142 – Change system default credentials

Summary

The organization must modify all default access credentials of embedded systems.

Description

Organizations usually keep default configurations of third-party products, since these may adapt to most environments where they are installed and facilitate the deployment to production. However, this practice may leave a default open gate for products and, in most cases, credentials within provider documentation, which can be easily found on the Internet. For this reason it is important to check all configurations before deployment and remove all default credentials.

Supported In

Essential: True

Advanced: True

References

• CAPEC-70. Try common usernames and passwords
• CAPEC-560. Use of known domain credentials
• CIS-4_7. Manage default accounts on enterprise assets and software
• CWE-1392. Use of Default Credentials
• CWE-1393. Use of Default Password
• CWE-1394. Use of Default Cryptographic Key
• NERCCIP-007-6_R5_4. System access control
• BIZEC-APP-07. Cross-client database access
• NYDFS-500_10. Cybersecurity personnel and intelligence
• MITRE-M1043. Credential access protection
• PADSS-3_1_2. Enforce the changing of all default application passwords for all accounts
• PADSS-6_1. The wireless technology must be implemented securely
• PADSS-10_2_3. Remote access to customer's payment applications must be implemented securely
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_f. Monitoring and review of third-party services
• OSSTMM3-10_5_3. Telecommunications security (access verification) - Authentication
• OSSTMM3-11_9_2. Data networks security - Common configuration errors
• WASC-W_15. Application misconfiguration
• NISTSSDF-PW_9_1. Configure software to have secure settings by default
• ISSAF-G_9_8. Network security - Firewalls (identify firewall architecture)
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• PTES-5_5_3. Vulnerability analysis - Common/default passwords
• OWASPSCP-11. Database security
• BSAFSS-CF_1-4. Secure software installation and operation
• CWE25-276. Incorrect Default Permissions
• PCI-2_2_2. System components are configured and managed securely
• SIG-N_1_13. Network security
• SIG-U_1_2_5. Server security
• ASVS-2_5_4. Credential recovery
• ASVS-2_10_2. Service authentication
• CASA-2_10_2. Service Authentication
• SANS25-25. Incorrect Default Permissions
• NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization

Weaknesses

• 041 – Enabled default credentials
• 056 – Anonymous connection

Last updated

2024/03/05