Today's assignment is both easy and hard: look through your password database, talk to your staff, and identify every vendor and device still using a default password, then change each one to a distinct, robust password.
Default passwords are well known to attackers, who count on the fact that many devices are installed and left with them. Such devices give attackers places to hide and easy stepping stones from which to position themselves as they hopscotch across your network to their ultimate targets.
Just think how much damage and chaos I could do if I could sit on a student network, find an APC UPS with default passwords, and log in to the unit powering your switches, servers, storage, and virtual infrastructure. There are a whole lot of APCs out there with default passwords, and a whole lot of other devices too.
I have seen it happen where someone was randomly rebooting UPSes, causing servers and more to crash or become unstable.
Add this to your list of continual-improvement projects, and make setting robust passwords and other security settings part of the device installation checklist for both your staff and outside vendors.
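One way to do the first pass over your password database is to script it. The following is an added example, not code from the original post: it assumes a CSV export from your password manager with the columns name, vendor, username and password (most managers can produce something close to this), and a small table of known vendor defaults that you maintain yourself from vendor documentation. The sample rows and the default-credential table below are constructed for this example and are not real credentials. It flags entries that still carry a default credential, and also entries whose password is shared with another device, since "distinct" is part of the assignment.

```python
"""Audit a password-manager export for default and reused device credentials.

Added example, not part of the original post. Assumes a CSV export with the
columns name, vendor, username, password, and a default-credential table that
you populate from vendor documentation. All data below is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed for this example: replace with defaults taken from the
# documentation of the devices you actually run. A vendor key is matched
# case-insensitively as a substring of the export's vendor column; the
# "generic" key applies to every row.
KNOWN_DEFAULTS = {
    "apc": {("apc", "apc")},
    "generic": {("admin", "admin"), ("admin", "password"), ("admin", "")},
}

# Constructed sample export (not real credentials).
SAMPLE_EXPORT = """name,vendor,username,password
ups-rack1,APC Smart-UPS NMC,apc,apc
ups-rack2,APC Smart-UPS NMC,apc,Qv9#kLp2!mXr8Zt
core-switch,Cisco Catalyst,admin,Qv9#kLp2!mXr8Zt
pdu-lab,Raritan PX,admin,admin
cam-lobby,Axis M3045,root,g7!HdT2w$eLq0Bn
"""


def load_export(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_default(vendor, username, password):
    """True if (username, password) is a known default for this vendor,
    or one of the generic defaults that apply to any device."""
    cred = (username.lower(), password)  # usernames compared case-insensitively
    vendor_l = vendor.lower()
    for key, creds in KNOWN_DEFAULTS.items():
        if (key == "generic" or key in vendor_l) and cred in creds:
            return True
    return False


def audit(entries):
    """Return a sorted list of (device name, issue) findings.

    Flags rows still using a default credential, and rows whose password is
    shared with at least one other device in the export."""
    findings = []
    by_password = defaultdict(list)
    for e in entries:
        if is_default(e["vendor"], e["username"], e["password"]):
            findings.append((e["name"], "default credential"))
        by_password[e["password"]].append(e["name"])
    for names in by_password.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append((n, "password shared with " + others))
    return sorted(findings)


if __name__ == "__main__":
    for name, issue in audit(load_export(SAMPLE_EXPORT)):
        print(f"{name}: {issue}")
```

Run it against your real export and work through every line of output: each "default credential" finding is a device to change immediately, and each "password shared" finding is a pair of devices that should not fall together when one credential leaks.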
If you have questions or need help, give us a call.
-Scott Quimby, CISSP