Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

18) Do all systems (such as network devices) have their default credentials changed on installation or provision?

August 30, 2022
IT Operations
Default Credentials
Small Framework

Answer yes if all of your organisation's IT systems (network devices and user accounts for services) have their default credentials changed on installation or provision.

Default authentication credentials (usernames and passwords) are often well known, easily discoverable, and present a significant security risk to your organisation.

Vendors typically use default credentials on stock devices to allow buyers of the devices to be able to access the management console and configure the device for their particular environment. These default credentials are typically the same (or calculated using a predictable algorithm) across a vendors range of products, and therefore if the default credentials are left on the device they can easily be accessed by a malicious actor.

It is therefore important that these default credentials are changed for all network devices and user accounts within your IT estate. As the hardware and software you use changes over time, your IT security policy should include steps in your installation or provisioning process to change the passwords of any default accounts and, if the default accounts are no longer required after initial configuration, to disable those accounts. This should be a defined step within each of your configuration checklists.

How to implement the control

Your IT team need to ensure that all of your network based devices and user accounts have had their default credentials changed on installation or provisioning. This is typically done as a defined step in your configuration process, or by enforcing any software based services to request the user changes their password on first login.

Cyber Essentials has some good advice on secure configuration that can be found here.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.