Skip to main content

Change system default credentials

Requirement#

The organization must modify all default access credentials of embedded systems.

Description#

Organizations usually keep default configurations of third-party products, since these may adapt to most environments where they are installed and facilitate the deployment to production. However, this practice may leave a default open gate for products and, in most cases, credentials within provider documentation, which can be easily found on the Internet. For this reason it is important to check all configurations before deployment and remove all default credentials.

Implementation#

  1. Remove all default credentials.

  2. Implement a mechanism to ensure only users with administrator privileges can access product consoles.

  3. Create a robust credential policy to improve the security of all credentials in the organization.

  4. The passwords must be changed every so often in case they are compromised.

  5. Perform audits periodically to detect improper configurations or missing patches.

Attacks#

  1. Brute force attack.
  2. Information leakage: Technical.

Attributes#

  1. Layer: Business layer
  2. Asset: Access credentials
  3. Scope: Confidentiality
  4. Phase: Deployment
  5. Type of control: Recommendation

References#