Networks
Verify sub-domain names
Summary The system should regularly check DNS names and sub-domain names in use by the application for expiration or change. This helps protect applications from the effects of sub-domain takeover attacks. Description The primary purpose behind this ...
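One way to implement the periodic check described above, as an added example that is not part of this page's own requirement text or tooling: follow each sub-domain's CNAME chain and flag names whose chain ends at a non-existent record (the classic precondition for a sub-domain takeover), and compare current CNAME targets against a previously recorded baseline to catch silent changes. The resolver is injected so the code runs offline against a constructed zone table; all names below (`example.test`, `saas-provider.test`, `hosting-provider.test`) and the `SAMPLE_ZONE` data are constructed for the demo, and wrapping a real resolver such as dnspython's `dns.resolver.resolve` is an assumption about your environment.

```python
"""Dangling-record and change check for sub-domains (added example).

`lookup(name)` is an injected resolver returning one of:
  - a list of address strings -> the name has A/AAAA records
  - a string                  -> the name is a CNAME to that target
  - None                      -> the name does not exist (NXDOMAIN)
SAMPLE_ZONE is constructed for the demo; in production wrap a real resolver
(for example dnspython's dns.resolver.resolve, an assumption about your
environment) in a function with the same contract.
"""
from typing import Callable, Dict, List, Optional, Tuple, Union

Record = Union[List[str], str, None]
Lookup = Callable[[str], Record]

# Constructed sample zone data. example.test is "our" zone; the other names
# belong to third-party providers that our CNAMEs point at.
SAMPLE_ZONE: Dict[str, Record] = {
    "www.example.test": ["203.0.113.10"],
    "shop.example.test": "shop-prod.saas-provider.test",
    "shop-prod.saas-provider.test": ["198.51.100.5"],
    # Tenant at the provider was deleted, but our CNAME was never cleaned up:
    "old-blog.example.test": "retired-tenant.hosting-provider.test",
    "retired-tenant.hosting-provider.test": None,
    # Internal alias chain whose end point no longer exists:
    "legacy.example.test": "gone.example.test",
    "gone.example.test": None,
}


def sample_lookup(name: str) -> Record:
    """Offline stand-in for a DNS query, backed by SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name)


def resolve_chain(name: str, lookup: Lookup, max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow CNAMEs starting at `name`.

    Returns (chain, status) where status is:
      'ok'       the final name has address records
      'dangling' some name in the chain does not exist (takeover candidate
                 or expired registration)
      'loop'     a CNAME cycle, or more than max_hops hops
    """
    chain = [name]
    current = name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            return chain, "dangling"
        if isinstance(rec, list):
            return chain, "ok"
        if rec in chain:
            return chain + [rec], "loop"
        chain.append(rec)
        current = rec
    return chain, "loop"


def audit_subdomains(names: List[str], lookup: Lookup) -> Dict[str, Tuple[List[str], str]]:
    """Return only the names that are not healthy, with their chain and status."""
    findings = {}
    for name in names:
        chain, status = resolve_chain(name, lookup)
        if status != "ok":
            findings[name] = (chain, status)
    return findings


def detect_changes(baseline: Dict[str, str], lookup: Lookup) -> Dict[str, Tuple[str, Optional[str]]]:
    """Compare each name's current CNAME target with a previously recorded one.

    `baseline` maps name -> expected CNAME target. Returns name -> (expected,
    actual) for names whose target changed; actual is None when the name no
    longer resolves or is no longer a CNAME.
    """
    changed = {}
    for name, expected in baseline.items():
        rec = lookup(name)
        actual = rec if isinstance(rec, str) else None
        if actual != expected:
            changed[name] = (expected, actual)
    return changed


if __name__ == "__main__":
    inventory = ["www.example.test", "shop.example.test",
                 "old-blog.example.test", "legacy.example.test",
                 "api.example.test"]  # api.* is not in the zone at all
    for name, (chain, status) in audit_subdomains(inventory, sample_lookup).items():
        print(f"{status:9} {' -> '.join(chain)}")
    baseline = {"shop.example.test": "shop-legacy.saas-provider.test"}
    print(detect_changes(baseline, sample_lookup))
```

Run it on a schedule against the full sub-domain inventory (including records the application itself does not serve, such as marketing and vendor CNAMEs), and treat any `dangling` result as a record to delete or re-claim before an attacker registers the target.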
Segment the organization network
Summary The organization network must be segmented. Description By segmenting the network, an organization can minimize its attack surface. Attackers then have limited visibility and access. This makes it a greater challenge for them, for example, to make ...
Filter website content
Summary The organization must filter the content of websites accessed from a location belonging to the same entity (Output Proxy). Description This requirement allows organizations to manage and control internet usage, protect against threats, and ...
Access based on user credentials
Summary Physical (port-level) access to the network for users must be granted based on organizational user credentials (e.g., NAC with 802.1x). Description Adopting 802.1x-based NAC protects against unauthorized devices that try to connect to the network. By associating ...
Allow access only to the necessary ports
Summary Network segments and servers with applications or content must allow access only to the necessary ports. Description Unnecessary open ports increase the likelihood of exposure to exploits and attacks targeting specific services or ...
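A concrete way to verify this requirement on a Linux host, as an added example that is not part of this page's text: parse the listening sockets reported by `ss -ltn` and report every network-reachable listener whose port is not on the documented allowlist for that server. Sockets bound only to loopback are not exposed to the segment and are ignored. The `ss` output below is constructed for the demo so the block runs offline; on a real host the same text would come from `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`, and tolerating the optional Netid column of `ss -ltun` is an assumption in the parser.

```python
"""Audit listening TCP sockets against an allowlist of required ports (added example)."""
from dataclasses import dataclass
from typing import List, Set

# Constructed sample shaped like `ss -ltn` output on a Linux web/database host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      64     *:3306              *:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str  # bind address with IPv6 brackets stripped; '*' means any
    port: int

    @property
    def loopback_only(self) -> bool:
        return self.address in LOOPBACK


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -ltn`-style lines into Listener objects; the header is skipped.

    A leading Netid column (as printed by `ss -ltun`) is tolerated so the
    Local Address field is not silently mis-read (assumption about input).
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("State", "Netid"):
            continue
        if fields[0] in ("tcp", "udp"):  # Netid column present
            fields = fields[1:]
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")  # split on the last ':' (IPv6 safe)
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def find_unexpected(listeners: List[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Return network-reachable listeners whose port is not on the allowlist.

    Loopback-only sockets are not exposed to the segment and are ignored;
    any other bind address (wildcard or interface-specific) must be allowed.
    """
    return sorted(
        (l for l in listeners if not l.loopback_only and l.port not in allowed_ports),
        key=lambda l: (l.port, l.address),
    )


if __name__ == "__main__":
    required = {22, 443}  # ports this server is documented to serve
    for l in find_unexpected(parse_ss(SAMPLE_SS), required):
        print(f"unexpected listener {l.address}:{l.port}")
```

In the sample the Redis (6379) and MySQL (3306) listeners are reported because they are bound to all interfaces, while PostgreSQL on 127.0.0.1:5432 is not. Pair the host-side check with the segment's firewall rules: a listener that is not needed should be stopped or bound to loopback, and the port should also be closed at the segment boundary.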
Change SSID name
Summary The organization must change the factory default name of the wireless network SSID. Description An attacker can take advantage of default SSIDs because they are well-known and easy to find. They may use this information to target networks ...
Restrict network access
Summary Access to private wireless networks must be restricted through user credentials and authorized MAC addresses (MAC addresses are easily spoofed, so the address allowlist complements credential-based authentication rather than replacing it). Description When access restriction through user credentials and MAC addresses is applied, it helps protect against ...
Configure key encryption
Summary The organization must prefer the use of WPA2 Personal or WPA2 Enterprise (802.1x) key encryption methods. Description WPA2 (Wi-Fi Protected Access 2) is a significant improvement over its predecessor, WPA. WPA2 employs stronger encryption ...
Change access point IP
Summary Access points must not use the factory-set IP address. Description This requirement refers to the fact that factory-set IP addresses are well-known, publicly available and documented by manufacturers. If access points use these default IP ...
Manage access points
Summary Management of wireless access points must be enabled on only one of the device's physical ports. Description Limiting the management interface to a specific physical port contributes to more granular access control. Access ...
Locate access points
Summary Access points must be placed in strategic locations so that the network signal reaches only the authorized facilities. Description When access points are properly placed, they help minimize signal leakage beyond the intended coverage ...
SSID without dictionary words
Summary The wireless SSID must not contain dictionary words. Description Using common dictionary words in the SSID makes it easier for attackers to predict and potentially guess the name of the wireless network. ...
Hide SSID on private networks
Summary Private networks must disable disclosure (broadcasting) of the SSID (Service Set Identifier); note that clients configured for a hidden network still reveal its name in probe requests, so this is hygiene rather than an access control. Description When SSID broadcasting is enabled, the network name is visible to anyone within range of the Wi-Fi signal. Disabling SSID broadcast reduces the ...
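The wireless requirements above (non-default SSID, no dictionary words in the SSID, WPA2 Personal or Enterprise, credential plus MAC-address restriction, hidden SSID) can be checked mechanically against an access point's configuration. The following is an added example, not the page's own tooling: it parses a hostapd.conf and reports which requirements it violates. The option names used (`ssid`, `ignore_broadcast_ssid`, `wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `ieee8021x`, `macaddr_acl`, `accept_mac_file`) are real hostapd options; the two configurations, the factory-SSID prefix list and the tiny dictionary are constructed for the demo, and loading a full word list and the actual defaults of your vendor's hardware is an assumption left to the deployment.

```python
"""Audit a hostapd.conf against the wireless requirements on this page (added example)."""
import re
from typing import Dict, List

# Constructed lists for the demo; use vendor defaults and a full word list in practice.
FACTORY_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link", "default", "wireless")
DICTIONARY = {"office", "network", "wifi", "guest", "corp", "home", "secure"}

# Constructed sample: a weak configuration with several violations.
WEAK_CONF = """\
interface=wlan0
ssid=NETGEAR Office Network
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
macaddr_acl=0
"""

# Constructed sample: WPA2 Enterprise (802.1x) with a MAC allowlist and hidden SSID.
HARDENED_CONF = """\
interface=wlan0
ssid=x7Kq-9pLw2
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.5.10
auth_server_shared_secret=constructed-demo-secret
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """key=value lines; '#' comments and blank lines are ignored; later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: Dict[str, str]) -> List[str]:
    """Return one finding string per violated requirement (empty list = compliant)."""
    findings = []
    ssid = conf.get("ssid", "")
    low = ssid.lower()
    if not ssid:
        findings.append("ssid: missing")
    if any(low.startswith(p) for p in FACTORY_SSID_PREFIXES):
        findings.append(f"ssid: looks like a factory default ({ssid!r})")
    words = [w for w in re.split(r"[^a-z]+", low) if w in DICTIONARY]
    if words:
        findings.append(f"ssid: contains dictionary words {words}")
    # Hidden SSID only stops casual discovery: clients still leak the name in
    # probe requests, so treat this as hygiene rather than an access control.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid: broadcast enabled (ignore_broadcast_ssid=0)")
    # wpa=2 selects WPA2/RSN only; wpa=3 would also accept the weaker WPA1.
    if conf.get("wpa") != "2":
        findings.append(f"wpa: expected 2 (WPA2 only), got {conf.get('wpa')!r}")
    pairwise = conf.get("rsn_pairwise", "").split()
    if "CCMP" not in pairwise or "TKIP" in pairwise:
        findings.append("rsn_pairwise: must be CCMP without TKIP")
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if not mgmt & {"WPA-PSK", "WPA-EAP"}:
        findings.append("wpa_key_mgmt: expected WPA-PSK (Personal) or WPA-EAP (Enterprise)")
    if "WPA-EAP" in mgmt and conf.get("ieee8021x") != "1":
        findings.append("ieee8021x: WPA-EAP requires ieee8021x=1")
    # macaddr_acl=1 denies any station not listed in accept_mac_file. MACs are
    # spoofable, so this complements WPA2 authentication; it does not replace it.
    if conf.get("macaddr_acl") != "1":
        findings.append("macaddr_acl: expected 1 (allowlist) with accept_mac_file")
    elif not conf.get("accept_mac_file"):
        findings.append("accept_mac_file: missing while macaddr_acl=1")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hostapd(parse_hostapd(text)) or "OK")
```

The weak sample trips six checks (factory-style and dictionary-word SSID, broadcast enabled, WPA1 accepted via `wpa=3`, TKIP still offered, no MAC allowlist); the hardened sample passes. The same checks map directly onto a vendor GUI or controller export if you are not running hostapd; only the parser changes.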