Why Do I Need To Change Factory Default Passwords On Hardware And Software?

    There are several reasons why you need to rotate the factory-supplied credentials for your tech, and we are going to go into the most common reasons here.

    Changing manufacturer- and developer-supplied passwords is considered a best practice. It is also a requirement in many compliance frameworks, PCI DSS among them (Requirement 2.1 in PCI DSS v3.2.1, to be exact: always change vendor-supplied defaults and remove or disable unnecessary default accounts before putting a system on the network). The PCI Security Standards Council even has a handy PDF that goes over all this.

    Change Manufacturer Passwords Because Hackers Are Lazy

    As I have mentioned in previous posts, hackers are lazy. Their reconnaissance phase, as well as the initial attack phase, is scripted so they can compromise as many hosts as possible at scale. If an attacker sweeps your network and discovers you are running a FortiGate 70F firewall, they can script that model into their attack, and the default credentials are one Google search away. It used to be admin/fortinet, but current units ship as user: admin, password: <no password>. Make sure you change this to a strong, unique password, rotate it on a regular basis, and disable or remove any default accounts you don't actually need.
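The defensive mirror of the sweep described above is to run the same lookup against your own inventory before the attacker does. The following is an added example, not code from the original post: a small Python audit that flags devices still on factory defaults, passwords below a minimum policy, and overdue rotations, and generates a replacement password. The default-credential table, the inventory records, the 90-day rotation interval and the 16-character minimum are all constructed or assumed for illustration; the only default taken from the post is the FortiGate admin account with a blank password.

```python
"""Default-credential and rotation audit over a device inventory.

Added example, not code from the original post. The inventory and the
default-credential table are constructed for illustration; in practice you
would load the inventory from a password-manager or CMDB export and fill the
table from vendor documentation.
"""
import secrets
import string
from datetime import date, timedelta

# Constructed table: (vendor, product) -> set of default (username, password).
# The FortiGate entry is the blank admin password the post describes; the
# "ExampleCo" entries are made up to show multiple candidates per product.
DEFAULT_CREDENTIALS = {
    ("fortinet", "fortigate"): {("admin", "")},
    ("exampleco", "switch"): {("admin", "admin"), ("admin", "password")},
}

ROTATION_INTERVAL = timedelta(days=90)  # assumed policy; tune to your framework
MIN_LENGTH = 16                         # assumed policy
REFERENCE_DATE = date(2024, 6, 1)       # fixed "today" so the sample run is reproducible


def is_default(vendor, product, username, password):
    """True if the pair matches a known factory default for this product."""
    defaults = DEFAULT_CREDENTIALS.get((vendor.lower(), product.lower()), set())
    return (username.lower(), password) in defaults


def is_weak(password):
    """Minimal policy: minimum length plus at least three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return len(password) < MIN_LENGTH or classes < 3


def rotation_overdue(last_rotated, today):
    """Never-rotated credentials count as overdue."""
    return last_rotated is None or today - last_rotated > ROTATION_INTERVAL


def generate_password(length=24):
    """Cryptographically random password that satisfies is_weak().

    Narrow the alphabet if a device rejects some punctuation characters.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


def audit(inventory, today=None):
    """Return [(host, [problem, ...]), ...] for every record with a finding."""
    today = today or date.today()
    findings = []
    for dev in inventory:
        problems = []
        if is_default(dev["vendor"], dev["product"], dev["username"], dev["password"]):
            problems.append("factory default credentials")
        elif is_weak(dev["password"]):
            problems.append("password below policy")
        if rotation_overdue(dev.get("last_rotated"), today):
            problems.append("rotation overdue")
        if problems:
            findings.append((dev["host"], problems))
    return findings


# Constructed inventory, shaped like a password-manager export.
INVENTORY = [
    {"host": "fw-edge-1", "vendor": "Fortinet", "product": "FortiGate",
     "username": "admin", "password": "", "last_rotated": None},
    {"host": "sw-lab-2", "vendor": "ExampleCo", "product": "Switch",
     "username": "admin", "password": "Summer2023", "last_rotated": date(2023, 1, 10)},
    {"host": "sw-core-1", "vendor": "ExampleCo", "product": "Switch",
     "username": "netops", "password": "q7$Vb2!kLm9#Rt4pXz1w", "last_rotated": date(2024, 5, 1)},
]


def audit_sample():
    """Run the audit over the constructed inventory at the fixed reference date."""
    return audit(INVENTORY, today=REFERENCE_DATE)


if __name__ == "__main__":
    for host, problems in audit_sample():
        print(f"{host}: {', '.join(problems)}")
    print("replacement password for fw-edge-1:", generate_password())
```

On the constructed inventory the audit flags fw-edge-1 for factory defaults and a never-rotated credential, flags sw-lab-2 for a short password and an overdue rotation, and passes sw-core-1. The username comparison is case-insensitive while the password comparison is exact, since many appliances treat the two differently; extend DEFAULT_CREDENTIALS with every product you run, because that is exactly the table the attacker's script already has.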

    Don't give hackers an easy win. Sometimes the best strategy is simply to slow them down: a scripted sweep that finds no default credentials moves on to the next target, and that alone keeps casual hackers from wandering into your network.

    Education Is A Case Study In Insider Threats

    Kids will do anything to circumvent content filters and cause all manner of digital mischief. Some of the most hostile environments for IT assets are schools. Kids can quickly figure out what you are running and google the default credentials for those items. We have some clients in education, and security is a constant arms race as kids find ways around common security measures. Ensure every device on your school's network has a strong, unique password that is rotated regularly.

    Cyber Insurance Is Picky About Paying Claims

    Cyber insurance companies are like car insurance companies. You pay a premium so that if you do get into an accident (or get hacked), someone else covers your damages. Insurance companies don't make money paying out claims; they make it by collecting premiums, so paying out as few claims as possible is in their best interest. Not unlike a car accident, when you get hacked they send out an adjuster. That adjuster has an audit toolkit and a checklist of 100+ items to go through. If anything in the kill chain, or on the network as a whole, is still running default credentials, they have substantial grounds to deny the claim and to argue in court that they don't need to pay it. This can be a double whammy: if the breach triggers a lawsuit by the users or customers whose information you were trusted to keep safe, you could also be found liable in court. So not only is your cyber insurance not paying out damages, you have to reach into your own pocket to satisfy any damages incurred by users of your network or service.