Reading about how hackers are using SQL Server instances that are exposed on the internet AND have weak passwords to work their way into systems, I’m sitting here wondering why.
I get it. A pretty hefty majority of these were simply set up by people who didn’t know any better. Computers and databases are now so wonderfully easy, almost anyone can slap together a database server, and do. Simple ignorance leads them to misconfigure the systems and leave them exposed. So, while it’s hard to forgive this ignorance, it’s easy to understand.
I sincerely doubt we’ll ever be able to do much about it. I suppose if systems were designed to be secure from the moment of installation, that would help. Stuff like ElasticSearch having its development servers ship with zero security out of the box in order to ease development doesn’t help. Just the simple change that Microsoft made back in the day, actually requiring a password, any password, on install, improved security. More can be done.
What About the Rest of You?
So, yes, ignorance plays a factor. Better security from the vendors would be a huge help (and by the way, here’s where the cloud can be awesome because, depending on the system, cloud services are more secure out of the box). However, you know better and yet you have systems that are insecure.
You know you do. You have a single login for all administration across the entire organization. You have simple passwords. You have SQL Injection vulnerabilities. You have unpatched servers or even servers that are long out of support. You have all these problems, and more, that you know about and yet you’re not fixing them.
I want to know why.
Please note, I’m not saying it’s your fault. I’m assuming outside issues. I’m simply curious what they are.
How and why is the organization preventing you from doing what you know is right?
Further, is there a way to turn this around?
I don’t have an answer for you today. Only questions. Please, respond in the comments. I’d love to hear what you have to say on this.