CIOs Should Be Fired For Foolish Security Breaches

Posted by Bob Evans, Oct 3, 2007 04:46 PM

Imprisoned hacker Robert Moore says it was child's play to hack into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one security researcher says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and enforce behavior that promotes airtight cybersecurity, they should be fired.

My colleague Sharon Gaudin broke this story and brought to light the passive complicity of IT in these highly preventable break-ins via a series of exclusive conversations with Robert Moore, the convicted cyberpunk. Moore revealed to Sharon an astonishing variety of anecdotes about how and why it was so easy for him to penetrate thousands of supposedly secure databases, and for your reading pleasure -- or disgust -- here are some of the highlights as reported earlier by Sharon:

"Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."

"I'd say 85% of them were misconfigured routers. They had the default passwords on them... You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box... "

"We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."

"I think it's all their (the hacked companies') fault," he added. "They're using default passwords and their administrators don't even care... There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find... There were thousands of routers that were compromised in this, just from my scans alone."

"If they (the hacked companies) were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."

Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent -- without IT doing its part in his crimes by failing to fully secure corporate systems, then I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and soiled reputation.

If CIOs want to be seen as top-level executives, they need to lead the fight to change policies, processes, and behavior so that none of the pathetic opportunities described above by Moore can occur. If CIOs feel they're not up to that challenge, then they should step aside -- or be told to do so.

« Next Generation iPhone Could Have An Intel Inside | Main | Pacific Northwest National Lab Does Cybersecurity »

This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.

InformationWeek Chief Of The Year:
Call For Nominations

Know a dynamic, future-oriented tech chief? We're looking for the most insightful, innovative, forward-thinking business technology leader to honor as our 2008 Chief Of The Year. "Tomorrow's CIO" is the theme of our InformationWeek 500 Conference, and of a recent in-depth InformationWeek Analytics Report based on our extensive survey. The qualities identified with Tomorrow's CIO—equal parts leadership, vision, business savvy, technology expertise--are what we're looking for in our Chief Of The Year.

Candidates must be CIOs, CTOs, or VP-of-IT level executives. Nominations will be accepted now through Oct. 31, 2008.

Please send your nominations to: cjmurphy@techweb.com.

Sign Up For The CIOs Uncensored Newsletter

Every Thursday, Chris Murphy and his fellow analysts explore the business, strategy, and management issues most important to IT leaders.

Sign up for our free, weekly newsletter today!

Newsletter Archives

Global CIO Video

Blog Categories
Healthcare Cloud Computing Enterprise 2.0 Digital Life Grok On Google Over The Air Outsourcing Global CIO Startup City Information Management Content Management Green Computing Full Nelson Unified Communications	Government IT Analytics Tech Stocks Interop Security Microsoft Apple Unvarnished Open Source Wolfe's Den David Berlind's Tech Radar Virtualization Storage Backup and Business Continuity Blog Homepage

Multicore Programming Blog

Join The InformationWeek Group On LinkedIn

InformationWeek

Business Innovation Powered By Technology

CIOs Should Be Fired For Foolish Security Breaches