PCI-DSS is a pain in the backside. There: you think it, I said it. However, it’s also got some good stuff that’s not just useful for protecting card numbers, but general network security best practice. One example is the requirement that you change the default passwords and disable guest accounts on network devices. Sounds obvious, right? So how come there have been two stories just this week reminding us that weak passwords are still the main route in for hackers? Rapid7 looked at the standard passwords used by hackers when scanning for vulnerabilities, and Schneider Electric sent out a security bulletin reminding users of its door control system to change their default credentials. Door control. Weak passwords in a door control system is a lot like leaving the master key under the welcome mat. You’d think we’d got past that stage, wouldn’t you?
So today’s call to action is to ask your IT department to confirm that:
- They’ve changed the default passwords on all network connected devices
- They’ve disabled all guest accounts
- Wherever possible they have renamed or replaced the default administration account with an account with a less obvious name – or better, that they’re using individual administration accounts that can be traced back to each user.
When you’ve done that, why don’t you have a look at the PCI-DSS standard? If you’re not a techie, just ignore the gobbledegook and look at the policies and procedures they require. It’s a very focused standard – they don’t really care if you leak every piece of personally-identifiable information you hold about your customers, provided their credit card number isn’t included – but much of what it suggests has wider application, so it’s worth reading even if you don’t take credit cards.
A bigger picture 