From d4dc4859a94441fe3dc7bf221a7995beed18cb2e Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Wed, 19 Jan 2022 14:52:28 +0100 Subject: [PATCH] Add weak access control to vulnerable system as proposed in https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/pull/102 and discussed in the meeting 2021-05-26 --- working_copy/humanv1.md | 2 +- working_copy/machinev1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/working_copy/humanv1.md b/working_copy/humanv1.md index fc4b2f8..eb868b0 100644 --- a/working_copy/humanv1.md +++ b/working_copy/humanv1.md @@ -49,7 +49,7 @@ Generated from [machine readable version](machinev1). Please **DO NOT** edit thi | Vulnerable | DDoS Amplifier | Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g., DNS open-resolvers or NTP servers with monlist enabled. | | Vulnerable | Potentially Unwanted Accessible Services | Potentially unwanted publicly accessible services, e.g., Telnet, RDP or VNC. | | Vulnerable | Information disclosure | Publicly accessible services potentially disclosing sensitive information, e.g., SNMP or Redis. | -| Vulnerable | Vulnerable System | A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, or cross-site scripting vulnerabilities. | +| Vulnerable | Vulnerable System | A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, cross-site scripting vulnerabilities or weak access control (missing password complexity and length controls, missing or poor authentication factors, presence of default account names/passwords, no Segregation of Duties, etc.). | | Other | Uncategorised | All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised. | | Other | Undetermined | The categorisation of the incident is unknown/undetermined. | | Test | Test | Meant for testing. | diff --git a/working_copy/machinev1 b/working_copy/machinev1 index 9ceccf4..b72d8cb 100644 --- a/working_copy/machinev1 +++ b/working_copy/machinev1 @@ -218,7 +218,7 @@ "value": "information-disclosure" }, { - "description": "A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, or cross-site scripting vulnerabilities.", + "description": "A system which is vulnerable to certain attacks, e.g., misconfigured client proxy settings (such as WPAD), outdated operating system version, cross-site scripting vulnerabilities or weak access control (missing password complexity and length controls, missing or poor authentication factors, presence of default account names/passwords, no Segregation of Duties, etc.).", "expanded": "Vulnerable System", "value": "vulnerable-system" }