If Cisco Can Blunder Like This, No Company Can Take Its Cybersecurity for Granted

  • Writer: Dave Carey
  • Jul 14

As much as we talk about the need for constant vigilance, frequent security patches, multifactor authentication and so much else, there tends to be a presumption when it comes to cybersecurity:


Surely the big established players know what they’re doing when they design their platforms. And surely Cisco fits into that category.


We presume that until we find out it’s not necessarily true at all. As established and reputable as Cisco is, it’s still run by human beings who sometimes mess up. And we found out this week that some of the humans at Cisco messed up pretty badly – leaving users of the company’s Unified Communications Manager (standard edition and session management edition) vulnerable to one of the worst kinds of cyberattacks.


To its credit, Cisco came out and announced the problem. In essence, when Cisco developed this platform, it implemented static user credentials for the “root” account – which is usually used for development purposes. These static user credentials can’t be deleted and can’t be changed, which means that any hacker who can obtain the credentials can log in as the root user and gain complete control of the system.


Once in, the attacker could move laterally through the system and execute any and all arbitrary commands. Not only could individual devices be compromised, but systemwide authentication controls could be easily manipulated.


This is like putting a coded lock on the front door of the White House, making the combination “ABC123,” and then making it impossible to change it.


Cisco has issued a list of actions that users of Unified Communications Manager should take. They include immediate application of security patches, the use of automated patching systems, changing of default credentials, disabling unnecessary features and the utilization of credential management systems.


This is all well and good. And to date, no actual attackers have taken advantage of the vulnerability. Cisco did a good job of getting out ahead of the issue. It’s just that whoever designed the platform did a poor job of preventing the issue from existing in the first place.


I am not here to judge anyone else’s job performance. This is a stunning mistake from a company with the knowledge and resources of Cisco, but who knows how it happened? Maybe someone put in the standard credentials as a placeholder early in the process, meaning to go back and change them, and then just forgot to do so. That doesn’t excuse the mistake. It just serves as a reminder that people are people.


And also as a reminder of this: You cannot take your system’s cybersecurity for granted. No matter who developed the platform or how smoothly it appears to operate, there is always a chance someone missed something before it ended up on your devices.


That’s why all of the steps mentioned above require your constant vigilance, and why your IT team must be credentialed and serious about battling cybersecurity vulnerabilities.


If you don’t have people like that on your team, give me a call at 616.795.2874, or email dacarey@cybersynergies.io. I can show you what you need to do – and help you do it.

But don’t forget: No system is inherently invulnerable, no matter where it came from. That includes the ones that are operating on your devices right now.


Dave Carey is president of CyberSynergies, a Grand Rapids-based cybersecurity consulting company.

© 2025 Created by Cybersynergies