CIOs Should Be Fired For Foolish Security Breaches
Imprisoned hacker Robert Moore says it was child's play to hack into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one security researcher says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and enforce behavior that promotes airtight cybersecurity, they should be fired.
Imprisoned hacker Robert Moore says it was child's play to hack into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one security researcher says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and enforce behavior that promotes airtight cybersecurity, they should be fired.My colleague Sharon Gaudin broke this story and brought to light the passive complicity of IT in these highly preventable break-ins via a series of exclusive conversations with Robert Moore, the convicted cyberpunk. Moore revealed to Sharon an astonishing variety of anecdotes about how and why it was so easy for him to penetrate thousands of supposedly secure databases, and for your reading pleasure -- or disgust -- here are some of the highlights as reported earlier by Sharon:
"Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."
"I'd say 85% of them were misconfigured routers. They had the default passwords on them... You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box... "
"We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."
"I think it's all their (the hacked companies') fault," he added. "They're using default passwords and their administrators don't even care... There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find... There were thousands of routers that were compromised in this, just from my scans alone."
"If they (the hacked companies) were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."
Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent -- without IT doing its part in his crimes by failing to fully secure corporate systems, then I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and soiled reputation.
If CIOs want to be seen as top-level executives, they need to lead the fight to change policies, processes, and behavior so that none of the pathetic opportunities described above by Moore can occur. If CIOs feel they're not up to that challenge, then they should step aside -- or be told to do so.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.