|
|
| Line 1: |
Line 1: |
| − | = Potential OWASP Consumer Top Ten = | + | = NOTICE = |
| | | | |
| − | Safe practices for consumers on the web
| + | We are working on this guide here. |
| | | | |
| − | == Weak Password Handling ==
| + | https://docs.google.com/document/d/1QerrLUYDaKElt29AsiUvE6V9C7mQFNV3zGae77180R4/edit?usp=sharing |
| − | '''Description:'''
| |
| − | Passwords are the most common way to authenticate to systems, applications, services, etc. Authentication is how a person or system proves their identity. Three methods of authentications are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they should know, therefore proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords.
| |
| | | | |
| − | '''Threats:'''
| + | Please add your comments there! We will integrate our work back into this wiki page when done with the initial version. |
| − | The exposure of passwords through mishandling or improper storage could allow discovery and use by a third party.
| |
| | | | |
| − | '''Impact:'''
| + | * jim.manico@owasp.org |
| − | Weak password handling can result in the unauthorized access and compromise of data or systems.
| + | * pax@grayknightsecurity.com |
| − | | + | * todd@grayknightsecurity.com |
| − | '''Recommendations:'''
| |
| − | * Use Multi-factor Authentication, especially on important accounts
| |
| − | * Use a Password Manager
| |
| − | * Use Strong Passwords
| |
| − | * Avoid using the same password across different accounts
| |
| − | * Do not answer security questions with easily identifiable or enumerable answers
| |
| − | * Do not allow browsers to store passwords
| |
| − | * Do not share your passwords
| |
| − | * Change default passwords | |
| − | | |
| − | ==Information Disclosure/Sensitive Data Exposure==
| |
| − | '''Description:'''
| |
| − | Information disclosure vulnerabilities are when...
| |
| − | | |
| − | '''Threats:'''
| |
| − | Information and data can be exposed when...
| |
| − | | |
| − | Include: Social media, exif data in documents or pictures, geo locations, etc.
| |
| − | | |
| − | '''Impact:'''
| |
| − | The disclosure of personal information can...
| |
| − | | |
| − | '''Recommendations:'''
| |
| − | * Be aware of the information being posted in public forums
| |
| − | * Understand "metadata" in electronic documents, images and files
| |
| − | * Understand the implications of broadcasting your location, even if accidently
| |
| − | | |
| − | ==Trusting Untrusted Sources==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Untrusted Sources
| |
| − | * Untrusted WiFi, computers, or email
| |
| − | * Downloading files from untrusted sources
| |
| − | * Clicking on links from unknown or unverified sources
| |
| − | * Review credit reports
| |
| − | * Review unknown uses of online accounts
| |
| − | * Subscribe to a credit monitoring service
| |
| − | * Freeze credit
| |
| − | | |
| − | ==Lack of Proper Encryption in Transit==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Do not ignore SSL warnings
| |
| − | * Use Encryption
| |
| − | | |
| − | ==Lack of Proper Encryption at Rest==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Encrypt PII
| |
| − | * Don't store sensitive information unencrypted
| |
| − | * Includes physical info - do not write down passwords, shred sensitive documents, protect your SSN, etc. | |
| − | | |
| − | ==Using Components with Known Vulnerabilities==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Patch
| |
| − | | |
| − | ==Lack of Secure Configuration==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Configure application settings for security
| |
| − | * Do not configure devices to automatically connect to wifi access points
| |
| − | | |
| − | ==Running Unnecessary Software or Services==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Do not install unneeded software
| |
| − | * Remove software not in use
| |
| − | * Do not enable services you don't use
| |
| − | | |
| − | ==Poor Physical Security==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Encrypt devices and drives
| |
| − | * Do not leave mobile devices unattended
| |
| − | * Use an inactivity lockout
| |
| − | * Password protect all devices
| |
| − | | |
| − | ==Lack of Proper Defense==
| |
| − | '''Description'''
| |
| − | | |
| − | '''Threats'''
| |
| − | | |
| − | '''Impact'''
| |
| − | | |
| − | '''Recommendations'''
| |
| − | | |
| − | Notes:
| |
| − | * Use Personal Firewalls
| |
| − | * Properly Secure Wireless Access Points
| |
| − | * Use Intrusion Detection Services
| |
| − | * Use anti-virus
| |
| − | * Backup important data
| |
| − | * Learn to recognize threats?
| |
Please add your comments there! We will integrate our work back into this wiki page when done with the initial version.
