Top 5 most common cyber non-conformities
Through our testing and certification projects we learn a lot: which aspects contribute to a fast project turnaround, but also which non-conformities are relatively common. Below is an overview of the most common ones. Make sure they don’t happen to you!
1. Default passwords/easy generation mechanism

Default passwords shared across many devices are very common. However, many standards and regulations now prohibit them, because they are often left unchanged. Alternatives include mechanisms that force the user to set a strong password before first use, or the generation of secure passwords that are unique per device.
2. Insufficient encryption

With many hackers trying to eavesdrop on connections, it’s not surprising that encryption is one of the key focuses of testing. Encryption is not always easy to implement, but it’s vital that the risks of unencrypted communication are properly evaluated, and most of the time the outcome is that connections must be encrypted.
3. No support period

When customers buy a product they expect it to be supported with feature updates, but also with security updates. To give customers the assurance that their product will be kept secure up to a certain date, without committing the manufacturer to publishing updates indefinitely, it is critical to define a support period. This date is a minimum; of course, you can always choose to support your products beyond it.
4. (In)secure updates

Updating a system is usually not an easy feat, especially now that more and more firmware updates are delivered over the air. For an update mechanism to be safe, the device has to verify the authenticity and integrity of the update before installing it. There are many ways to achieve this, such as a secure bootloader, checksums and signing mechanisms, but it is an often overlooked requirement.
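As an added example (not code from the original article), a minimal signed-update check in Go using only the standard library's Ed25519: the vendor signs the version number together with the SHA-256 of the image, and the device verifies that signature against its baked-in vendor public key before anything is written. The package layout, the function names and the version (anti-rollback) check are assumptions of this example and go slightly beyond what the text describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package layout (assumption of this
// example): a version number, the image bytes and a vendor signature over
// (version || SHA-256(image)).
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// signedMessage is the byte string the vendor signs and the device rebuilds.
func signedMessage(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, h[:]...)
}

// Sign runs at the vendor; the private key never leaves the build system.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedMessage(version, image))
	return Update{Version: version, Image: image, Sig: sig}
}

// Verify runs on the device before installing. pub is the vendor public key
// baked into the firmware; current is the installed version. The downgrade
// check is an addition beyond the article's text.
func Verify(pub ed25519.PublicKey, current uint32, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Image), u.Sig) {
		return errors.New("signature invalid: image altered or not from vendor")
	}
	if u.Version <= current {
		return errors.New("refusing downgrade to an older, possibly vulnerable image")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := Sign(priv, 2, []byte("constructed firmware image v2")) // constructed sample
	fmt.Println("genuine: ", Verify(pub, 1, u))
	u.Image[0] ^= 0x01 // a single bit flipped in transit
	fmt.Println("tampered:", Verify(pub, 1, u))
}
```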
5. Active debug ports

Engineers require debug ports, but these also provide an easy entry point for hackers to take control of a system and to develop attacks that can be automated against other devices. Many debug ports allow an attacker to gather information about the device's firmware or to uncover secrets such as personal data or cryptographic keys. Disabling debug ports is always the best option, but it is not always feasible. In such cases, mitigating measures like obfuscation can help improve your security.