Transmit data using secure protocols
Summary
The transmission of sensitive information and the execution of sensitive functions must be performed through secure protocols.
Description
A system can send information through a non-encrypted channel using insecure protocols. The use of these protocols makes it easier to perform a man-in-the-middle attack (MitM) to intercept and modify the information. Examples of such insecure protocols are HTTP, FTP, POP3 and Telnet.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-12. Choosing message identifier
- CAPEC™-31. Accessing/Intercepting/Modifying HTTP cookies
- CAPEC™-94. Adversary in the middle (AiTM)
- CAPEC™-117. Interception
- CAPEC™-148. Content spoofing
- CAPEC™-216. Communication channel manipulation
- CAPEC™-594. Traffic injection
- CIS-3_10. Encrypt sensitive data in transit
- CIS-6_4. Require MFA for remote network access
- CIS-6_5. Require MFA for administrative access
- CWE™-200. Exposure of sensitive information to an unauthorized actor
- CWE™-311. Missing encryption of sensitive data
- CWE™-319. Cleartext transmission of sensitive information
- CWE™-523. Unprotected transport of credentials
- ePrivacy Directive-4_1a. Security of processing
- NERC CIP-005-5_R2_2. Interactive remote access management
- NERC CIP-011-2_R1_2. Information protection
- SOC2®-CC6_7. Logical and physical access controls
- CERT-J-IDS14-J. Do not trust the contents of hidden form fields
- CERT-J-MSC00-J. Use SSLSocket rather than Socket for secure data exchange
- NY SHIELD Act-5575_B_6. Personal and private information
- PA-DSS-2_5_2. Secure cryptographic key distribution
- PA-DSS-3_3_1. Use strong cryptography to render all payment application passwords unreadable during transmission
- PA-DSS-5_2_4. Insecure communications
- PA-DSS-6_1. The wireless technology must be implemented securely
- PA-DSS-6_2. For wireless technology, implement strong encryption for authentication and transmission
- PA-DSS-11_1. Use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
- SANS 25-18. Use of hard-coded credentials
- POPIA-9_72. Transfers of personal information outside Republic
- PDPO-S1_4. Security of personal data
- CMMC-AC_L2-3_1_13. Remote access confidentiality
- CMMC-MP_L2-3_8_5. Media accountability
- CMMC-SC_L2-3_13_8. Data in transit
- HITRUST CSF-01_y. Teleworking
- HITRUST CSF-06_d. Data protection and privacy of covered information
- HITRUST CSF-09_m. Network controls
- FedRAMP-CA-3. System interconnections
- FedRAMP-MP-5. Media transport
- FedRAMP-SC-8. Transmission confidentiality and integrity
- ISA/IEC 62443-CR-3_1-RE_1. Communication authentication
- WASSEC-1_1. Transport support
- OSSTMM3-9_2_2. Wireless security (logistics) - Communications
- WASC-A_30. Mail command injection
- WASC-W_04. Insufficient transport layer protection
- ISSAF-F_5_2. Network security - Router security assessment (limit telnet)
- ISSAF-G_15. Network security - Firewalls (compromise remote users/sites)
- ISSAF-H_14_17. Network security - Intrusion detection (detection engine)
- ISSAF-H_16_5. Network security - Intrusion detection (logging systems)
- ISSAF-L_4_5_6. Network security - WLAN security (exploitation and attacks)
- ISSAF-T_10_1. Web application assessment – Attack on secure HTTP
- ISSAF-Y_2. Database Security - Oracle security assessment
- PTES-3_6_1_3_2. External footprinting - Active footprinting (banner grabbing)
- PTES-6_7_4. Exploitation - Zero day angle (traffic analysis)
- PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
- OWASP SCP-9. Communication security
- BSAFSS-SM_3-2. Supply chain data is protected
- BSAFSS-VM_3-2. Vulnerability management
- NIST 800-115-3_5. Network sniffing
- NIST 800-115-4_4. Wireless scanning
- NIST 800-115-7_4_3. Data transmission
- SWIFT CSCF-2_1. Internal data flow security
- SWIFT CSCF-2_6. Operator session confidentiality and integrity
- OWASP ASVS-1_9_1. Communications architecture
- OWASP ASVS-9_2_2. Server communication security
- C2M2-9_5_c. Implement data security for cybersecurity architecture
- PCI DSS-3_4_2. Use secure remote-access technologies
- PCI DSS-4_2_1. Strong cryptography during transmission
- PCI DSS-9_4_3. Media is secured and tracked when transported
- SIG Lite-SL_78. Are applications used to transmit, process or store scoped data?
- SIG Lite-SL_160. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
- SIG Core-D_4_4_4. Asset and information management
- SIG Core-D_6_1. Asset and information management
- SIG Core-H_3_2. Access control
- SIG Core-U_1_8_1. Server security
- OWASP ASVS-6_2_1. Algorithms
- OWASP ASVS-6_2_7. Algorithms
- OWASP ASVS-9_1_2. Client communication security
- OWASP ASVS-13_2_6. RESTful web service
- OWASP API Security Top 10-API3. Broken Object Property Level Authorization
- OWASP API Security Top 10-API10. Unsafe Consumption of APIs
- CASA-1_9_1. Communications Architecture
- CASA-2_2_5. General Authenticator Security
- CASA-6_2_7. Algorithms
- CASA-9_1_2. Client Communication Security
- Resolution SB 2021 2126-Art_26_11_b. Information Security
- Resolution SB 2021 2126-Art_27_3. Security in Electronic Channels
- Resolution SB 2021 2126-Art_27_6. Security in Electronic Channels
- Resolution SB 2021 2126-Art_29_2. Security in Electronic Channels - Points of Sale (POS and PIN Pad)
- Resolution SB 2021 2126-Art_30_1. Security in Electronic Channels - Digital Banking
- OWASP MASVS-NETWORK-1. The app secures all network traffic according to the current best practices
- OWASP MASVS-PRIVACY-1. The app minimizes access to sensitive data and resources
- CWE TOP 25-798. Use of hard-coded credentials
- NIST CSF-PR_DS-02. The confidentiality, integrity, and availability of data-in-transit are protected
Vulnerabilities
- 016.Insecure encryption algorithm - SSL/TLS
- 017.Sensitive information sent insecurely
- 022.Use of an insecure channel
- 025.Call interception
- 030.Sensitive information sent via URL parameters
- 052.Insecure encryption algorithm
- 092.Insecure encryption algorithm - Anonymous cipher suites
- 094.Insecure encryption algorithm - Cipher Block Chaining
- 131.Insecure or unset HTTP headers - Strict Transport Security
- 133.Insecure encryption algorithm - Perfect Forward Secrecy
- 147.Insecure encryption algorithm - SSLContext
- 148.Use of an insecure channel - FTP
- 149.Use of an insecure channel - SMTP
- 150.Use of an insecure channel - useSslProtocol()
- 151.Use of an insecure channel - Telnet
- 276.Sensitive information sent via URL parameters - Session
- 281.Use of an insecure channel - Cloud Infrastructure
- 332.Use of insecure channel - Source code
- 372.Use of an insecure channel - HTTP
- 373.Use of an insecure channel - Oracle Database
- 411.Insecure encryption algorithm - Default encryption
- 427.Use of an insecure channel - Docker
- 442.SMTP header injection
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.