
Transmit data using secure protocols

Requirement

The transmission of sensitive information and the execution of sensitive functions must be performed through secure protocols.

Description

A system may send information over an unencrypted channel using insecure protocols. These protocols make it easier to perform a man-in-the-middle (MitM) attack that intercepts and modifies the information in transit. Examples of such insecure protocols are HTTP, FTP, POP3 and Telnet.

Implementation

  1. Deploy applications using HTTPS on the application server: With this protocol, the channel used to serve web applications is encrypted. This requires certificates issued by a trusted certificate authority (CA).

  2. Use secure services instead of standard services: When you need to transmit sensitive information using services such as FTP and POP3, enable the secure version of each protocol, or use a protocol that offers the same functions over an encrypted channel, such as SSH, FTPS, POP3S or TLS.

Attacks

  1. An attacker with access to unencrypted channels can perform a man-in-the-middle (MitM) attack over the vulnerable assets in order to intercept, obtain and/or modify the transmitted information.

Attributes

  • Layer: Resource layer
  • Asset: Information assets
  • Scope: Confidentiality
  • Phase: Operation
  • Type of control: Recommendation
