181 – Transmit data using secure protocols

Summary

The transmission of sensitive information and the execution of sensitive functions must be performed through secure protocols.

Description

A system can send information through a non-encrypted channel using insecure protocols. The use of these protocols makes it easier to perform a man-in-the-middle attack (MitM) to intercept and modify the information. Examples of such insecure protocols are HTTP, FTP, POP3 and Telnet.

Supported In

Essential: True

Advanced: True

References

• CAPEC-12. Choosing message identifier
• CAPEC-31. Accessing/Intercepting/Modifying HTTP cookies
• CAPEC-94. Adversary in the middle (AiTM)
• CAPEC-117. Interception
• CAPEC-148. Content spoofing
• CAPEC-216. Communication channel manipulation
• CAPEC-594. Traffic injection
• CIS-3_10. Encrypt sensitive data in transit
• CIS-6_4. Require MFA for remote network access
• CIS-6_5. Require MFA for administrative access
• CWE-200. Exposure of sensitive information to an unauthorized actor
• CWE-311. Missing encryption of sensitive data
• CWE-319. Cleartext transmission of sensitive information
• CWE-523. Unprotected transport of credentials
• EPRIVACY-4_1a. Security of processing
• NERCCIP-005-5_R2_2. Interactive remote access management
• NERCCIP-011-2_R1_2. Information protection
• SOC2-CC6_7. Logical and physical access controls
• CERTJ-IDS14-J. Do not trust the contents of hidden form fields
• CERTJ-MSC00-J. Use SSLSocket rather than Socket for secure data exchange
• NYSHIELD-5575_B_6. Personal and private information
• PADSS-2_5_2. Secure cryptographic key distribution
• PADSS-3_3_1. Use strong cryptography to render all payment application passwords unreadable during transmission
• PADSS-5_2_4. Insecure communications
• PADSS-6_1. The wireless technology must be implemented securely
• PADSS-6_2. For wireless technology, implement strong encryption for authentication and transmission
• PADSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
• SANS25-18. Use of hard-coded credentials
• POPIA-9_72. Transfers of personal information outside Republic
• PDPO-S1_4. Security of personal data
• CMMC-AC_L2-3_1_13. Remote access confidentiality
• CMMC-MP_L2-3_8_5. Media accountability
• CMMC-SC_L2-3_13_8. Data in transit
• HITRUST-01_y. Teleworking
• HITRUST-06_d. Data protection and privacy of covered information
• HITRUST-09_m. Network controls
• FEDRAMP-CA-3. System interconnections
• FEDRAMP-MP-5. Media transport
• FEDRAMP-SC-8. Transmission confidentiality and integrity
• IEC62443-CR-3_1-RE_1. Communication authentication
• WASSEC-1_1. Transport support
• OSSTMM3-9_2_2. Wireless security (logistics) - Communications
• WASC-A_30. Mail command injection
• WASC-W_04. Insufficient transport layer protection
• ISSAF-F_5_2. Network security - Router security assessment (limit telnet)
• ISSAF-G_15. Network security - Firewalls (compromise remote users/sites)
• ISSAF-H_14_17. Network security - Intrusion detection (detection engine)
• ISSAF-H_16_5. Network security - Intrusion detection (logging systems)
• ISSAF-L_4_5_6. Network security - WLAN security (exploitation and attacks)
• ISSAF-T_10_1. Web application assessment – Attack on secure HTTP
• ISSAF-Y_2. Database Security - Oracle security assessment
• PTES-3_6_1_3_2. External footprinting - Active footprinting (banner grabbing)
• PTES-6_7_4. Exploitation - Zero day angle (traffic analysis)
• PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
• OWASPSCP-9. Communication security
• BSAFSS-SM_3-2. Supply chain data is protected
• BSAFSS-VM_3-2. Vulnerability management
• NIST800115-3_5. Network sniffing
• NIST800115-4_4. Wireless scanning
• NIST800115-7_4_3. Data transmission
• SWIFTCSC-2_1. Internal data flow security
• SWIFTCSC-2_6. Operator session confidentiality and integrity
• ASVS-1_9_1. Communications architecture
• ASVS-9_2_2. Server communication security
• C2M2-9_5_c. Implement data security for cybersecurity architecture
• PCI-3_4_2. Use secure remote-access technologies
• PCI-4_2_1. Strong cryptography during transmission
• PCI-9_4_3. Media is secured and tracked when transported
• SIGLITE-SL_78. Are applications used to transmit, process or store scoped data?
• SIGLITE-SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• SIG-D_4_4_4. Asset and information management
• SIG-D_6_1. Asset and information management
• SIG-H_3_2. Access control
• SIG-U_1_8_1. Server security
• ASVS-6_2_1. Algorithms
• ASVS-6_2_7. Algorithms
• ASVS-9_1_2. Client communication security
• ASVS-13_2_6. RESTful web service
• OWASPAPI-API3. Broken Object Property Level Authorization
• OWASPAPI-API10. Unsafe Consumption of APIs
• CASA-1_9_1. Communications Architecture
• CASA-2_2_5. General Authenticator Security
• CASA-6_2_7. Algorithms
• CASA-9_1_2. Client Communication Security
• RESOLSB-Art_26_11_b. Information Security
• RESOLSB-Art_27_3. Security in Electronic Channels
• RESOLSB-Art_27_6. Security in Electronic Channels
• RESOLSB-Art_29_2. Security in Electronic Channels - Points of Sale (POS and PIN Pad)
• RESOLSB-Art_30_1. Security in Electronic Channels - Digital Banking
• OWASPMASVS-NETWORK-1. The app secures all network traffic according to the current best practices
• OWASPMASVS-PRIVACY-1. The app minimizes access to sensitive data and resources
• CWE25-798. Use of hard-coded credentials
• NIST-PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected

Weaknesses

• 131 – Insecure or unset HTTP headers - Strict Transport Security
• 133 – Insecure encryption algorithm - Perfect Forward Secrecy
• 147 – Insecure encryption algorithm - SSLContext
• 148 – Use of an insecure channel - FTP
• 149 – Use of an insecure channel - SMTP
• 150 – Use of an insecure channel - useSslProtocol()
• 151 – Use of an insecure channel - Telnet
• 276 – Sensitive information sent via URL parameters - Session
• 281 – Use of an insecure channel - Cloud Infrastructure
• 332 – Use of insecure channel - Source code
• 372 – Use of an insecure channel - HTTP
• 373 – Use of an insecure channel - Oracle Database
• 411 – Insecure encryption algorithm - Default encryption
• 427 – Use of an insecure channel - Docker
• 442 – SMTP header injection
• 016 – Insecure encryption algorithm - SSL/TLS
• 017 – Sensitive information sent insecurely
• 022 – Use of an insecure channel
• 025 – Call interception
• 030 – Sensitive information sent via URL parameters
• 052 – Insecure encryption algorithm
• 092 – Insecure encryption algorithm - Anonymous cipher suites
• 094 – Insecure encryption algorithm - Cipher Block Chaining

Last updated

2024/03/05