Part of Data Security Standard 9 - IT protection
Network components (9.1.1 - 9.1.2)
Definition and scope
Networking components are physical devices which are required for communication and interaction between devices on a computer network they include, but are not limited to:
- firewalls
- switches and hubs
- bridges
- routers
- wireless access devices
Out of the box network devices may ship with the same username and password for that specific type of device or even be the same for all that provider’s devices. Consequently, the login details are available on the internet and this makes the devices very vulnerable to misuse.
Data security incidents, such as the May 2017 global ransomware attack which affected NHS services, as well as other public services and private companies in many other countries, have highlighted the potential for cyberattacks to disrupt services by having a direct impact on the availability of care for patients and service users.
All network components need to have their default passwords changed.
Some network components (particularly those provided by internet service providers for home or small business use) can have a unique username and password 'out of the box'. So, it can be acceptable to not change those Internet Service Provider (ISP) provided devices, subject to confirmation and the device itself not having a label attached in a public setting with the login details.
Similarly, to scanning software in Data Security Standard 8, it's important to know the boundaries of your estate and not go beyond them and attempt to change a password on a device not managed by your organisation.
As well as networking components other devices should also have their default passwords changed (where applicable). Devices encompass servers, desktop computers, laptop computers, tablets and mobile phones.
Last edited: 27 September 2022 2:53 pm