306 CHAPTER 11 Common Pitfalls and Mistakes

Default Accounts and Passwords

The use of default accounts and passwords is common and dangerous. The initial stages of most attacks involve the enumeration of legitimate system and user identities, a process that is necessary to determine vulnerabilities so that an exploit can be attempted (see Chapter 6, "Vulnerability and Risk Assessment"). If the username and password of a system are already known, the attacker, whether an outside entity or an internal user, can simply and easily authenticate, often with administrative privileges, since most default accounts exist for the purpose of initial setup and configuration of other user accounts. Regardless of how secure the system is otherwise, the system is now highly vulnerable and at risk: security configurations can be altered to allow broader access, software can be installed, new accounts can be created, etc. In essence, a successful administrative login to any system is the end game of most hacking attempts.

The use of default passwords, or to a lesser degree weak passwords, is therefore a primary concern. A quick search on the web will provide most default passwords, as well as sites that specifically track and document default credentials, making them easy to obtain.[4] However, these default password lists can be used for benevolent intent as well. The solution is simple: disable all default accounts where possible, and require unique user accounts with strong credentials. Unfortunately, unless the device in question enforces strong password controls, it is difficult to ensure that all unique user accounts will use strong passwords. Luckily, both default and weak passwords are easy to detect. By using these sources the same way a hacker would, it is possible to define a blacklist of known default passwords, which can then be used by various security products to detect when a default password is in use.
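The blacklist check described above, combined with the strong-password regular expression given in the next paragraph, implemented as a small audit routine. This is an added example, not code from the book; the $defaultPasswords list is a constructed stand-in, and the classify/audit function names are assumptions.

```python
import re

# Strong-password rule from the text: at least 8 characters, at least one digit,
# one lowercase letter, one uppercase letter, and no whitespace (lookaheads).
STRONG_PASSWORD_RE = re.compile(r"^(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$")

# Constructed blacklist standing in for $defaultPasswords; a real one would be
# populated from vendor documentation and published default-credential lists.
DEFAULT_PASSWORDS = frozenset({
    "admin", "password", "Password1", "Admin123!", "changeme", "1234",
})


def is_weak(password: str) -> bool:
    """True when the password fails the strong-password regular expression."""
    return STRONG_PASSWORD_RE.match(password) is None


def is_default(password: str) -> bool:
    """True when the password appears in the default-password blacklist."""
    return password in DEFAULT_PASSWORDS


def classify(password: str) -> str:
    """Mirror the detection signature: alert when the password is weak OR default.

    Returns 'default', 'weak', or 'ok'. A vendor default such as 'Admin123!'
    satisfies the regex, so the blacklist is checked first; the regex alone
    would let it through, which is why the signature needs both conditions.
    """
    if is_default(password):
        return "default"
    if is_weak(password):
        return "weak"
    return "ok"


def audit(accounts: dict) -> list:
    """Run the signature over username -> password pairs and return alerts."""
    alerts = []
    for user, pw in accounts.items():
        verdict = classify(pw)
        if verdict != "ok":
            alerts.append((user, verdict))
    return alerts


if __name__ == "__main__":
    # Constructed sample of accounts as read from a device configuration.
    sample = {"admin": "Admin123!", "operator": "plc2024",
              "hmi": "Hist0rian!", "svc": "no spaces Ab1"}
    for user, verdict in audit(sample):
        print(f"{user}: {verdict}")
```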
Weak passwords can also be easily detected using regular expressions. For example, the following regular expression checks for a password that is a minimum of eight characters, with at least one uppercase letter, one lowercase letter, and one number.[5]

^(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$

Applied as a detection signature, the following might be used to detect either weak passwords or default passwords:

((password !~ /^(?=.{8,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?!.*\s).*$/) || (password in $defaultPasswords))

Whatever measures are taken to eliminate default passwords and enforce strong password use, establishing unique and strongly authenticated accounts is one of the most basic and necessary steps in securing any network.

Lack of Outbound Security and Monitoring

It is easy to think of an "attack" as an inbound event: someone is attempting to break into the industrial network from "the outside." However, as shown in Chapter 7, "Establishing Secure Enclaves," there are many access control points to consider, and the "outside" of one enclave may be the "inside" of another. In addition, there