3 Tales of Systems Architecture Dilemmas

13.05.2009

Here are a couple of examples of a problem that I have seen many times: Company X has no experience with storage area networks, but due to an ever-expanding need for disk space, they buy one. Since they have no one who understands the intricacies of SANs, and the vendor insists on performing the install anyway, the vendor installs the system. Typically, vendors leave it to the customer to set user IDs and passwords on the systems that they install. The customer rarely follows up on that, and the result is a mission-critical device with default factory credentials. I have seen this exact scenario played out many times on very critical systems. A malicious person could destroy LUNs, erase data, and cause all kinds of problems.

The same scenario applies to uninterruptible power supply systems. Not long ago we were assessing a large government entity that has spared no expense on IT security; they had one of the most secure systems I have ever seen. A few months prior to our assessment, they had a contractor replace all of their UPS systems, including the ones that ran all of their critical servers in their main computer facility. The contractor had connected these UPS systems to the network so that they could be remotely administered and monitored. I have a screenshot in the report to the customer showing us logged into the web interface (with admin rights using the out-of-the-box credentials) and the mouse cursor hovering over the SHUTDOWN button. That got their attention.

The solution?

1. Perform regular port scans for web servers/interfaces.
2. If the web interface is unnecessary, shut down the service.
3. If it is needed:
   - Change the credentials
   - Use https if at all possible
   - Limit access to the interface to only authorized admin workstations
   - Add firewall restrictions
   - Monitor logs
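As an added example (not part of the original post), one way to act on the regular port scans: the Python script below parses nmap grepable (`-oG`) output and flags web interfaces that are missing from an approved inventory, or that are approved but still served over plain HTTP. The sample scan, the addresses, the `APPROVED` inventory and the function names are constructed for illustration.

```python
"""Audit port-scan results for management web interfaces (added example)."""
import re

# Constructed sample of `nmap -oG` output; hosts and addresses are made up.
SAMPLE_SCAN = """\
Host: 10.0.5.20 (san-ctl1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.5.31 (ups-dc1)\tPorts: 80/open/tcp//http///, 161/closed/tcp//snmp///
Host: 10.0.5.40 (ups-dc2)\tPorts: 443/open/tcp//https///\tIgnored State: closed (998)
"""

# Hypothetical inventory: web interfaces the admins decided are needed (host, port).
APPROVED = {("10.0.5.20", 443), ("10.0.5.40", 443)}

# Service names as nmap reports them; extend these sets for your environment.
WEB_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy"}
TLS_SERVICES = {"https", "https-alt"}


def parse_grepable(text):
    """Yield (ip, port, service) for every open TCP port in nmap -oG output."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue  # status lines and comments carry no port list
        ip = m.group(1)
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open" and fields[2] == "tcp":
                yield ip, int(fields[0]), fields[4]


def audit(text, approved):
    """Return findings: unapproved web interfaces and approved ones without TLS."""
    findings = []
    for ip, port, service in parse_grepable(text):
        if service not in WEB_SERVICES:
            continue
        if (ip, port) not in approved:
            findings.append((ip, port, "unapproved web interface: disable or register"))
        elif service not in TLS_SERVICES:
            findings.append((ip, port, "approved but plain HTTP: move to HTTPS"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in audit(SAMPLE_SCAN, APPROVED):
        print(f"{ip}:{port}  {reason}")
```

Each finding maps back to a step in the list: an unapproved interface is a candidate for shutting the service down, and an approved one on plain HTTP still needs the HTTPS and access-restriction work.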

User access to production systems: Limiting accounts, stronger password protocol heightens security