Change system default credentials
Summary
The organization must change every default access credential of the systems it deploys, including embedded systems, before they go into production.
Description
Organizations usually keep the default configuration of third-party products, since it fits most environments in which they are installed and speeds up deployment to production. However, that default configuration usually includes default credentials, which are listed in the vendor's documentation and are easily found on the Internet, so keeping them leaves an open door into the product for anyone who looks them up. For this reason, all configurations must be reviewed before deployment and every default credential, whether a default password or a default cryptographic key, must be changed or removed.
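The check described above can be automated as a deployment gate. The following is an added example, not code from the Fluid Attacks page or from any vendor: it scans a constructed service inventory against a small constructed list of vendor defaults (the product names and entries in KNOWN_DEFAULTS are illustrative, not a verified database), also accepting SHA-256 password hashes since many configuration stores keep only a hash, and generates a replacement secret from a CSPRNG.

```python
"""Pre-deployment check that no service ships with a vendor default credential.

Added example; not code from Fluid Attacks or from any vendor. The inventory
layout, the product names and the entries in KNOWN_DEFAULTS are constructed
for illustration and are not a verified database of defaults.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "well-known" defaults, keyed by a product identifier.
# In practice this list is built from the vendor documentation of every
# product in the inventory, which is where attackers read it too (CAPEC-70).
KNOWN_DEFAULTS = {
    "example-router": [("admin", "admin"), ("admin", "password")],
    "example-database": [("root", ""), ("sa", "sa")],
    "example-camera": [("admin", "12345")],
}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    username: str
    reason: str


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; cheap, and the check itself then leaks
    nothing about which candidate matched."""
    return hmac.compare_digest(a.encode(), b.encode())


def matches_default(product: str, username: str,
                    password: Optional[str] = None,
                    password_sha256: Optional[str] = None) -> bool:
    """True if (username, password) is a documented default for `product`.

    Accepts the plaintext password or its SHA-256 hex digest. The unsalted
    SHA-256 store is an assumption for illustration; for salted or bcrypt
    stores, hash each candidate default with the stored parameters instead.
    """
    for def_user, def_pass in KNOWN_DEFAULTS.get(product, []):
        if not _eq(def_user, username):
            continue
        if password is not None and _eq(def_pass, password):
            return True
        if password_sha256 is not None and _eq(
                hashlib.sha256(def_pass.encode()).hexdigest(), password_sha256):
            return True
    return False


def check_inventory(inventory: list) -> list:
    """Scan every credential in the inventory and return the violations."""
    findings = []
    for entry in inventory:
        host, product, user = entry["host"], entry["product"], entry["username"]
        pw = entry.get("password")
        pw_hash = entry.get("password_sha256")
        if matches_default(product, user, pw, pw_hash):
            findings.append(Finding(host, product, user, "vendor default credential"))
        elif pw is not None and pw == "":
            findings.append(Finding(host, product, user, "empty password"))
        elif pw is not None and pw == user:
            findings.append(Finding(host, product, user, "password equals username"))
    return findings


def new_credential(length: int = 24) -> str:
    """Replacement secret from a CSPRNG: the 'change the default' step."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed inventory: one host still on its factory credential, one whose
# stored hash is the hash of a default, and one that was rotated properly.
SAMPLE_INVENTORY = [
    {"host": "edge-router-01", "product": "example-router",
     "username": "admin", "password": "admin"},
    {"host": "db-01", "product": "example-database",
     "username": "sa", "password_sha256": hashlib.sha256(b"sa").hexdigest()},
    {"host": "cam-07", "product": "example-camera",
     "username": "admin", "password": new_credential()},
]


def deployment_gate(inventory: list) -> bool:
    """Return True only when the inventory is clean; wire this into CI/CD."""
    findings = check_inventory(inventory)
    for f in findings:
        print(f"BLOCK {f.host} ({f.product}) user={f.username}: {f.reason}")
    return not findings


if __name__ == "__main__":
    raise SystemExit(0 if deployment_gate(SAMPLE_INVENTORY) else 1)
```

Run it as a pipeline step that fails the deployment when `deployment_gate` returns False. The hash path matters in practice: the gate can run against an exported configuration that never contains plaintext, and it still catches a host whose stored hash is simply the hash of the factory password.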
References
- CAPEC-70. Try common usernames and passwords
- CAPEC-560. Use of known domain credentials
- CIS-4_7. Manage default accounts on enterprise assets and software
- CWE-1392. Use of Default Credentials
- CWE-1393. Use of Default Password
- CWE-1394. Use of Default Cryptographic Key
- NERCCIP-007-6_R5_4. System access control
- BIZEC-APP-07. Cross-client database access
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE-M1043. Credential access protection
- PADSS-3_1_2. Enforce the changing of all default application passwords for all accounts
- PADSS-6_1. The wireless technology must be implemented securely
- PADSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- HITRUST-05_k. Addressing security in third party agreements
- HITRUST-09_f. Monitoring and review of third-party services
- OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
- OSSTMM3-11_9_2. Data networks security - Common configuration errors
- WASC-W_15. Application misconfiguration
- NISTSSDF-PW_9_1. Configure software to have secure settings by default
- ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- OWASPSCP-11. Database security
- BSAFSS-CF_1-4. Secure software installation and operation
- CWE25-276. Incorrect Default Permissions
- PCI-2_2_2. System components are configured and managed securely
- SIG-N_1_13. Network security
- SIG-U_1_2_5. Server security
- ASVS-2_5_4. Credential recovery
- ASVS-2_10_2. Service authentication
- CASA-2_10_2. Service Authentication
- SANS25-25. Incorrect Default Permissions
- NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan