The organization must modify all default access credentials of embedded systems.
Organizations usually keep the default configurations of third-party products, since these are designed to work in most environments where the product is installed and they simplify deployment to production. However, this practice can leave an open gate in the product: in most cases the default credentials are published in the vendor's documentation, which is easily found on the Internet. For this reason, all configurations must be reviewed before deployment and every default credential removed.
- Remove all default credentials.
- Implement a mechanism to ensure that only users with administrator privileges can access product consoles.
- Create a robust credential policy to improve the security of all credentials in the organization.
- Change passwords periodically, so that a compromised password has a limited lifetime.
- Perform audits periodically to detect improper configurations or missing patches.
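The following pre-deployment audit is an added example, not code from the original requirement page; it shows how the requirements above (no default credentials or default accounts, console access limited to administrators, a minimum password policy, and periodic rotation) can be checked mechanically before an embedded system goes to production. The INI-style configuration format, the account sections, the list of vendor defaults and the 90-day rotation period are all assumptions constructed for the example; a real check would load the product's own documented defaults and the organization's own policy values.

```python
"""Pre-deployment audit of an embedded system's account configuration.

Added example: it assumes a simple INI-style configuration with one
[account:<name>] section per account. The format, the sample
configuration and the default-credential list are constructed for
illustration only.
"""
import configparser
from datetime import date, timedelta

# Constructed sample of vendor-documented defaults to reject. A real
# deployment would load the product's own documented defaults here.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("root", "root"),
    ("sa", ""),
}
# Shared/default account names that should not exist after hardening.
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "sa", "guest"}
# Assumed credential-policy values.
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_PASSWORD_LENGTH = 12

# Constructed configuration of a device as shipped, before hardening.
SAMPLE_CONFIG = """
[account:admin]
password = admin
role = administrator
console_access = yes
last_changed = 2023-01-15

[account:operator]
password = Winter2024!Secure
role = operator
console_access = yes
last_changed = 2024-05-01

[account:svc_backup]
password = B4ckup-Rotation-Key-77
role = service
console_access = no
last_changed = 2024-04-20
"""


def audit_accounts(config_text, today):
    """Return a list of (account, finding) tuples; an empty list means compliant."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("account:"):
            continue
        name = section.split(":", 1)[1]
        password = parser.get(section, "password", fallback="")
        role = parser.get(section, "role", fallback="")
        console = parser.getboolean(section, "console_access", fallback=False)
        last_changed = date.fromisoformat(parser.get(section, "last_changed"))

        # Requirement: remove default credentials and shared/default accounts.
        if (name, password) in KNOWN_DEFAULTS:
            findings.append((name, "default vendor credential still in place"))
        elif name in DEFAULT_ACCOUNT_NAMES:
            findings.append((name, "default account name present; rename or remove"))
        # Requirement: robust credential policy (minimum length shown here).
        if len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "password shorter than policy minimum"))
        # Requirement: only administrators may reach product consoles.
        if console and role != "administrator":
            findings.append((name, "console access granted to non-administrator role"))
        # Requirement: periodic rotation.
        if today - last_changed > MAX_PASSWORD_AGE:
            findings.append((name, "password older than rotation period"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample as of an assumed audit date.
    for account, finding in audit_accounts(SAMPLE_CONFIG, date(2024, 6, 1)):
        print(f"{account}: {finding}")
```

Run as a gate in the deployment pipeline, the audit fails the release whenever `audit_accounts` returns any finding; on the constructed sample it reports the untouched `admin` default (credential, length and age) and the operator account that can reach the console, while the rotated service account passes.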
- Brute force attack.
- Information leakage: Technical.
- Layer: Business layer
- Asset: Access credentials
- Scope: Confidentiality
- Phase: Deployment
- Type of control: Recommendation
CAPEC-70: Try Common Usernames and Passwords: An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions.
CAPEC-560: Use of Known Domain Credentials: An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CIS Controls. 4.2 Change Default Passwords: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
NERC CIP-007-6. B. Requirements and measures. R5.4: Change known default passwords, per Cyber Asset capability.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.4): Verify shared or default accounts are not present (e.g., "root", "admin", or "sa").
OWASP-ASVS v4.0.1 V2.10 Service Authentication Requirements.(2.10.2): Verify that if passwords are required, the credentials are not a default account.
OWASP-ASVS v4.0.1 V14.2 Dependency.(14.2.2): Verify that all unneeded features, documentation, samples, configurations are removed, such as sample applications, platform documentation, and default or example users.
PCI DSS v3.2.1 - Requirement 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.