{"id":163,"date":"2018-10-19T14:58:01","date_gmt":"2018-10-19T18:58:01","guid":{"rendered":"https:\/\/pbacyber.com\/?p=163"},"modified":"2018-10-19T14:58:01","modified_gmt":"2018-10-19T18:58:01","slug":"new-state-law-mandates-cybersecurity-enhancements","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2018\/10\/19\/new-state-law-mandates-cybersecurity-enhancements\/","title":{"rendered":"New State Law Mandates Cybersecurity Enhancements"},"content":{"rendered":"<p>By Peter F. Johnson, <a href=\"http:\/\/www.pacourts.us\/courts\/superior-court\/\" target=\"_blank\" rel=\"noopener\">Superior Court of Pennsylvania<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>California Governor Jerry Brown <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billNavClient.xhtml?bill_id=201720180SB327\" target=\"_blank\" rel=\"noopener\">signed legislation<\/a> mandating a longtime cybersecurity best practice\u2014changing default passwords. \u00a0The use of weak default passwords is endemic to the consumer devices world, but is just as common in the world of enterprise computer equipment, on which corporate and customer data may be stored. \u00a0The new law appears aimed towards Internet of Things (IoT) devices like home security cameras, smart thermostats, or connected doorbells, and specifically those which collect, store, or transmit information about individuals. \u00a0Nevertheless, the law\u2019s scope in this respect is ambiguous, and may be read to concern any physical device capable of connecting to the internet, including computer servers destined to store corporate and customer data.<\/p>\n<p>&nbsp;<\/p>\n<p>The California law specifically applies to \u201cconnected devices,\u201d that is, \u201cany device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.\u201d Cal. Civ. Code \u00a7 1798.91.05(b). 
\u00a0It obligates manufacturers to use \u201creasonable security features\u201d in the design of the devices. \u00a0Under the statute\u2019s safe-harbor provision, manufacturers provide a reasonable security feature if they employ unique pre-programmed passwords for each manufactured device or require a user to generate a new means of authentication upon first use. Cal. Civ. Code \u00a7 1798.91.04(b).<\/p>\n<p>&nbsp;<\/p>\n<p>Manufacturers of computer systems have long utilized default passwords, widely-known and consistent across a brand\u2019s devices. \u00a0The United States Computer Emergency Readiness Team <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA13-175A\" target=\"_blank\" rel=\"noopener\">explains<\/a>: \u201cDefault passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment.\u201d \u00a0Still, there are efforts to improve security from the start. \u00a0The current generation of <a href=\"https:\/\/www.dell.com\/learn\/us\/en\/04\/help-me-choose\/hmc-idrac-password-14g\" target=\"_blank\" rel=\"noopener\">Dell EMC servers<\/a> available for configuration on the company\u2019s website, for example, now \u201cship with a unique, randomly-generated [management] password.\u201d \u00a0Nevertheless, a purchaser may still opt to have their server delivered with the company\u2019s \u201clegacy password.\u201d (\u201cCalvin,\u201d if you are curious).<\/p>\n<p>&nbsp;<\/p>\n<p>The exploitation of unchanged default passwords in IoT devices poses a threat to the public in large part because it is a mainstay of botnet recruitment. \u00a0Discovered in 2016, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Mirai_(malware)\" target=\"_blank\" rel=\"noopener\">Mirai botnet<\/a> is among the most significant in scale so far. 
\u00a0The subsequent public release of Mirai\u2019s source code showed the primary means of proliferating to new devices was by employing a list of more than sixty common, default, username\/password combinations. \u00a0In theory, such an attack would not be possible with devices compliant with the unique pre-programmed password provision of the California law.<\/p>\n<p>&nbsp;<\/p>\n<p>But the exploitation of unchanged passwords in other contexts leaves open even more concerning threats. \u00a0The United States Government Accountability Office (GAO) recently <a href=\"https:\/\/www.gao.gov\/assets\/700\/694913.pdf\" target=\"_blank\" rel=\"noopener\">revealed<\/a> that American weapons systems are at risk of exploitation by way of default passwords.\u00a0 In its report, the GAO identified failures to change default passwords on commercial or freely-licensed software as extant vulnerabilities to those systems:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 60px;\">Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds.[] Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. \u00a0(Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities at 22).<\/p>\n<p>&nbsp;<\/p>\n<p>California\u2019s new connected devices statute expands good cybersecurity and data privacy practices into the realm of legal compliance.\u00a0 Although this statute\u2019s scope may well be limited to manufacturers of consumer devices, the specific threat it seeks to address is far broader. 
\u00a0Attorneys charged with managing and mitigating an entity\u2019s risks generally would do well to consider an entity\u2019s own security against these same vulnerabilities, to consider the threats posed to personal information of individuals stored by the entity, and to consider the entity\u2019s readiness to comply with increasingly technologically sophisticated legislatures, who appear ready to codify enhancements to cybersecurity generally.<\/p>\n<p>&nbsp;<\/p>\n<p>___________________________<\/p>\n<p>Peter F. Johnson, Esq. is the director of technology at the Superior Court of Pennsylvania<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Peter F. Johnson, Superior Court of Pennsylvania &nbsp; California Governor Jerry Brown signed legislation mandating a longtime cybersecurity best practice\u2014changing default passwords. \u00a0The use of weak default passwords is endemic to the consumer devices world, but is just as common in the world of enterprise computer equipment, on which corporate and customer data may <br \/><a class=\"read-more-button\" href=\"https:\/\/pbacyber.com\/index.php\/2018\/10\/19\/new-state-law-mandates-cybersecurity-enhancements\/\">Read More 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,23],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/163"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=163"}],"version-history":[{"count":1,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":164,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/163\/revisions\/164"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}