- "Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."
- "I'd say 85% of them were misconfigured routers. They had the default passwords on them. . . .You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box..."
- "We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."
- "AT&T reported to the court that Moore ran 6 million scans on its network alone."
- "It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing.
- "I think it's all their [the hacked companies'] fault," he added. "They're using default passwords and their administrators don't even care. . . .There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find. . . .There were thousands of routers that were compromised in this, just from my scans alone."
- "If they [the hacked companies] were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."
- "The cool thing about cybercrime is when you get this much publicity it's pretty much like a resume when you get out," said Moore, who hasn't gone to college and doesn't hold a degree. "When they say, 'Where's your degree?,' you just show them your prison record."

Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent: without IT doing its part in his crimes by failing to fully secure corporate systems, then I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and soiled reputation.

No doubt a lot of you are saying, "Now hold on, you don't understand, it's not really our fault!" OK, let's review the list of usual excuses:

Conflicting priorities:
Who sets the priorities -- isn't it the CIO? Who funds those priorities -- isn't it the CIO? Who allocates people -- isn't it the CIO? So who's making the excuses -- isn't it the CIO?

Limited staff:
See "conflicting priorities" above. Seems pretty simple: either cybersecurity is a priority, or it's not. If it is, put more people on it; if it's not, well, be prepared to deal with the consequences.

Complex processes:
No doubt this is true, and no doubt they'll get more complex as more and more parts of your business become totally enmeshed in your systems and networks and software. And as your customers move increasingly deeper into your processes, the complexity will multiply. Again, it comes down to this question: Who's in charge here?

Hodgepodge of systems: