Commentary

Bob Evans
Senior VP, Global CIO  

CIOs Should Be Fired For Foolish Security Breaches

Imprisoned hacker Robert Moore says it was child's play to hack into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one security researcher says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and enforce behavior that promotes airtight cybersecurity, they should be fired.

My colleague Sharon Gaudin broke this story and brought to light the passive complicity of IT in these highly preventable break-ins via a series of exclusive conversations with Robert Moore, the convicted cyberpunk. Moore revealed to Sharon an astonishing variety of anecdotes about how and why it was so easy for him to penetrate thousands of supposedly secure databases, and for your reading pleasure -- or disgust -- here are some of the highlights as reported earlier by Sharon:

  • "Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."


  • "I'd say 85% of them were misconfigured routers. They had the default passwords on them... You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box... "

  • "We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."

  • "I think it's all their (the hacked companies') fault," he added. "They're using default passwords and their administrators don't even care... There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find... There were thousands of routers that were compromised in this, just from my scans alone."

  • "If they (the hacked companies) were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."

Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent -- without IT doing its part in his crimes by failing to fully secure corporate systems, then I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and soiled reputation.

If CIOs want to be seen as top-level executives, they need to lead the fight to change policies, processes, and behavior so that none of the pathetic opportunities described above by Moore can occur. If CIOs feel they're not up to that challenge, then they should step aside -- or be told to do so.
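As an added illustration of the basic monitoring Moore says would have exposed him (keeping logs, checking who is logged in, noticing activity that isn't yours), and not code from the article or from InformationWeek: a small Python audit over constructed router login log lines. The management subnet, the default account names and the failure threshold are assumptions for the example, not values from the article.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, loosely modelled on IOS-style login syslog messages.
SAMPLE_LOG = """\
Mar  3 02:11:07 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] [localport: 22]
Mar  3 02:14:40 edge-rtr-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 23]
Mar  3 02:14:41 edge-rtr-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 23]
Mar  3 02:14:52 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 23]
Mar  3 03:40:19 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.16] [localport: 22]
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED).*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

# Hypothetical policy inputs (assumptions, not from the article): the subnet admins
# may log in from, and default account names that should never succeed once hardened.
MGMT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
DEFAULT_ACCOUNTS = {"admin", "cisco"}

def parse_login_events(log_text):
    """Return (event, user, source_ip) for every line that parses as a login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["event"], m["user"], ipaddress.ip_address(m["src"])))
    return events

def audit_logins(log_text, mgmt_networks=MGMT_NETWORKS,
                 default_accounts=DEFAULT_ACCOUNTS, threshold=2):
    """Flag successful logins from outside the management network, default accounts
    still in use, and repeated failures from one source (a password scanner's trace)."""
    findings, failures = set(), Counter()
    for event, user, src in parse_login_events(log_text):
        if event == "LOGIN_FAILED":
            failures[src] += 1
            continue
        if not any(src in net for net in mgmt_networks):
            findings.add(f"login from outside management network: {user}@{src}")
        if user.lower() in default_accounts:
            findings.add(f"default account still in use: {user}@{src}")
    for src, count in failures.items():
        if count >= threshold:
            findings.add(f"repeated login failures ({count}) from {src}")
    return sorted(findings)
```

Run it against a real syslog export by passing the file contents to `audit_logins`; the two in-network `netops` logins produce no findings, while the outside `admin` session trips all three checks.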
