R142. Change system default credentials

Requirement

The organization must modify all default access credentials of embedded systems.

Description

Organizations often keep the default configuration of third-party products, since it fits most environments where the product is installed and makes deployment to production easier. However, this practice can leave the product open through its default credentials, which are usually published in the provider's documentation and are easy to find on the Internet. For this reason it is important to review all configurations before deployment and remove every default credential.

Implementation

  1. Remove all default credentials.

  2. Implement a mechanism to ensure only users with administrator privileges can access product consoles.

  3. Create a robust credential policy to improve the security of all credentials in the organization.

  4. Passwords must be changed periodically, so that a credential that has been compromised stays useful to an attacker for only a limited time.

  5. Perform audits periodically to detect improper configurations or missing patches.
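
The five steps above can be turned into a repeatable check that runs against an export of device accounts. The script below is an added example written for this page; it is not Fluid Attacks' code and does not come from any product. It assumes a constructed inventory format (one record per account, with the password stored as a hex SHA-256 digest, which is a stand-in for whatever hash format the real device uses), a constructed baseline of vendor defaults that in practice would be built from the provider documentation, and a constructed 90-day rotation policy. It covers step 1 (default credentials still present), step 2 (console access by non-administrators), step 4 (overdue rotation) and the ASVS 2.5.4 point about shared account names, and is the kind of check step 5 would run on a schedule.

```python
"""Constructed audit helper for R142: flag default, shared and stale
credentials in an inventory of embedded-device accounts.

Assumptions (not from the page): the inventory is a list of dicts exported
by the organization's management tool, with passwords stored as hex SHA-256
digests; real devices use their own hash formats and _digest() would be
swapped for the matching one.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the vendor's documented factory credentials.
# In practice this baseline is assembled from the provider documentation
# of every product in the inventory.
VENDOR_DEFAULTS = {
    ("admin", "admin"),
    ("root", "password"),
    ("sa", ""),
}

# Shared or default account names that ASVS 2.5.4 says should not be present.
SHARED_ACCOUNT_NAMES = {"root", "admin", "sa"}

MAX_PASSWORD_AGE_DAYS = 90  # constructed rotation policy for step 4


@dataclass(frozen=True)
class Finding:
    device: str
    account: str
    issue: str


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Digests are precomputed once, so the audit compares hashes only and can run
# against an export that never contains plaintext passwords.
_DEFAULT_DIGESTS = {(user, _digest(pw)) for user, pw in VENDOR_DEFAULTS}


def audit_accounts(inventory: list[dict], today: date) -> list[Finding]:
    """Return one Finding per policy violation found in the inventory."""
    findings: list[Finding] = []
    for entry in inventory:
        device, user = entry["device"], entry["user"]
        # Step 1: factory credentials still in place (hash-only comparison).
        if (user, entry["password_sha256"]) in _DEFAULT_DIGESTS:
            findings.append(Finding(device, user, "default_credential"))
        # ASVS 2.5.4: shared/default account names should not be enabled.
        if user in SHARED_ACCOUNT_NAMES and entry.get("enabled", True):
            findings.append(Finding(device, user, "shared_account_present"))
        # Step 2: product consoles reachable only by administrators.
        if entry.get("console_access") and not entry.get("is_admin"):
            findings.append(Finding(device, user, "console_access_non_admin"))
        # Step 4: password older than the rotation policy allows.
        age = (today - date.fromisoformat(entry["last_changed"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(device, user, "rotation_overdue"))
    return findings


def run_sample() -> list[Finding]:
    """Audit a constructed four-account inventory as of a fixed date."""
    inventory = [
        {"device": "cam-01", "user": "admin", "password_sha256": _digest("admin"),
         "last_changed": "2020-01-01", "console_access": True,
         "is_admin": True, "enabled": True},
        {"device": "cam-01", "user": "operator",
         "password_sha256": _digest("Xq7!vL2#pR9w"), "last_changed": "2020-05-15",
         "console_access": True, "is_admin": False, "enabled": True},
        {"device": "plc-07", "user": "svc_backup",
         "password_sha256": _digest("mK4$tZ8&hB1n"), "last_changed": "2020-04-01",
         "console_access": False, "is_admin": False, "enabled": True},
        {"device": "plc-07", "user": "root", "password_sha256": _digest("password"),
         "last_changed": "2020-05-20", "console_access": True,
         "is_admin": True, "enabled": False},
    ]
    return audit_accounts(inventory, date(2020, 6, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.device}\t{finding.account}\t{finding.issue}")
```

The comparison works on hashes so the audit can consume an export that never carries plaintext, and a disabled account with a factory password is still reported, because step 1 asks for default credentials to be removed, not merely switched off.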

Attacks

  1. Brute force attack.

  2. Information leakage: Technical.

Attributes

  1. Layer: Business layer

  2. Asset: Access credentials

  3. Scope: Confidentiality

  4. Phase: Deployment

  5. Type of Control: Recommendation

References

  1. CAPEC-70: Try Common Usernames and Passwords. An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions.

  2. NERC CIP-007-6. B. Requirements and measures. R5.4 Change known default passwords, per Cyber Asset capability.

  3. OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  4. OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements. (2.5.4) Verify shared or default accounts are not present (e.g. "root", "admin", or "sa").

  5. OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements. (2.10.2) Verify that if passwords are required, the credentials are not a default account.

  6. OWASP-ASVS v4.0.1 V14.2 Dependency. (14.2.2) Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users.

  7. PCI DSS v3.2.1 - Requirement 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

  8. PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
