PCI Compliance Guide. (2018). PCI FAQs. Retrieved from PCI Compliance Guide Org: https://www.pcicomplianceguide.org/faq/
Popken, B. (2017, September 14). Equifax Hackers Exploited Months-Old Flaw. Retrieved from NBC News: https://www.nbcnews.com/business/consumer/how-did-equifax-hack-even-happen-n801331
Whitney, L. (2016, September). How to Access Your Wi-Fi Router's Settings. PC Magazine, pp. 139-142.