CISA to manufacturers: Eliminate default passwords, boost security.

December 18, 2023
  • The US Cybersecurity and Infrastructure Security Agency (CISA) has urged manufacturers to cease using default passwords on internet-connected systems due to the high security risks they present.
  • CISA highlighted a recent incident where Iranian threat actors tied to the Islamic Revolutionary Guard Corps exploited devices using default passwords to gain access to vital US infrastructure systems.
  • The agency recommends adopting secure by design principles, including providing unique setup passwords or disabling default ones after a certain time, alongside enabling phishing-resistant multi-factor authentication methods.

Default passwords, typically publicly documented and often identical across a company’s entire product range, are easily exploitable. Threat actors can use tools like Shodan to find devices exposed on the internet and log in to them with these default passwords, which frequently grants administrative privileges. Mitigating this risk requires manufacturers to adopt the secure by design principles suggested by CISA, such as providing a unique setup password for each product or disabling default passwords after a certain period.
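The manufacturer-side controls described above (a setup password unique to each unit, a time-limited setup window after which that password is disabled, and a forced change on first login) as an added illustration; this is not code from CISA or from the article, and the 72-hour window, the `DeviceAuth` class and its method names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed policy: an unused setup password is disabled 72 hours after provisioning.
SETUP_WINDOW_SECONDS = 72 * 3600


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DeviceAuth:
    """Per-unit credential state for one manufactured device (hypothetical model)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    provisioned_at: float = 0.0
    setup_mode: bool = True  # stays True until the owner replaces the setup password

    def provision(self, now: float) -> str:
        """Factory step: mint a random setup password unique to this unit (e.g. printed on its label)."""
        setup_pw = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.pw_hash = _hash(setup_pw, self.salt)
        self.provisioned_at = now
        self.setup_mode = True
        return setup_pw

    def authenticate(self, password: str, now: float) -> str:
        """Returns 'ok', 'must_change_password', 'setup_expired' or 'bad_credentials'."""
        if self.setup_mode and now - self.provisioned_at > SETUP_WINDOW_SECONDS:
            return "setup_expired"  # window passed: setup password is dead, unit needs re-provisioning
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "bad_credentials"
        return "must_change_password" if self.setup_mode else "ok"

    def set_password(self, current: str, new: str, now: float) -> bool:
        """Owner replaces the credential; this is the only action allowed while in setup mode."""
        if self.authenticate(current, now) not in ("ok", "must_change_password"):
            return False
        if new == current or len(new) < 12:  # reject keeping the setup password or a short one
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.setup_mode = False
        return True
```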

Additionally, by enabling phishing-resistant multi-factor authentication, users can protect themselves against phishing and other credential-based attacks. Manufacturers are also advised to conduct field tests to understand how their products are actually deployed by customers and to identify unsafe configurations that result. Closing this gap between developer expectations and real-world usage is key to ensuring that the secure way to use a product is also the easiest way.

In another alert, CISA, together with the FBI, NSA, Poland’s Military Counterintelligence Service, CERT Polska, and the UK’s National Cyber Security Centre, warned that actors affiliated with Russia’s Foreign Intelligence Service are exploiting CVE-2023-42793 at scale. The campaign has targeted servers hosting JetBrains TeamCity software since as early as September 2023. Separately, the NSA, the Office of the Director of National Intelligence, and CISA have jointly published recommended practices for securing software supply chains and managing open-source software.

In closing, Aeva Black, CISA Open Source Software Security Lead, notes that “Organisations that do not follow a consistent and secure-by-design management practice for the open source software they utilise are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident.” CISA, in collaboration with the NSA, ODNI, and industry partners, hopes the guide will help organisations improve the safety and security of their open-source software management practices.
