Sometimes organizations have legitimate reasons to opt against patching their systems.
Many industrial applications still in use were written for older operating systems. These may not function on current versions or after patches are applied.
Computers onboard commercial shipping vessels or in manufacturing plants are notorious examples.
However, if those devices are properly isolated by geography (middle of the ocean) or technically (isolated network), then an organization might justify the risk to cybersecurity.
Still, many organizations take unnecessary risks that could easily be eliminated.
Let’s break them down.
Shared Passwords Are a Recipe for Disaster
In a recent real-world example, one compliance executive tried justifying the use of the same password on nearly every computer in their office, with the exceptions being the computers used for compliance, accounting, and the CEO.
As a compliance officer, this executive needed access to every computer, and claimed that users only logged into their computers as if they were dumb terminals, to reach a third-party vendor’s system. In theory, then, no regulated data should exist on the endpoint computer.
This practice directly violates both the regulation of access and basic cybersecurity standards.
Unfortunately, this executive was so focused on making things easy for themselves that they intentionally ignored the threat.
However, this particular need could easily be met in a secure way.
Assessing the Hazards & Vulnerabilities
Begin with a quick overview of the cybersecurity issues involved.
If computers share the same password, once a malicious actor has access to one, then they essentially have access to all.
If a computer is completely isolated from the rest of the network, then an attacker may be limited in their ability to navigate to other machines remotely.
In this scenario, was that the case? No: all of the machines were on a single network.
If user privileges were tightly locked down, then users would be unable to attach USB drives, install software, or download data.
Was that the case? No: the users had broad permissions.
If the organization monitored for the installation of hacking tools, such as keyloggers or network traffic sniffers, then perhaps a hacker’s presence could be easily detected and stopped.
Was that the case? You probably guessed the answer – no.
Even if the compliance officer’s assumption was correct, and there was no data on the endpoint computer, they were still wrong about not needing to secure the endpoint.
Without any of the three simple cybersecurity defenses mentioned above, a malicious actor could easily gain access to one computer and navigate to any other computer on the network.
From there, they could install hacking tools to capture user credentials for the third-party software, and start working to attack the other three computers on the network that did not have shared passwords.
Perhaps the executive assumed that no one would guess that all the machines shared a password?
Unfortunately, hackers don’t bother to guess; they run credential-stuffing programs and let the software do the hard work.
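The monitoring defense described above can be made concrete with a small check. The following is an added example, not code from the original post: it flags accounts that sign in interactively on many different hosts, which is exactly how one password shared across an office shows up in Windows Security logs (event ID 4624). The account names, host names, threshold, and the 4624 field positions used in the commented live-collection snippet (Properties[5] for the account, Properties[8] for the logon type) are assumptions for this illustration.

```powershell
# Added example (not from the original post): report accounts that log on
# interactively on more hosts than any one person should need.
# Account names, host names and the threshold below are constructed placeholders.

function Get-SharedAccountCandidates {
    param(
        # Records with Account, Host and LogonType properties.
        [Parameter(Mandatory)] [object[]] $LogonEvents,
        # Report accounts seen on more than this many distinct hosts.
        [int] $HostThreshold = 2
    )
    # Logon type 2 = console logon, 10 = remote desktop. Network logons
    # (type 3) are excluded because ordinary file-share access would add noise.
    $LogonEvents |
        Where-Object { $_.LogonType -in 2, 10 } |
        Group-Object -Property Account |
        ForEach-Object {
            $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
            [pscustomobject]@{
                Account   = $_.Name
                HostCount = $hosts.Count
                Hosts     = ($hosts | Sort-Object) -join ', '
            }
        } |
        Where-Object { $_.HostCount -gt $HostThreshold } |
        Sort-Object -Property HostCount -Descending
}

# Constructed sample records standing in for parsed 4624 events.
$sample = @(
    [pscustomobject]@{ Account = 'office'; Host = 'WS01';          LogonType = 2 }
    [pscustomobject]@{ Account = 'office'; Host = 'WS02';          LogonType = 2 }
    [pscustomobject]@{ Account = 'office'; Host = 'WS03';          LogonType = 2 }
    [pscustomobject]@{ Account = 'office'; Host = 'WS04';          LogonType = 10 }
    [pscustomobject]@{ Account = 'jdoe';   Host = 'WS05';          LogonType = 2 }
    [pscustomobject]@{ Account = 'jdoe';   Host = 'FS01';          LogonType = 3 }   # file share, ignored
    [pscustomobject]@{ Account = 'alee';   Host = 'PC-COMPLIANCE'; LogonType = 2 }
)

Get-SharedAccountCandidates -LogonEvents $sample | Format-Table -AutoSize

# Against live data, build the same records from Security events forwarded to a
# collector (assumed field positions: Properties[5] = account, Properties[8] = logon type):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object {
#         [pscustomobject]@{
#             Account   = $_.Properties[5].Value
#             Host      = $_.MachineName
#             LogonType = [int]$_.Properties[8].Value
#         }
#     }
```

With the constructed sample, only the shared office account is reported, because it is the one account that appears on more than two hosts; the per-person accounts stay below the threshold. The threshold is deliberately low for a small office and should be raised for roaming staff or shared kiosks that are meant to be shared.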
A Simple Solution Without the Risk
How could this be avoided?
A directory service, such as Microsoft’s Active Directory, can be configured at minimal cost to resolve the problem securely.
Each employee would have completely unique credentials while still having access to any machine on the network.
To protect the three special computers in the office (compliance, accounting, CEO), other users could be blocked from those machines or given only restricted access to them.
The executives could be granted a higher level of access, so that their permission set also includes the ability to view the information of lower-permission users.
The executive could have their access without compromising the organization’s cybersecurity.
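One way to put the Active Directory solution above into practice, as an added example that is neither code from the original post nor vendor documentation: create one domain account per person, put the few people who need the sensitive workstations into a security group, and restrict the "Allow log on locally" and "Allow log on through Remote Desktop Services" rights on those three machines to that group plus local Administrators. The domain name, OU paths, user names, computer names, and the group name are assumed placeholders.

```powershell
# Added example (not from the original post or any vendor documentation).
# Domain name, OU paths, user names and computer names are assumed placeholders.
Import-Module ActiveDirectory

$staffOU   = 'OU=Staff,DC=corp,DC=example'
$groupsOU  = 'OU=Groups,DC=corp,DC=example'
$sensitive = @('PC-COMPLIANCE', 'PC-ACCOUNTING', 'PC-CEO')   # the three special machines

# 1. One account per person. The initial password is typed once and must be
#    changed at first logon, so no two people ever share a credential.
$staff = @(
    [pscustomobject]@{ Name = 'Jane Doe';   Sam = 'jdoe';  Sensitive = $false }   # general staff
    [pscustomobject]@{ Name = 'Ann Lee';    Sam = 'alee';  Sensitive = $true  }   # compliance officer
    [pscustomobject]@{ Name = 'Maria Cruz'; Sam = 'mcruz'; Sensitive = $true  }   # accounting
)
foreach ($p in $staff) {
    $initial = Read-Host -AsSecureString "Initial password for $($p.Sam)"
    New-ADUser -Name $p.Name -SamAccountName $p.Sam `
        -UserPrincipalName "$($p.Sam)@corp.example" -Path $staffOU `
        -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
}

# 2. A security group for the people allowed on the sensitive workstations.
#    Everyone else already reaches the general workstations as a Domain User.
New-ADGroup -Name 'Sensitive-Workstation-Users' -GroupScope Global -GroupCategory Security -Path $groupsOU
Add-ADGroupMember -Identity 'Sensitive-Workstation-Users' `
    -Members ($staff | Where-Object { $_.Sensitive } | ForEach-Object { $_.Sam })

# 3. On the three sensitive machines, limit console and Remote Desktop logon to
#    local Administrators (S-1-5-32-544) plus that group. secedit applies a
#    security template; the same two settings can be pushed by a domain Group
#    Policy instead, which is the better choice once many machines are involved.
$groupSid = (Get-ADGroup -Identity 'Sensitive-Workstation-Users').SID.Value
Invoke-Command -ComputerName $sensitive -ScriptBlock {
    param($groupSid)
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{0}
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*{0}
'@ -f $groupSid
    $inf = Join-Path $env:TEMP 'logon-rights.inf'
    $db  = Join-Path $env:TEMP 'logon-rights.sdb'
    Set-Content -Path $inf -Value $template -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
} -ArgumentList $groupSid
```

Adding a person to the group later (for example the CEO) is the only change needed to grant them the sensitive machines; removing them revokes it without touching any password. The compliance executive keeps access to every machine by being in the group, which is the "higher level of access" the text describes, while ordinary staff can no longer sign in to the three protected computers at all.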
The ease with which an effective solution can be deployed only highlights the risk an organization takes by not doing so.
In nearly every breach, investigators find simple safeguards that were known about and actively ignored.
Talk to an Expert
Not all vulnerabilities are so easy to solve.
Legacy medical devices may be hard-coded with the same username and credential for all devices. Budget constraints may mean healthcare organizations are unable to afford replacements.
Here, a simple fix does not apply and extra effort must be performed at the network level to provide cybersecurity.
Network segmentation, virtualized devices, SD-WAN, and other technologies can be applied to build solutions that compensate for vulnerabilities that cannot be fixed directly, in a safe, secure, and compliant manner.
Answers start with open communication between IT experts and business management, to ensure solutions that match business needs with the available budget. Contact us at Ideal Integrations at 412-349-6680 or fill out the form below.
Our IT experts will help your organization stay safe and secure, 24/7/365!