The Remote Access Misconfiguration

The Network: Multi-state electricity provider

The Expectation: When IT makes changes, they are done right.

The Catch: Remote Desktop Protocol is enabled on a critical server, but access is not limited to a known/defined list of IP addresses. An attacker from the Russian Federation discovers the misconfiguration and embarks on password guessing.

The Find: Checklists are good, as Atul Gawande has written.

The Lesson: Independent Verification & Validation is a good idea for critical tasks.
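
One way to verify independently that RDP logon attempts come only from the defined list of IP addresses, and to surface password guessing from anywhere else (an added example, not part of the original write-up). The allowlist networks, the record layout, the threshold and the sample events are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of networks permitted to reach RDP (constructed values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.16/28")]

# Constructed sample RDP logon records: (timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    (f"2024-01-01T02:0{i}:00", "203.0.113.45", "administrator", "failure")
    for i in range(6)
] + [
    ("2024-01-01T02:01:30", "10.20.4.7", "jsmith", "failure"),
    ("2024-01-01T03:00:00", "198.51.100.9", "operator", "failure"),
]

def is_allowed(ip):
    """True when the source address falls inside a defined allowlist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def review_rdp_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return (unexpected_sources, guessing_sources).

    unexpected_sources: every source outside the allowlist that reached RDP,
    which means the access restriction is missing or wrong.
    guessing_sources: the subset with >= threshold failures inside the window.
    """
    unexpected = set()
    failures = defaultdict(list)
    for ts, src, _account, outcome in events:
        if is_allowed(src):
            continue
        unexpected.add(src)
        if outcome == "failure":
            failures[src].append(datetime.fromisoformat(ts))

    guessing = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                guessing.add(src)
                break
    return unexpected, guessing
```

Any entry in the first set is a finding on its own: it shows the server accepted an RDP connection attempt from outside the defined list, whether or not guessing followed.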