
REQ.142 Change system default credentials

This document contains the details of the security requirement related to the definition and management of access credentials in the organization. The requirement establishes the importance of changing every default credential on a system before it goes into production, so that an attacker cannot log in with vendor-published defaults or recover them by brute force.

Requirement

The organization must modify all default access credentials of embedded systems.

Description

Organizations often keep the default configuration of third-party products, because it fits most environments where the product is installed and speeds up deployment to production. That practice, however, leaves an open door: the default credentials are printed in the vendor's documentation and can be found easily on the internet, so an attacker does not even need to brute-force them. For this reason, every configuration must be reviewed before deployment and all default credentials removed or changed, in order to prevent brute force and default-credential access.

Implementation

  1. Remove or change all default credentials supplied by the product vendor.

  2. Implement a mechanism to ensure that only users with administrator privileges can reach the product's management consoles.

  3. Define a robust credential policy that governs the creation and management of all credentials in the organization.

  4. Change passwords at a defined interval, so that a stolen credential has a limited useful life.

  5. Perform periodic audits to detect misconfigurations, remaining default credentials, or missing patches.
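The five steps above can be checked together by an audit script that tries the vendor's factory credentials against each device in the inventory, flags passwords older than the rotation interval, and enforces the credential policy whenever a password is replaced. The following is an added example, not code from the original requirement page: the product names, the default-credential table, the device inventory, the 90-day interval and the 12-character minimum are all constructed assumptions, and `try_login` is a simulated device login standing in for a real SSH, HTTP Basic or SNMP attempt.

```python
"""Audit a device inventory for vendor default credentials and stale passwords.

Added example (not the requirement page's own code). The default-credential
table, the inventory and the simulated login are constructed so the script runs
offline; in a real audit `try_login` would talk to the device's management
interface (SSH, HTTP Basic, SNMP, ...).
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hmac
import re

# Constructed sample of factory credentials keyed by (hypothetical) product name.
# A real audit loads a maintained list from vendor documentation instead.
DEFAULT_CREDENTIALS = {
    "acme-router": [("admin", "admin"), ("admin", "password")],
    "acme-plc": [("root", "root"), ("operator", "operator")],
}

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation interval (step 4)
MIN_PASSWORD_LENGTH = 12     # assumed policy minimum (step 3)
SAMPLE_TODAY = date(2024, 1, 15)  # fixed reference date for the sample run


@dataclass
class Device:
    """Simulated embedded device; `accounts` stands in for the real product's
    credential store: username -> [password, date_last_changed]."""
    host: str
    product: str
    accounts: dict


def try_login(device, username, password):
    """Simulated login attempt; constant-time comparison like a sane device would do."""
    entry = device.accounts.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0], password)


def audit_device(device, today):
    """Findings for one device: vendor defaults that still log in (steps 1 and 5)
    and passwords older than the rotation interval (step 4)."""
    findings = []
    for username, password in DEFAULT_CREDENTIALS.get(device.product, []):
        if try_login(device, username, password):
            findings.append(("default-credentials", username))
    for username, (_, last_changed) in device.accounts.items():
        if today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
            findings.append(("stale-password", username))
    return findings


def audit_fleet(devices, today):
    """Map each host to its list of findings; an empty list means compliant."""
    return {d.host: audit_device(d, today) for d in devices}


def password_meets_policy(product, username, password):
    """Credential policy (step 3): no vendor default, minimum length, and at
    least three of four character classes."""
    if (username, password) in DEFAULT_CREDENTIALS.get(product, []):
        return False
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def rotate_password(device, username, new_password, today):
    """Replace a credential only if it satisfies the policy; True on success."""
    if username not in device.accounts:
        return False
    if not password_meets_policy(device.product, username, new_password):
        return False
    device.accounts[username] = [new_password, today]
    return True


def build_sample_fleet(today):
    """Constructed inventory: one device still on factory settings, one with a
    stale but non-default password, one that is compliant."""
    return [
        Device("plc-01.ot.example", "acme-plc",
               {"root": ["root", today - timedelta(days=400)]}),
        Device("rtr-01.example", "acme-router",
               {"admin": ["Zq7!mvPd2#Lw", today - timedelta(days=120)]}),
        Device("rtr-02.example", "acme-router",
               {"admin": ["Xp4$kdWq9&Rt", today - timedelta(days=10)]}),
    ]


if __name__ == "__main__":
    for host, findings in audit_fleet(build_sample_fleet(SAMPLE_TODAY), SAMPLE_TODAY).items():
        print(host, findings or "OK")
```

Running the script lists `plc-01.ot.example` with both a default-credentials and a stale-password finding, `rtr-01.example` with only a stale password, and `rtr-02.example` as OK. The audit deliberately reuses the vendor default list in `password_meets_policy`, so a rotation that sets the password back to a factory value is rejected instead of silently reintroducing the finding.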

Attacks

  1. Brute force attack.

  2. Information leakage: Technical.

Attributes

  1. Layer: Business layer

  2. Asset: Access credentials

  3. Scope: Confidentiality

  4. Phase: Deployment

  5. Type of Control: Recommendation

References

  1. PCI DSS - Requirement 2.2.d

  2. OWASP - Top 10 2013: A5 Security Misconfiguration

  3. CAPEC-70 - Try Common or Default Usernames and Passwords

  4. OWASP ASVS v3.1 - 2.19: Verify there are no default passwords in use for the application framework or any components used by the application (such as "admin/password").
