Difference between revisions of "Talk:Consumer Best Practices"
(jims notes)
Revision as of 03:53, 14 June 2016
(Todd: Most of these are mitigation actions and would need to be re-phrased as vulnerabilities)
Consider where the following fits:
- Don't run unnecessary services (Jim: how can we make this consumer-accessible? Don't use unnecessary software or services?; Todd: Yes, it would basically come down to, if you don't need a service or piece of software, don't run/install it. Think about not installing the Yahoo toolbar, or running the web interface on your wifi, if you won't use them.)
Configuration
- Password protect all devices (Jim: I like, suggested stronger beyond default - like iOS defaults are weak)
- Don't remember wifi networks (Jim: Might not be top ten worthy, but I agree. For myself I say "use whatever, but with a VPN"; Todd: This probably falls under Don't trust untrusted sources or lack of secure configurations.)
- Use an inactivity timeout to lock devices (Jim: I like, we might want a generic device top ten item that covers this and others; Todd: Could be. I'm thinking what the vulnerability would be, and I would assume this is a remediation (like the item below) dealing with physical security.)
- Do not leave mobile devices unattended in public places (Jim: Yes!)
- Encrypt mobile devices (Jim: Yes! But they are doing that by default these days; Todd: true, but I'm not sure, for instance, that my MacBook is, or that my SSD USB drive is...)
- Learn to recognize threats (Jim: Filed under don't click on stuff?; Yes! amongst others. Of course, just the fact they are reading and learning our Top Ten might be the remediation for this.)
- Do not mindlessly reply to popup windows (Jim: Agreed, see threat recognition?)
- Review credit reports and online accounts (Jim: Credit monitoring? Todd: Absolutely!)
- Use personal firewall (Jim: OS level enough? Todd: I think so.)
- A point to consider: How, if at all, does this play into the IoT?