Am I wrong and now look stupid?

As above… Just took on a new client. Nothing exciting: 4 PCs, Yealink desk phones… and a printer.

Upon investigation and reviewing the systems I noticed port 443 was open to the router’s login page, and I bitched at the old IT co asking them why it was open. For no other reason than ‘We may need to change some settings’. So it was not open for VPN purposes etc.

Bearing in mind the admin password was a variant of ‘Password’. So not a strong one.
No Geo-IP or 2FA etc.
Router is a Draytek.

I shouted and had a go at the other IT co about this as I thought this was just pure laziness, but they claim they do it a lot and this is how they have all of their clients configured.

Did I just make myself look stupid by having a go at them about how insecure this is/was, or am I being over the top? What’s the worst that can happen? The previous IT co said they would replace the router if it got hacked.

I was not happy with this configuration at all.

Did I just make myself look stupid?

Web interfaces of routers should not be publicly exposed. At least filter them to IPs owned by the people administrating them.

Myself, as tempting as it is, I wouldn’t bother trying to ‘educate’ the other IT company, a win there won’t get you much, BUT, I would use that case in your own company promotion: “We take your network security seriously and make sure we protect your network by keeping you secured behind a secure firewall - don’t wait to find out how you were hacked - lock your network down!”. What Tom said!

Doubt the customer even cares until something goes wrong. The third party certainly does not, some guy is just following their internal process.

You’ve just wasted your time, that’s about it.

This is the difference between processes and standards.

The guy following the internal process at the previous IT provider… was the owner.

So he should care.

Maybe one day his ass will get sued.

Any method of helping to secure an environment is NOT stupid, and neither are you for pointing out that fact. Ports 80 and 443 are probably the most widely scanned globally for possible attack, and it is always advisable to restrict them, as others have said, to a whitelisted few sources…
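The two replies above make the same point: a management port such as 80 or 443 should not be reachable from any WAN source, and if it has to be open it should be confined to the administrators’ own address ranges. The script below is an added example, not code from the thread or from any router vendor; it audits a small, constructed firewall rule set in a made-up text format (`<iface> <proto> <dport> <src-cidr> <action>`) and flags every WAN allow rule on a management port whose source is either “any” or outside a constructed admin allowlist (203.0.113.0/24). The rule format, the sample rules and the admin range are all assumptions made for the example.

```python
"""Audit a small firewall rule set for management ports reachable from the WAN."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Ports that commonly carry device management interfaces (web UI, SSH, telnet).
MGMT_PORTS = {80, 443, 22, 23}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    iface: str    # interface the rule applies to, e.g. "wan" or "lan"
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    src: Network  # permitted source network
    action: str   # "allow" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed format '<iface> <proto> <dport> <src-cidr> <action>'."""
    iface, proto, dport, src, action = line.split()
    return Rule(iface.lower(), proto.lower(), int(dport),
                ipaddress.ip_network(src, strict=False), action.lower())


def audit_wan_rules(lines: List[str], admin_sources: List[str]) -> List[Tuple[int, str, str]]:
    """Return (port, source, reason) for every WAN allow rule on a management port
    whose source is not confined to the administrators' own address ranges."""
    admin_nets = [ipaddress.ip_network(a, strict=False) for a in admin_sources]
    findings: List[Tuple[int, str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        # Only inbound allow rules on the WAN side that hit a management port matter here.
        if rule.iface != "wan" or rule.action != "allow" or rule.dport not in MGMT_PORTS:
            continue
        if rule.src.prefixlen == 0:
            # 0.0.0.0/0 (or ::/0): the exposed-router case from the thread.
            findings.append((rule.dport, str(rule.src), "management port open to any source"))
        elif not any(rule.src.version == n.version and rule.src.subnet_of(n) for n in admin_nets):
            # Restricted, but to a range the administrators do not own.
            findings.append((rule.dport, str(rule.src), "source not in administrator allowlist"))
    return findings


# Constructed sample rule set; the first WAN rule mirrors the situation described in the thread.
SAMPLE_RULES = [
    "# iface proto dport source action",
    "wan tcp 443 0.0.0.0/0 allow",          # router web UI open to the whole internet
    "wan tcp 22 203.0.113.0/24 allow",      # SSH limited to the admin range: acceptable
    "wan udp 1194 0.0.0.0/0 allow",         # VPN port, not a management interface
    "lan tcp 443 192.168.1.0/24 allow",     # LAN-side access, out of scope for this audit
    "wan tcp 80 198.51.100.0/24 allow",     # restricted, but not to the admin range
]
# Constructed: the address block the managing IT company administers from.
ADMIN_SOURCES = ["203.0.113.0/24"]

if __name__ == "__main__":
    for port, src, reason in audit_wan_rules(SAMPLE_RULES, ADMIN_SOURCES):
        print(f"port {port} from {src}: {reason}")
```

Run against the sample set it reports two findings: port 443 open to any source, and port 80 restricted to a range outside the admin allowlist; the SSH rule confined to 203.0.113.0/24 passes. The check is deliberately about source scoping only; it says nothing about password strength or 2FA, which the thread raises as separate weaknesses.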

Not trying to start an argument here, I hope you take this the way I intend it, but I just thought I would drop my $0.02 worth…

I have to be honest, “I shouted and had a go at” was probably wrong and probably made you look more stupid than anything else.

No, the router probably should not have ports open on the WAN. If for some reason they must be, then they should be locked down. So no, you were not wrong on a technical front, but (IMHO) you were wrong in the way you dealt with it.

“The previous firm must have been shit because they did or did not do x, y and z” is also a bit unbecoming and I personally try and avoid it. “They did it this way but in my professional opinion it is more secure to do this other thing” makes you sound more professional.

The client won’t care; they already decided to take you on, so you don’t need to tell them the previous firm were not up to scratch.

The previous firm won’t care; if they knew what they were doing and gave a shit then it would not have been as it was, so clearly they either think they are doing it right or don’t care. Additionally, being told you are doing a shit job by the person that just replaced you is never going to go down well.

