This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2014-I8 Insufficient Security Configurability"
Craig Smith (talk | contribs) |
Craig Smith (talk | contribs) |
||
Line 2: | Line 2: | ||
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}} | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}} | ||
− | {{Top_10:SummaryTableTemplate|exploitability= | + | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=2|impact=1|year=2013|language=en}} |
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}} | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}} | ||
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device. | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device. | ||
</td> | </td> | ||
− | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device. Attack could potentially come from any user of the device whether intentional or accidental. | + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data. Attack could potentially come from any user of the device whether intentional or accidental. |
</td> | </td> |
Revision as of 22:36, 29 June 2014
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
---|---|---|---|---|---|
Application Specific | Exploitability AVERAGE |
Prevalence COMMON |
Detectability AVERAGE |
Impact SEVERE |
Application / Business Specific |
Consider anyone who has access to the device. | Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data. Attack could potentially come from any user of the device whether intentional or accidental. | Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or forcing the use of strong passwords. Manual review of the web interface and its available options will review these deficiencies. | Insufficient security configurability could lead to compromise of the device whether intentional or accidental. | Data could be stolen or modified and devices taken control of. Could your users be harmed? Could your brand be harmed? |
Is My Security Configurability Sufficient?
The simplest way to determine if you have security configurability deficiencies is to manually inspect the administrative interface of the device for options to strengthen security such as forcing the creation of strong passwords, the ability to separate admin users from normal users and the ability to enable encryption for data at rest. |
How Do I Improve My Security Configurability?
Ensuring sufficient security configurability requires:
|
Example Attack Scenarios
Scenario #1: No ability to enforce strong password policies. Example Scenario #2: No ability to enable encryption of data at rest. Example In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.
|
References
OWASP External |