Why should you change vendor-supplied defaults?
Vendor-supplied accounts and passwords pose a serious threat to your organization’s security. Although defaults might make installation or even support easier, PCI Requirement 2.1 instructs service organizations to always change vendor-supplied defaults because it is pretty simple for hackers to find the vendor-supplied information needed to attack and exploit your system. PCI Requirement 2.1 states, “Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.”
PCI Requirement 2.1 exists because vendor-supplied default information is public information. Vendor-supplied default accounts and passwords are not a secret. Hackers know this, and so should you. Try searching “Oracle default passwords” on Google. What comes up? Thousands and thousands of passwords to try. If you can easily find this information, so can a hacker. When hackers come across a platform, application, or environment that they are unfamiliar with, all they need to do is search on Google for whatever technology they’ve encountered. It’s simple for malicious individuals to find the information needed to attack your system; this is why it’s so important for your organization to always change vendor-supplied defaults.
PCI Requirement 2.1
The beginning of PCI DSS Requirement 2, specifically PCI DSS 2.1, says that you need to change all of your vendor defaults. The reason for this is that information is generally made public. I would ask you to spend some time at your PC and Google search “Oracle default passwords.” I was teaching a class one time and I had somebody do that for me. There were 30,000-50,000 hits available. Within the first couple of hits that came up that we looked at, there were probably no fewer than 1,000 passwords to try.
This information is not a secret, either. Hackers know how to do this as well. When they encounter a specific platform, a specific application, a specific environment that they’re not necessarily familiar with, it’s simple enough for them to Google search “default passwords” for whatever technology they’ve encountered. So when you look to alter that default information, this should include passwords, configurations, and NTP information.