Insufficient Authentication Controls

<aside> 🔴 Critical - High

</aside>

• No multifactor
• Bypassable multifactor / not setup properly
• No multifactor on VPN
• If no access, ask if they use it or not, if not tell them to use it

Weak Password Policy

<aside> 🔴 Critical - High

</aside>

• Identify
  • Weak password used
  • Public password policy
  • Password appear in a breach
• Password via OSINT
• Document with public password
• If no access, ask for it
  • 8 - 16 char min
  • Maximum of 64 char at least
  • Ability to use special char with require it
  • Restrict logical sequence and repetitive characters
    • 12345678
    • aaaaaaaa
  • Restrict common password and data breach passwords
    • Cloud AD often offer tools to check passwords with breach data
    • Avoid street name, company name, etc…

Default Credentials

<aside> 🔴 Critical - High

</aside>

• Always check for default credentials

Insufficient Patching

<aside> 🟠 High - Moderate

</aside>

• Identify old software or versions
  • e.g. old php version
• Inform about the risk
  • Remote code execution - denial of services
  • More or less likely to happens - proof with checker tools
  • Give remediation / mitigation options

Insufficient Encryption

<aside> 🟡 Moderate - Low

</aside>

• http website - sensible to manInTheMiddle
• Weak https encryption list - https://github.com/drwetter/testssl.sh.git

Information Disclosure

<aside> 🔴 Critical → Low

</aside>

• Email not found
• Error with stack trace
• mDNS information disclosure
• Server response header
• Verbose error message - error 404 / 403

Username Enumeration

<aside> 🟡 Moderate - Low

</aside>

• Forgot password
• Invalid Username instead of invalid username or password
• Email instead of a username or email

Open Mail Relays

<aside> 🟡 Moderate

</aside>

How to Test for Open Mail Relays - Black Hills Information Security

• Fishing
• Scamming

IKE Aggressive Mode

<aside> 🟢 Low

</aside>

• Potential risk
• Catch VPN pre-shared key
• Low risk of happening
• Detect by Nessus and IKE-scan

Unexpected Perimeter Services

<aside> 🔴 Critical → Low

</aside>

• Open ports not good facing the outside
  • Telnet
  • SSH
  • SMB
  • RDP

Insufficient Traffic Blocking

<aside> 🔵 Critical → Low - Informational

</aside>

• Should reduce the attack surface
  • If not international, should not open to all countries (especially those known to host botnet)
• Multiple connection trials

Undetected Malicious Activity

<aside> 🟠 High → Low

</aside>

• List undetected attacks and scans

Historical Account Compromises

<aside> 🟠 High

</aside>

• Avoid register with work email
• Password reuse

Default WebPage

<aside> 🟡 Moderate -Low

</aside>

• Tell about technologies
• Tell that the owner hide something ?