Requirement 2 of the PCI DSS states that organizations cannot use vendor-supplied defaults for system passwords and other security parameters. Devices like wireless routers or Point-of-Sale systems often come straight from the factory with default usernames and passwords. Individuals with malicious intent or criminal hackers will often attempt to use these vendor defaults in order to easily access and compromise an organization’s environment or search for sensitive information. A quick Google search can reveal the default root password for many popular applications and devices, and standard configuration settings are widely shared by hacker communities online.
Before any systems (e.g., operating systems, software, applications, point of sale terminals, etc.) are installed within your organization’s network, ensure the default passwords have been changed. Just last month, a flaw was discovered in Apple’s latest macOS “High Sierra” that allowed anyone with access to the system to login as the root user without supplying a password. All users needed to do to protect their systems was change the root account password, something that should have already been done if they were following the PCI DSS guidelines.
In September, in the aftermath of the massive Equifax breach, researchers discovered that accounts on Equifax’s South American site were accessible by the same generic username and password: “admin”. Using the administrative access, the researchers were able to access personal employee information, including names, e-mails, and Social Security Number equivalents of over 100 individuals. And the list does not end there. In fact, according to the Verizon Data Investigations Report, nearly two thirds of confirmed data breaches are related to password issues.
Review your internal policies and procedures for installing new systems to ensure that changing the vendor-supplied defaults is a clearly defined step within the implementation process. You can also interview personnel within your merchant areas to confirm they are updating all system defaults before anything is connected to the network. As part of your annual risk assessment, review vendor documentation and check your systems to verify the defaults have been removed or updated. An annual penetration test should also be checking for the use of vendor-supplied defaults and revealing if any systems within your CDE (or campus-wide network) are at risk.
Follow the PCI SSC requirements for changing passwords every 90 days and also verify that your passwords are meeting the complexity requirements (contain at least 7 characters including numeric and alphabetic characters). The organization’s annual security awareness training should also discuss requirements for password security and share policies surrounding password management.
Please contact email@example.com if you have questions about your password security policies or if you would like to discuss scheduling your annual penetration test to verify all vendor default have been updated.
Some additional guidance from our Security Advisor team below:
[Wallace]: Ensure that all default accounts have a strong, unique password. If the system allows, and provides the means to do so, consider disabling the default account and using new accounts for all users. Using non-default user ids will make it even more difficult for a malicious individual to guess valid credentials. If your system logs authentication attempts, you can monitor for any attempted use of the default account, and be alerted to an attacker’s presence quickly.