The Remote Access Misconfiguration

The Network: Multi state Electricity provider

The Expectation: When IT makes changes, they are done right

The Catch: Remote Desktop Protocol is enabled on a critical server but access is not limited to a known/defined list of IP addresses. Attacker from the Russian Federation discovers the misconfiguration and embarks on password guessing.

The Find: Checklists are good as Atul Gawande has written.

The Lesson: Independent Verification & Validation is a good idea for critical tasks.