Remove vendor-supplied defaults
Description
Vendor-supplied defaults for system passwords and security parameters must be changed.
⚠️ Risk Impact
Default credentials are publicly known and automated scanners target them.
🔧 Remediation
Change all default passwords and remove default accounts. EchelonGraph detects default service accounts.
💀 Real-World Attack Scenario
A POS terminal vendor installed systems with the default admin password 'admin123'. The password was listed in the vendor's publicly available installation guide. An attacker used this default password to access 47 POS terminals across 12 store locations, installing card-skimming malware on each.
💰 Cost of Non-Compliance
Heartland Payment: $140M cost from default credential exploitation. PCI DSS Req 2.1 violation is one of the most common QSA findings. Non-compliance fines: $5K-$100K/month.
📋 Audit Questions
1. Show your process for changing vendor defaults during deployment.
2. Are default accounts disabled or removed?
3. How do you verify that no default credentials remain?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Changing the primary admin password but leaving backup/recovery passwords at default
- ⛔ Not checking for default API keys and tokens in vendor software
- ⛔ Default SNMP community strings left unchanged on network devices
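An added example (not EchelonGraph's code) of how the verification asked for in audit question 3 can cover the three pitfalls above in one pass. It assumes a deployment inventory exported from provisioning templates, where each system is a dict holding its accounts, API keys and SNMP community strings; the lists of known defaults are a constructed baseline, not a vendor's real one.

```python
"""Audit a deployment inventory for vendor-supplied defaults (PCI DSS Req 2.1)."""
from dataclasses import dataclass

# Constructed baseline of well-known defaults; a real audit loads the
# vendor's documented defaults for each product instead.
DEFAULT_PASSWORDS = {"admin", "admin123", "password", "changeme", ""}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_TOKEN_MARKERS = ("changeme", "example", "replace")


@dataclass
class Finding:
    system: str
    category: str  # "account", "snmp" or "token"
    detail: str


def audit_system(system: dict) -> list[Finding]:
    """Return one Finding per default still present on a single system."""
    findings: list[Finding] = []
    name = system["name"]
    # Every account is checked, so backup/recovery accounts left at the
    # default are caught even when the primary admin password was changed.
    for acct in system.get("accounts", []):
        if acct["password"].lower() in DEFAULT_PASSWORDS:
            findings.append(Finding(name, "account",
                                    f"account '{acct['user']}' uses a vendor default password"))
    # Network devices: SNMP community strings left at the vendor default.
    for community in system.get("snmp_communities", []):
        if community.lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(Finding(name, "snmp", f"default SNMP community '{community}'"))
    # Vendor software: API keys/tokens still carrying the placeholder value.
    for key_name, value in system.get("api_keys", {}).items():
        if any(marker in value.lower() for marker in DEFAULT_TOKEN_MARKERS):
            findings.append(Finding(name, "token", f"API key '{key_name}' is a vendor placeholder"))
    return findings


def audit_inventory(inventory: list[dict]) -> list[Finding]:
    """Audit every system in the inventory; an empty list means no defaults remain."""
    return [f for system in inventory for f in audit_system(system)]


# Constructed sample inventory (fictional systems and credential values).
SAMPLE_INVENTORY = [
    {"name": "pos-terminal-01",
     "accounts": [{"user": "admin", "password": "Xk9!vq2Lm#"},
                  {"user": "recovery", "password": "admin123"}],
     "api_keys": {"payment_gateway": "CHANGEME-REPLACE-WITH-KEY"}},
    {"name": "store-switch-01",
     "accounts": [{"user": "admin", "password": "Hd7&zp0Rt!"}],
     "snmp_communities": ["public", "s3cure-ro-7f2"]},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.system}: [{f.category}] {f.detail}")
```

On the sample inventory the changed primary admin passwords pass, while the recovery account, the placeholder API key and the `public` community string are each reported.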
📈 Business Value
Eliminating default credentials removes the easiest attack vector. It's one of the first things attackers and scanners check and demonstrates basic security hygiene to QSAs.
⏱️ Effort Estimate
2-4 hours per system to audit and change defaults
EchelonGraph detects default service accounts and known default configurations
🔗 Cross-Framework References