
Difference between revisions of "Talk:Consumer Best Practices"

(jims notes)
(New format: new section)
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 +
(Todd: Most of these are mitigation actions and would need to be re-phrased as vulnerabilities)
 +
 
Consider where the following fits:
 
Consider where the following fits:
  
- Don't run unecessary services  (Jim: how can we make this consumer-accessable? Dont use unnecessary software or services?)
+
- Don't run unnecessary services  (Jim: how can we make this consumer-accessable? Dont use unnecessary software or services?; Todd: Yes, it would basically come down to, if you don't need a service or piece of software, don't run/install it. Think about not installing the yahoo toolbar, or running the web interface on your wifi, if you won't use them.)
  
 
Configuration
 
Configuration
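Review bot: the added "Don't run unnecessary services" line corrects "unecessary" from the old line but still carries "consumer-accessable" and "Dont" in Jim's question; suggest "consumer-accessible" and "Don't" so the spelling matches the rest of the list.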
Line 7: Line 9:
 
- Password protect all devices (Jim: I like, suggested stronger beyond default - like iOS defaults are weak)
 
- Password protect all devices (Jim: I like, suggested stronger beyond default - like iOS defaults are weak)
  
- Don't remember wifi networks (Jim: Might not be top ten worthy, but I agree. For myself I say "use whatever, but with a VPN")
+
- Don't remember wifi networks (Jim: Might not be top ten worthy, but I agree. For myself I say "use whatever, but with a VPN"; Todd: This probably falls under Don't trust untrusted sources or lack of secure configurations.)
  
- Use an inactivity timeout to lock devices (Jim: I like, we might want a generic device top ten item that covers this and others)
+
- Use an inactivity timeout to lock devices (Jim: I like, we might want a generic device top ten item that covers this and others; Todd: Could be. I'm thinking what the vulnerability would be, and I would assume this is a remediation (like the item below) dealing with physical security.)
  
 
- Do not leave mobile devices unattended in public places (Jim: Yes!)
 
- Do not leave mobile devices unattended in public places (Jim: Yes!)
  
- Encrypt mobile devices (Jim: Yes! But they are doing that by default these days)
+
- Encrypt mobile devices (Jim: Yes! But they are doing that by default these days; Todd: ture, but I'm not sure, for instance, that my MacBook is, or that my SSD USB drive is...)
  
- Learn to recognize threats (Jim: Filed under dont click on stuff?)
+
- Learn to recognize threats (Jim: Filed under dont click on stuff?; Yes! amoungst others. Of course, just the fact they are reading and learning our Top Ten might be the remediation for this.)
  
 
- Do not mindlessly reply to popup windows (Jim: Agreed, see threat recognition?)
 
- Do not mindlessly reply to popup windows (Jim: Agreed, see threat recognition?)
  
- Review credit reports and online accounts (Jim: Credit monitoring?)
+
- Review credit reports and online accounts (Jim: Credit monitoring? Todd: Absolutely!)
 
   
 
   
- Use personal firewall (Jim: OS level enough?)
+
- Use personal firewall (Jim: OS level enough? Todd: I think so.)
 +
 
 +
- A point to consider: How, if at all, does this play into the IoT?
 +
 
 +
== New format ==
 +
 
 +
I changed the format around a little.
 +
 
 +
For each vulnerability, I phrased it as a vulnerability. I added some sections to the first one to get feedback on if that is the direction we would like to go. If so, I will continue to add to the items.
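Review bot: in the added "Learn to recognize threats" line the second reply ("Yes! amoungst others. ...") has no speaker label, while every other item in this revision uses the "Jim: ...; Todd: ..." pattern; suggest prefixing it with "Todd:" for consistency, and fixing "amoungst" to "amongst" there and "ture" to "true" in the "Encrypt mobile devices" line.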

Latest revision as of 05:10, 14 June 2016

(Todd: Most of these are mitigation actions and would need to be re-phrased as vulnerabilities)

Consider where the following fits:

- Don't run unnecessary services (Jim: how can we make this consumer-accessible? Don't use unnecessary software or services?; Todd: Yes, it would basically come down to, if you don't need a service or piece of software, don't run/install it. Think about not installing the Yahoo toolbar, or running the web interface on your wifi, if you won't use them.)

Configuration

- Password protect all devices (Jim: I like, suggested stronger beyond default - like iOS defaults are weak)

- Don't remember wifi networks (Jim: Might not be top ten worthy, but I agree. For myself I say "use whatever, but with a VPN"; Todd: This probably falls under Don't trust untrusted sources or lack of secure configurations.)

- Use an inactivity timeout to lock devices (Jim: I like, we might want a generic device top ten item that covers this and others; Todd: Could be. I'm thinking what the vulnerability would be, and I would assume this is a remediation (like the item below) dealing with physical security.)

- Do not leave mobile devices unattended in public places (Jim: Yes!)

- Encrypt mobile devices (Jim: Yes! But they are doing that by default these days; Todd: true, but I'm not sure, for instance, that my MacBook is, or that my SSD USB drive is...)

- Learn to recognize threats (Jim: Filed under don't click on stuff?; Yes! amongst others. Of course, just the fact they are reading and learning our Top Ten might be the remediation for this.)

- Do not mindlessly reply to popup windows (Jim: Agreed, see threat recognition?)

- Review credit reports and online accounts (Jim: Credit monitoring? Todd: Absolutely!)

- Use personal firewall (Jim: OS level enough? Todd: I think so.)

- A point to consider: How, if at all, does this play into the IoT?

New format

I changed the format around a little.

For each vulnerability, I phrased it as a vulnerability. I added some sections to the first one to get feedback on if that is the direction we would like to go. If so, I will continue to add to the items.