062 – Define standard configurations

Summary

The organization must define standard configurations that correct all known vulnerabilities. These configurations must also be consistent with industry standards.

Description

System configuration is essential when it comes to security issues. The system must follow the industry's standard configurations that prevent all known vulnerabilities. These settings also contribute to ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services.

Supported In

Essential: True

Advanced: True

References

• BSIMM-SR3_3:_19. Use secure coding standards
• CAPEC-125. Flooding
• CAPEC-130. Excessive allocation
• CAPEC-151. Identity spoofing
• CAPEC-161. Infrastructure manipulation
• CAPEC-697. DHCP Spoofing
• CIS-4_1. Establish and maintain a secure configuration process
• CIS-4_2. Establish and maintain a secure configuration process for network infrastructure
• CIS-13_10. Perform application layer filtering
• GDPR-32_1b. Security of processing
• OWASP10-A4. Insecure design
• OWASP10-A5. Security misconfiguration
• SOC2-CC5_1. Control activities
• SOC2-CC5_2. Control activities
• AGILE-11. Best architectures, requirements, and designs
• NYSHIELD-5575_B_6. Personal and private information
• NYDFS-500_2. Cybersecurity program
• MITRE-M1015. Active directory configuration
• MITRE-M1016. Vulnerability scanning
• MITRE-M1024. Restrict registry permissions
• MITRE-M1028. Operating system configuration
• MITRE-M1042. Disable or remove feature or program
• MITRE-M1046. Boot integrity
• MITRE-M1057. Data loss prevention
• PDPA-9B_48E. Improper use of personal data
• POPIA-3A_16. Quality of information
• POPIA-3A_19. Security measures on integrity and confidentiality of personal information
• PDPO-S1_4. Security of personal data
• CMMC-AT_L2-3_2_1. Role-based risk awareness
• CMMC-CM_L2-3_4_2. Security configuration enforcement
• CMMC-RA_L2-3_11_2. Vulnerability scan
• CMMC-SC_L2-3_13_16. Data at rest
• HITRUST-10_d. Message integrity
• FEDRAMP-RA-5. Vulnerability scanning
• FEDRAMP-SA-10. Developer configuration management
• FEDRAMP-SC-28. Protection of information at rest
• ISO27002-8_9. Configuration management
• ISO27002-8_27. Secure system architecture and engineering principles
• IEC62443-RA-7_6. Network and security configuration settings
• WASSEC-6_2_3_1. Client-side attacks - Content spoofing
• WASSEC-6_2_3_6. Client-side attacks - Flash-related attack
• OSSTMM3-9_9_2. Wireless security (configuration verification) - Configuration controls
• OSSTMM3-11_7_2. Data networks security (controls verification) - Confidentiality
• OSSTMM3-11_7_3. Data networks security (controls verification) - Privacy
• OSSTMM3-11_7_4. Data networks security (controls verification) - Integrity
• OSSTMM3-11_9_1. Data networks security - Configuration controls
• WASC-A_26. HTTP request smuggling
• WASC-W_15. Application misconfiguration
• WASC-W_14. Server misconfiguration
• NISTSSDF-PW_1_3. Design software to meet security requirements and mitigate security risks
• NISTSSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
• NISTSSDF-PW_6_2. Configure the compilation, interpreter, and build processes to improve executable security
• NISTSSDF-PW_9_1. Configure software to have secure settings by default
• NISTSSDF-RV_2_2. Assess, prioritize, and remediate vulnerabilities
• ISSAF-E_1. Network security - Switch security assessment
• ISSAF-F_2. Network security - Router security assessment (common issues assessment)
• ISSAF-F_5. Network security - Router security assessment (global countermeasures)
• PTES-7_3_1_6. Post exploitation - Network infrastructure analysis (ARP entries)
• PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
• MVSP-2_3. Application design controls - Security Headers
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-13. Memory management
• BSAFSS-TC_1-2. Developed software using security tools
• BSAFSS-TC_1-6. Developed software using security tools
• NIST800171-4_2. Establish and enforce security configuration settings for information technology products
• NIST800115-3_4. System configuration review
• SWIFTCSC-1_3. Virtualization or cloud platform protection
• OSAMM-SA. Security Architecture
• ASVS-13_1_5. Generic web service security
• ASVS-14_4_1. HTTP security headers
• ASVS-14_4_4. HTTP security headers
• ASVS-14_4_6. HTTP security headers
• C2M2-2_1_d. Reduce cybersecurity vulnerabilities
• C2M2-9_3_b. Implement IT and OT asset security for cybersecurity architecture
• C2M2-9_3_e. Implement IT and OT asset security for cybersecurity architecture
• C2M2-9_4_c. Implement software security for cybersecurity architecture
• C2M2-9_5_b. Implement data security for cybersecurity architecture
• PCI-2_2_6. Configure secure system parameters to prevent misuse
• SIG-I_1_3_2. Application security
• SIG-I_3_2_1. Application security
• SIG-U_1_2. Server security
• CWE-15. External control of system or configuration setting
• CWE-350. Reliance on reverse DNS resolution for a security-critical action
• CWE-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")
• ASVS-12_3_4. File execution
• ASVS-13_2_5. RESTful web service
• ASVS-14_1_1. Build and deploy
• ASVS-14_1_4. Build and deploy
• ASVS-14_4_3. HTTP security headers
• ASVS-14_4_5. HTTP security headers
• ASVS-14_4_7. HTTP security headers
• ASVS-14_5_1. HTTP request header validation
• OWASPAPI-API3. Broken Object Property Level Authorization
• OWASPAPI-API6. Unrestricted Access to Sensitive Business Flows
• OWASPAPI-API8. Security Misconfiguration
• ISO27001-8_9. Configuration management
• ISO27001-8_27. Secure system architecture and engineering principles
• CASA-14_1_1. Build and Deploy
• CASA-14_1_4. Build and Deploy
• NIST-PR_DS-10. The confidentiality, integrity, and availability of data-in-use are protected
• NIST-PR_PS-06. Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

