Change system default credentials
Summary
The organization must change all default access credentials of embedded and third-party systems before they are deployed.
Description
Organizations usually keep the default configuration of third-party products, since it adapts to most environments where the product is installed and makes deployment to production easier. However, this practice may leave an open door: products ship with default credentials that, in most cases, appear in the vendor's documentation and can be easily found on the Internet, so anyone who can reach the product can log in with them. For this reason it is important to review every configuration before deployment and to remove or replace all default credentials, including default passwords, default accounts that are not needed and default cryptographic keys.
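The pre-deployment check the description calls for can be automated. The following Python script is an added illustration and is not Fluid Attacks' tooling or code from the original page: it parses a service configuration, flags accounts whose password (in plaintext or as an unsalted SHA-256 digest) matches a list of well-known default pairs, and replaces each flagged password with a random secret. The configuration text, the list of default pairs, the `password` / `password_sha256` key names and the hash format are all constructed for the demo.

```python
"""Audit a configuration for default credentials and rotate the ones found.

Added example; not a Fluid Attacks tool. Everything below (config layout,
key names, default-credential list) is constructed for illustration.
"""
import configparser
import hashlib
import io
import secrets
import string

# Constructed sample in the style of vendor default (username, password) pairs.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "toor"),
    ("guest", "guest"),
    ("postgres", "postgres"),
}

# Constructed sample config "as shipped": two sections still carry defaults,
# one of them only as an (unsalted) SHA-256 digest; the third was provisioned
# with a random secret.
SAMPLE_CONFIG = f"""
# web console
[console]
user = admin
password = admin

# database
[db]
user = postgres
password_sha256 = {hashlib.sha256(b"postgres").hexdigest()}

# internal API client
[api]
user = svc_api
password = {secrets.token_urlsafe(18)}
"""


def is_known_default(user, password, defaults=KNOWN_DEFAULTS):
    """True if the (user, password) pair is on the default-credential list."""
    return (user, password) in defaults


def audit_config(config_text, defaults=KNOWN_DEFAULTS):
    """Return (section, user, reason) for every account using a default password.

    Hashed passwords are covered by hashing each candidate default password
    with the same (constructed) scheme and comparing digests.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    findings = []
    for section in cp.sections():
        user = cp.get(section, "user", fallback=None)
        if user is None:
            continue
        plain = cp.get(section, "password", fallback=None)
        digest = cp.get(section, "password_sha256", fallback=None)
        for d_user, d_pass in defaults:
            if d_user != user:
                continue
            if plain is not None and plain == d_pass:
                findings.append((section, user, "plaintext default password"))
            elif digest is not None and \
                    hashlib.sha256(d_pass.encode()).hexdigest() == digest.lower():
                findings.append((section, user, "hash matches a known default password"))
    return findings


def generate_replacement(length=24):
    """Random replacement secret from a CSPRNG (secrets), not random.random."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden_config(config_text, defaults=KNOWN_DEFAULTS):
    """Rewrite flagged sections with a fresh secret; return (new_text, rotated).

    In a real deployment the product's own credential-change mechanism would be
    used and the new secret injected from a secrets manager; the rewrite here
    only serves to show that the audit passes afterwards.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    rotated = []
    for section, user, _reason in audit_config(config_text, defaults):
        new_secret = generate_replacement()
        cp.remove_option(section, "password_sha256")
        cp.set(section, "password", new_secret)
        rotated.append((section, user, new_secret))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), rotated


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    hardened, rotated = harden_config(SAMPLE_CONFIG)
    print("rotated:", [(s, u) for s, u, _ in rotated])
    print("findings after hardening:", audit_config(hardened))
```

Running the script reports the `console` and `db` sections and nothing for `api`; after `harden_config` the audit returns no findings. The hash branch matters in practice because many products store only a digest, and a default password is just as guessable whether it is stored in the clear or hashed.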
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-70. Try common usernames and passwords
- CAPEC™-560. Use of known domain credentials
- CIS-4_7. Manage default accounts on enterprise assets and software
- CWE™-1392. Use of Default Credentials
- CWE™-1393. Use of Default Password
- CWE™-1394. Use of Default Cryptographic Key
- NERC CIP-007-6_R5_4. System access control
- BIZEC-APP-APP-07. Cross-client database access
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE ATT&CK®-M1043. Credential access protection
- PA-DSS-3_1_2. Enforce the changing of all default application passwords for all accounts
- PA-DSS-6_1. The wireless technology must be implemented securely
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_f. Monitoring and review of third-party services
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- OSSTMM3-11_9_2. Data networks security - Common configuration errors
- WASC-W_15. Application misconfiguration
- NIST SSDF-PW_9_1. Configure software to have secure settings by default
- ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- OWASP SCP-11. Database security
- BSAFSS-CF_1-4. Secure software installation and operation
- CWE TOP 25-276. Incorrect Default Permissions
- PCI DSS-2_2_2. System components are configured and managed securely
- SIG Core-N_1_13. Network security
- SIG Core-U_1_2_5. Server security
- OWASP ASVS-2_5_4. Credential recovery
- OWASP ASVS-2_10_2. Service authentication
- CASA-2_10_2. Service Authentication
- SANS 25-25. Incorrect Default Permissions
- NIST CSF-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization