This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2014-I8 Insufficient Security Configurability"
Craig Smith (talk | contribs) |
Craig Smith (talk | contribs) |
||
| Line 30: | Line 30: | ||
# Ensuring the ability to force strong password policies | # Ensuring the ability to force strong password policies | ||
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}} | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}} | ||
| − | '''Scenario #1:''' | + | '''Scenario #1:''' No ability to enforce strong password policies. |
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"> | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"> | ||
| Line 36: | Line 36: | ||
</span>{{Top_10_2010:ExampleEndTemplate}} | </span>{{Top_10_2010:ExampleEndTemplate}} | ||
| − | '''Scenario #2:''' | + | '''Scenario #2:''' No ability to enable encryption of data at rest. |
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"> | {{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;"> | ||
Example | Example | ||
Revision as of 00:28, 26 June 2014
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability EASY |
Prevalence COMMON |
Detectability AVERAGE |
Impact SEVERE |
Application / Business Specific |
| Consider anyone who has access to the device. | Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device. Attack could potentially come from any user of the device whether intentional or accidental. | Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or forcing the use of strong passwords. Manual review of the web interface and its available options will review these deficiencies. | Insufficient security configurability could lead to compromise of the device whether intentional or accidental. | Data could be stolen or modified and devices taken control of. Could your users be harmed? Could your brand be harmed? | |
|
Is My Security Configurability Sufficient?
The simplest way to determine if you have security configurability deficiencies is to manually inspect the administrative interface of the device for options to strengthen security such as forcing the creation of strong passwords, the ability to separate admin users from normal users and the ability to enable encryption for data at rest. |
How Do I Improve My Security Configurability?
Ensuring sufficient security configurability requires:
|
|
Example Attack Scenarios
Scenario #1: No ability to enforce strong password policies. Example Scenario #2: No ability to enable encryption of data at rest. Example In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.
|
References
OWASP External |
