Our engineers have noticed a trend over the past year of weak passwords chosen by IT management companies, and it has caused enough concern that we thought we would write a blog post to bring awareness to the issue. Many organizations, especially small and mid-size businesses that don't have the resources internally, outsource their IT support: a third-party vendor sets up and manages the network for them. This makes sense for a lot of organizations, but it also means you are trusting that vendor to keep you from being hacked.
Poor IT Management Passwords: The Risk
Alarmingly, in two recent internal penetration tests, our engineers discovered that the domain administrator password was a derivative of the IT company's name. For example, if the IT management company is called ITWizards, the password would be ITWizards123 or ITWiz@rds! That is not a secure password: anyone who knows who manages your network (it is usually on the vendor's website, on a sticker on the server, or in a LinkedIn profile) can guess it in a handful of attempts. Worse, this is a domain administrator account we are talking about. If an attacker gains control of it, they have complete control over every system joined to your domain. They can access the HR folder with the salary information, the finance folder with sensitive acquisition information, and that client drive with all your customer PII.
Another issue is that a password built from the vendor's own name strongly suggests the IT management company is using the same password, or the same pattern, at all of its clients. That multiplies the risk to your organization. Simply put, if any one of the IT management company's other clients is breached, the attacker now has that password and can try it against your organization. In information security you are only as strong as your weakest link, and this adds every other client of your vendor as a link in your chain.
Finally, this demonstrates a lackadaisical attitude towards security. If they are choosing such a weak password for the most important account on your network, what are they doing with everything else? Do you really think they are performing due diligence and taking the time to lock down your servers, firewalls, and workstations?
How to Avoid Bad Passwords
The best time to address this is before you sign the contract. In your interview with a prospective IT management company, ask them how they create and store the passwords they will use in your organization. Listen carefully for three key things. First, that each password is unique to your organization and not repeated across every client they manage. Second, that at a minimum their passwords meet best practice. The Center for Internet Security recommends a minimum length of 14 characters, but honestly, for something as important as a domain administrator account it should be over 20. Third, listen for them to mention some common security controls, including a password manager and multi-factor authentication. The fact is, the IT administrator assigned to your account is probably working on 5 others. A password manager means that the administrator doesn't have to remember the password; it is generated randomly and stored in an encrypted vault. Without one, they are likely going to repeat passwords, use a pattern (Client1, Client2, Client3), or write them down on a sticky note.
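The three checks above (not derived from the vendor's name, long enough for a domain administrator account, not reused or patterned across clients) can be turned into a small audit script. The following Python is an added example, not code from the original post or from any vendor; the vendor name "IT Wizards", the leetspeak substitution table, and the client/password list are all constructed for illustration. In practice you would run this inside the vendor's password vault or against a dump of hashes you have authorization to test, never against plaintext passwords in a file.

```python
import re

# Leetspeak / symbol stand-ins an administrator typically swaps in for letters.
# Assumed table, chosen to cover the ITWiz@rds! style of mutation described above.
LEET = {
    "a": "@4", "e": "3", "i": "1!", "l": "1|", "o": "0",
    "s": "$5", "t": "7", "b": "8", "g": "9",
}


def _token_regex(token):
    """Build a regex matching `token` with any letter leet-substituted.
    'wizards' becomes w[i1!]z[a@4]rd[s$5]; matched case-insensitively."""
    parts = []
    for ch in token:
        alts = LEET.get(ch, "")
        parts.append("[" + re.escape(ch + alts) + "]" if alts else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def vendor_tokens(vendor_name):
    """Words of the vendor name (4+ characters) plus the run-together form,
    so 'IT Wizards' yields ['itwizards', 'wizards']."""
    words = re.findall(r"[a-z0-9]+", vendor_name.lower())
    tokens = {w for w in words if len(w) >= 4}
    joined = "".join(words)
    if joined:
        tokens.add(joined)
    return sorted(tokens, key=len, reverse=True)


def derived_from_vendor(password, vendor_name):
    """True if the password contains the vendor name or a word of it,
    ignoring case and leet substitutions: ITWiz@rds! -> True."""
    return any(_token_regex(t).search(password) for t in vendor_tokens(vendor_name))


def audit_admin_password(password, vendor_name, min_length=20):
    """Return a list of findings for one password; an empty list means it passed.
    min_length defaults to the 20+ characters argued for above."""
    findings = []
    if len(password) < min_length:
        findings.append(f"only {len(password)} characters, minimum is {min_length}")
    if derived_from_vendor(password, vendor_name):
        findings.append(f"derived from vendor name '{vendor_name}'")
    return findings


def find_reuse(passwords_by_client):
    """Group clients whose passwords are identical or differ only by a trailing
    counter or punctuation (Client1, Client2, ...). Returns {base: [clients]}
    for every group containing more than one client."""
    groups = {}
    for client, pw in passwords_by_client.items():
        base = re.sub(r"[0-9!@#$%^&*._-]+$", "", pw.lower())
        groups.setdefault(base, []).append(client)
    return {base: clients for base, clients in groups.items() if len(clients) > 1}


# Constructed sample data: a hypothetical vendor "IT Wizards" and the domain
# administrator passwords it set at six hypothetical clients.
VENDOR = "IT Wizards"
SAMPLE_CLIENTS = {
    "AcmeDental": "ITWizards123",
    "BobsBakery": "ITWiz@rds!",
    "CityLaw": "Client1",
    "DeltaHVAC": "Client2",
    "EchoCorp": "v7Q!m2Lp#c9Zs4Rt@Wx8Hk",   # 22 random characters from a password manager
    "FoxtrotInc": "ITWizards123",
}

if __name__ == "__main__":
    for client, pw in SAMPLE_CLIENTS.items():
        print(f"{client:12s}", audit_admin_password(pw, VENDOR) or "ok")
    print("reused or patterned:", find_reuse(SAMPLE_CLIENTS))
```

Running it flags every password except EchoCorp's, and reports AcmeDental/FoxtrotInc as sharing one password and CityLaw/DeltaHVAC as following the Client1, Client2 pattern. The vendor-name check works by matching a regex built from the vendor's name rather than by generating every mutation, so it catches W1z4rds2024! just as easily as ITWizards123.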
If you already have an IT management company in place, the best way to make sure they are doing things the right way is with regular security assessments. Make sure an independent third party performs the assessment, even if your IT management company offers the service; a vendor grading its own work will not report the shortcuts it took. Also, don't be afraid to ask them the tough questions. You are paying them to do things properly and securely, so you have the right to check in and make sure it is happening.
After noticing this trend, we decided it was best to get it out there and hopefully catch some bad habits before an attacker does. You can take a proactive approach to making sure your IT management company is doing things right by asking the tough questions and getting annual security assessments. As always, we are here to help, and if you have a question or comment, please let us know.