PCI Requirement 2.1 – Always Change Vendor-Supplied Defaults

by Randy Bartels / June 30th, 2017

Why should you change vendor-supplied defaults?

Vendor-supplied accounts and passwords pose a serious threat to your organization’s security. Defaults may make installation and support easier, but PCI Requirement 2.1 instructs organizations to change them because the vendor-supplied credentials needed to attack and exploit a system are trivial for an attacker to find. PCI Requirement 2.1 states, “Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.”

PCI Requirement 2.1 applies to all default passwords (including those used by operating systems, software that provides security services, application and system accounts, and payment applications), to default accounts, and to other default security parameters such as configurations and SNMP community strings. To test that vendor-supplied defaults have actually been changed, your organization should do two things. First, following the 2.1 testing procedures, choose a sample of system components and attempt to log on to them using the vendor-supplied default accounts and passwords, to verify that every default password has been changed. Then repeat the process for unnecessary default accounts to verify that they have been removed or disabled. Note that even if you do not anticipate using a default account, you still need to change its default password to something unique before disabling it. Otherwise an attacker who re-enables the account gets the publicly known default password back, leaving your system susceptible to attack. Your organization should also interview personnel and review supporting documentation to verify that vendor-supplied defaults are always changed before a system is installed on the network.
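The testing procedure above is easy to automate as a default-credential audit. The following is an added example, not code from the original article or from the PCI Security Standards Council. It probes every vendor-default account on a sample of system components and raises a finding when the default password still authenticates (including on a disabled account, which an attacker could re-enable) or when an unnecessary default account is still enabled. The probe is injected, so the same audit logic can sit on top of a real SSH, HTTP or database client; the probe shown here walks a constructed in-memory inventory so the example runs offline. The product names, hosts and default-credential table are all constructed for illustration.

```python
"""PCI DSS 2.1 default-credential audit (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Constructed vendor-default table for two hypothetical products
# (product -> {account: default_password}). A real audit takes these from
# vendor documentation or a published default-credential list.
VENDOR_DEFAULTS = {
    "example-router": {"admin": "admin", "support": "support"},
    "example-db": {"sys": "change_on_install", "scott": "tiger"},
}


@dataclass
class AccountState:
    """What the probe learned about one default account on one host."""
    enabled: bool
    default_password_valid: bool  # default credentials would authenticate if enabled


@dataclass
class Component:
    host: str
    product: str
    # Default accounts with a documented business need; all others must be
    # removed or disabled under Requirement 2.1.
    needed_accounts: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    issue: str


# probe(host, account, default_password) -> AccountState, or None if the
# account has been removed from the component.
Probe = Callable[[str, str, str], Optional[AccountState]]


def evaluate(host: str, account: str, needed: bool,
             state: Optional[AccountState]) -> list[Finding]:
    """Apply the 2.1 rules to one account's observed state."""
    findings: list[Finding] = []
    if state is None:  # removed: compliant whether needed or not
        return findings
    if state.default_password_valid:
        # An unchanged default is a finding even on a disabled account:
        # re-enabling it would restore a publicly known credential.
        findings.append(Finding(host, account, "vendor default password unchanged"))
    if state.enabled and not needed:
        findings.append(Finding(host, account, "unnecessary default account still enabled"))
    return findings


def audit(components: Iterable[Component], probe: Probe) -> list[Finding]:
    """Probe every vendor-default account on every sampled component."""
    findings: list[Finding] = []
    for c in components:
        for account, default_pw in VENDOR_DEFAULTS.get(c.product, {}).items():
            state = probe(c.host, account, default_pw)
            findings.extend(evaluate(c.host, account, account in c.needed_accounts, state))
    return findings


# Constructed inventory standing in for real hosts:
# host -> account -> (enabled, current_password); a missing account was removed.
_INVENTORY = {
    "rtr-01": {"admin": (True, "admin"),           # default left in place
               "support": (False, "support")},    # disabled, but default kept
    "db-01":  {"sys": (True, "Xv9!rotated"),       # needed and changed: compliant
               "scott": (True, "Zq2#rotated")},    # unnecessary, still enabled
    "db-02":  {"sys": (True, "Rk4$rotated")},      # scott removed: compliant
}


def inventory_probe(host: str, account: str, default_pw: str) -> Optional[AccountState]:
    """Offline probe over the constructed inventory (stands in for a real login)."""
    entry = _INVENTORY.get(host, {}).get(account)
    if entry is None:
        return None
    enabled, current_pw = entry
    return AccountState(enabled=enabled, default_password_valid=(current_pw == default_pw))


SAMPLE = [
    Component("rtr-01", "example-router", needed_accounts={"admin"}),
    Component("db-01", "example-db", needed_accounts={"sys"}),
    Component("db-02", "example-db", needed_accounts={"sys"}),
]


if __name__ == "__main__":
    for f in audit(SAMPLE, inventory_probe):
        print(f"{f.host}: {f.account}: {f.issue}")
```

Against the constructed sample this reports three findings: the enabled `admin` account and the disabled `support` account on `rtr-01` both still carry their vendor default, and the unnecessary `scott` account on `db-01` is still enabled even though its password was changed. `db-02`, where `scott` was removed outright, is clean. To run this against real systems, replace `inventory_probe` with a function that attempts the login over the component's management interface (with administrator help, as the 2.1 testing procedure assumes) and reports whether the account is enabled.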

PCI Requirement 2.1 exists because vendor-supplied default information is public information. Vendor-supplied default accounts and passwords are not a secret. Hackers know this, and so should you. Try searching “Oracle default passwords” on Google. What comes up? Thousands and thousands of passwords to try. If you can easily find this information, so can a hacker. When hackers come across a platform, application, or environment that they are unfamiliar with, all they need to do is search for the default credentials of whatever technology they have encountered. It is simple for malicious individuals to find the information needed to attack your system; this is why it is so important for your organization to always change vendor-supplied defaults.

The beginning of PCI DSS Requirement 2, specifically PCI DSS 2.1, says that you need to change all of your vendor defaults. The reason for this is that the information is generally made public. I would ask you to spend some time at your PC and Google search “Oracle default passwords.” I was teaching a class one time and I had somebody do that for me. There were 30,000–50,000 hits available. Within the first couple of hits that came up that we looked at, there were probably no fewer than 1,000 passwords to try.

This information is not a secret, either. Hackers know how to do this as well. When they encounter a specific platform, a specific application, a specific environment that they’re not necessarily familiar with, it’s simple enough for them to Google search “default passwords” for whatever technology they’ve encountered. So when you look to alter that default information, this should include passwords, configurations, and NTP information.