Weaknesses

• 110 – HTTP request smuggling
• 111 – Out-of-bounds read
• 115 – Security controls bypass or absence
• 116 – XS-Leaks
• 131 – Insecure or unset HTTP headers - Strict Transport Security
• 132 – Insecure or unset HTTP headers - X-Content-Type-Options
• 134 – Insecure or unset HTTP headers - CORS
• 135 – Insecure or unset HTTP headers - X-XSS Protection
• 136 – Insecure or unset HTTP headers - Cache Control
• 137 – Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies
• 152 – Insecure or unset HTTP headers - X-Frame Options
• 153 – Insecure or unset HTTP headers - Accept
• 182 – Email spoofing
• 206 – Security controls bypass or absence - Anti hooking
• 207 – Security controls bypass or absence - SSLPinning
• 208 – Security controls bypass or absence - Antivirus
• 209 – Security controls bypass or absence - Emulator
• 210 – Security controls bypass or absence - Facial Recognition
• 212 – Security controls bypass or absence - Cloudflare
• 305 – Security controls bypass or absence - Data creation
• 329 – Insecure or unset HTTP headers - Content-Type
• 345 – Security controls bypass or absence - Session Invalidation
• 374 – Security controls bypass or absence - Debug Protection
• 375 – Security controls bypass or absence - Tampering Protection
• 376 – Security controls bypass or absence - Reversing Protection
• 392 – Security controls bypass or absence - Firewall
• 436 – Security controls bypass or absence - Fingerprint
• 440 – Insecure or unset HTTP headers - Permissions-Policy
• 043 – Insecure or unset HTTP headers - Content-Security-Policy
• 071 – Insecure or unset HTTP headers - Referrer-Policy
• 077 – ARP spoofing
• 084 – MDNS spoofing

Last updated

2024/03/05