This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2014-I8 Insufficient Security Configurability"
From OWASP
Craig Smith (talk | contribs) |
Craig Smith (talk | contribs) |
||
| Line 2: | Line 2: | ||
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}} | {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}} | ||
| − | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability= | + | {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=1|impact=1|year=2013|language=en}} |
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}} | {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}} | ||
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device. | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device. | ||
| Line 10: | Line 10: | ||
</td> | </td> | ||
| − | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or forcing the use of strong passwords. Manual review of the web interface and its available options will | + | <td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or for example, forcing the use of strong passwords. Manual review of the web interface and its available options will reveal these deficiencies. |
</td> | </td> | ||
| Line 16: | Line 16: | ||
</td> | </td> | ||
| − | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}> | + | <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact if data can be stolen or modified and control over the device assumed. Could your customers be harmed? |
</td> | </td> | ||
Revision as of 22:40, 29 June 2014
| Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
|---|---|---|---|---|---|
| Application Specific | Exploitability AVERAGE |
Prevalence COMMON |
Detectability EASY |
Impact SEVERE |
Application / Business Specific |
| Consider anyone who has access to the device. | Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device and/or data. Attack could potentially come from any user of the device whether intentional or accidental. | Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or for example, forcing the use of strong passwords. Manual review of the web interface and its available options will reveal these deficiencies. | Insufficient security configurability could lead to compromise of the device whether intentional or accidental. | Consider the business impact if data can be stolen or modified and control over the device assumed. Could your customers be harmed? | |
|
Is My Security Configurability Sufficient?
The simplest way to determine if you have security configurability deficiencies is to manually inspect the administrative interface of the device for options to strengthen security such as forcing the creation of strong passwords, the ability to separate admin users from normal users and the ability to enable encryption for data at rest. |
How Do I Improve My Security Configurability?
Ensuring sufficient security configurability requires:
|
|
Example Attack Scenarios
Scenario #1: No ability to enforce strong password policies. Example Scenario #2: No ability to enable encryption of data at rest. Example In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.
|
References
OWASP External |
