Default Passwords = Bad; Continuous Testing = Good


Well, the verdict is in. The drone documents found on the dark web were drone maintenance documents. These documents were found behind a Netgear router whose FTP (File Transfer Protocol) password had not been changed from the default.

This is a simple mistake. You might even say that this was a “rookie” mistake. Nevertheless, I am stunned that this kind of mistake would be made on a program that had already been granted its authority to operate (ATO). But the fact that this has happened proves that continuous vulnerability testing and compliance monitoring are key to ensuring the ongoing (and safe) operations of a program.

And if this is true for the U.S. Department of Defense, then it is also true for each of us. So here is my simple question: have you changed default passwords on every system that you access?

Learn From Drone Documents Found on the Dark Web

Today, the Wall Street Journal reported that secret data about combat drones had been stolen and had been made available on the “dark web”. This revelation should not be surprising. In a world where every document and every conversation can be digitized, there is ample opportunity for data to fall into unexpected hands.

Is this a problem with the “dark web” itself? No, not really. Yes, the dark web is inhabited by denizens. But it is also inhabited by those seeking relief from oppressive political regimes. The real problem here is that either secure systems have been breached or someone within the “military-industrial complex” has released sensitive data to an unauthorized recipient.

I am sure that an inspector general is already investigating. In the meantime, there are lessons to be learned – and applied – for your personal assets:

  1. Know your data. While you should protect everything, you should be able to say what data is truly valuable.
  2. Protect your valuable data. Have layers of security. This should include strong (and unique) passwords, multi-factor authentication, encrypted “data at rest”, and also encrypted communications for valuable data.
  3. Review your protection plans on a regular basis. Perform threat simulations wherever possible. This is not something that should be done just by governments and corporations. You should do this for your own data – lest you be awoken to the sad truth that you have been hacked.
  4. Review all access attempts to determine if you have been breached. This means that you should check access logs (if possible) to see if they match what you actually did. For example, check last login times on tools like Facebook and Twitter. But this also means using tools like “Have I Been Pwned” so that you know whether your credentials have been compromised. You might even want to use tools from credit sources (like Experian).
  5. Always have a remediation plan if your data is compromised. This should include contacting service providers (especially banks), changing passwords, etc.
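
Step 4 can be made routine. The sketch below is an added example, not part of the original post: it compares a login history against the sessions you know were yours and reports every successful login you cannot explain. The CSV column names, the account names, and all addresses and times are constructed for illustration.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export; the column layout is an assumption, adapt it to your service.
LOGIN_HISTORY = """timestamp,account,source_ip,result
2018-07-09T08:02:11,alice,192.168.1.23,success
2018-07-09T23:47:52,admin,203.0.113.77,failure
2018-07-09T23:48:05,admin,203.0.113.77,success
2018-07-10T12:30:40,alice,198.51.100.14,success
2018-07-10T03:15:09,alice,198.51.100.200,success
"""

# What you actually did: (network you were on, first use, last use). Constructed values.
KNOWN_SESSIONS = [
    ("192.168.1.0/24", "2018-07-09T00:00:00", "2018-07-10T23:59:59"),   # home
    ("198.51.100.0/28", "2018-07-10T09:00:00", "2018-07-10T17:00:00"),  # office
]
MY_ACCOUNTS = {"alice"}  # accounts you really log in with


def unexplained_logins(history_csv, sessions, accounts):
    """Return successful logins that match none of your own sessions."""
    windows = [
        (ipaddress.ip_network(net), datetime.fromisoformat(start), datetime.fromisoformat(end))
        for net, start, end in sessions
    ]
    findings = []
    for row in csv.DictReader(io.StringIO(history_csv)):
        if row["result"] != "success":
            continue  # failed attempts are noise here; successes are the breach signal
        when = datetime.fromisoformat(row["timestamp"])
        source = ipaddress.ip_address(row["source_ip"])
        if row["account"] not in accounts:
            # e.g. a built-in account whose password was never changed
            reason = "account you do not use"
        elif not any(source in net and start <= when <= end for net, start, end in windows):
            reason = "no matching session of yours"
        else:
            continue
        findings.append((row["timestamp"], row["account"], row["source_ip"], reason))
    return findings


if __name__ == "__main__":
    for finding in unexplained_logins(LOGIN_HISTORY, KNOWN_SESSIONS, MY_ACCOUNTS):
        print(*finding, sep="  ")
```

Any line this prints is a trigger for the remediation plan in step 5.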

You may not have military-grade secrets to protect. But with a little investment of time, you can be craftier than the slower antelopes.