Spohn & Associates Blog
Who watches the watchers?
Who is logging in to watch the systems that watch your systems?
Nothing happens on your network or around your building that you don’t know about. You have state-of-the-art network monitoring. You have intrusion prevention systems scanning packets as they dart across the wire (or the wireless). Cameras and DVRs track motion around your entrances. And the best part, you report, is that the data is instantly accessible online, so your security personnel and network managers always know what is going on.
As do the hackers and criminals who are also tuning into your monitoring systems….
When I perform network security assessments, I always get a small thrill when I come across the website for a security camera, a network monitoring program, or – best of all – the control interface for HVAC, lighting, and building security. It is genuinely fun, I have to admit, to test out a few logins and find out that the “guest” account is still enabled and I can see all your routers, download device information and create a nice map of your network. But it is even better when the vendor or developer has left the “test” account enabled. Now I am logged in as “test” (it didn’t take long to guess the password; what do you think it was?). I don’t have full super-user control, but I can turn off the lights in the school gymnasium. Wow. If only I had this power when I was in high school. Of course, one of the students at the high school will probably figure this out too.
Yes, web management consoles are wonderful things. Make sure yours is fully secured. It should be reachable only from specific IP addresses. It should require a secure SSL login (over HTTPS, not HTTP). Why not also use two-factor authentication? (It can’t hurt, and your network manager gets to carry around an RSA password token, which is just plain cool.) Disable all the default accounts, like “guest.” Disable test accounts. Review every existing account that has access to the controls for your network, security and infrastructure. Who is logging in to watch the systems that watch your systems?
Oh yeah, and the password for the “test” account was… “test.”
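To actually answer “who is logging in?”, the console’s login log can be checked against the controls above. The following is an added example, not code from the original post or from any vendor’s product: it assumes a hypothetical, constructed log format (timestamp, scheme, user, source IP, result) and a hypothetical management network range, and it flags successful logins by default or test accounts, logins over plain HTTP, and logins from outside the allowed range.

```python
import ipaddress
import re
from collections import Counter

# Accounts that vendors commonly ship enabled and that the post says to disable.
DEFAULT_ACCOUNTS = {"guest", "test", "admin", "default"}
# Hypothetical management network from which console logins are expected.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines: "timestamp scheme user source_ip result" (not a real product's format).
SAMPLE_LOG = """\
2024-03-01T08:01:12Z https netops 10.20.0.15 success
2024-03-01T08:05:43Z http guest 203.0.113.9 success
2024-03-01T08:06:02Z https test 198.51.100.7 failure
2024-03-01T08:06:05Z https test 198.51.100.7 success
2024-03-01T09:10:00Z https netops 10.20.0.15 success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<scheme>https?) (?P<user>\S+) (?P<src>\S+) (?P<result>success|failure)$"
)


def audit_logins(log_text, allowed_nets=ALLOWED_NETS, default_accounts=DEFAULT_ACCOUNTS):
    """Return (timestamp, user, source, reasons) for every successful login that violates a control."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production audit would count and report these too
        ts, scheme, user, src, result = m.group("ts", "scheme", "user", "src", "result")
        if result != "success":
            continue  # failed attempts are worth alerting on, but this audit is about who got in
        reasons = []
        if user.lower() in default_accounts:
            reasons.append("default/test account still enabled")
        if scheme != "https":
            reasons.append("login over plain HTTP")
        if not any(ipaddress.ip_address(src) in net for net in allowed_nets):
            reasons.append("source outside the allowed management range")
        if reasons:
            findings.append((ts, user, src, reasons))
    return findings


def summarize(findings):
    """Count flagged logins per account: the list of names to disable or investigate."""
    return Counter(user for _, user, _, _ in findings)


if __name__ == "__main__":
    flagged = audit_logins(SAMPLE_LOG)
    for ts, user, src, reasons in flagged:
        print(f"{ts} {user}@{src}: {'; '.join(reasons)}")
    print(dict(summarize(flagged)))
```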
Figure 1: Network Management Console
Figure 2: Infrastructure Controls - Lighting
Miriam Levenstein, CISSP, CISA, CBCP
Spohn Consulting