4.2: Change Default Passwords

Sub-control 4.2 states that before deploying any new asset, change all default passwords to have values consistent with administrative-level accounts.

Asset Type: Users
Security Function: Protect
Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 2.4: Track Software Inventory Information

Inputs

  1. Inventory of Endpoints: The organization’s inventory of endpoints that use credentials, either at the OS level or at the application software level. Ideally, this includes the software inventory from sub-control 2.4.

  2. Authoritative Source of Default Passwords: An authoritative source of known default passwords. Tenable has thousands of checks for known default passwords. Active and passive scanning can identify and report on the use/existence of default credentials.

  3. Password Policy Configuration: The organization’s defined password policy configuration.

Operations

  1. For each endpoint in I1, enumerate the available logins together with their stored (hashed) credentials (M1), so that each endpoint has a list of user ids and the hash that corresponds to each one.

  2. For each endpoint in I1, generate password hashes for all relevant default passwords provided in I2 using the hashing procedure of the corresponding OS, application, etc., including any applicable salt and, for iterated schemes, the same work factor, so that the results are directly comparable with the stored hashes from Operation 1. The organization must identify a trusted resource that can provide a list of default passwords for each device on the organization’s network.

  3. For each login, compare the password hash for that login to the default password hashes generated in the previous operation. Create a list containing any logins that have hashes that match default password hashes, including the endpoint to which the login corresponds and the default password and hash that matched (M3).

  4. For each endpoint, collect the applied password policy configuration (M5).

  5. For each endpoint, compare the password policy configuration to the organizationally defined password policy recommendations (including password length, complexity requirements, etc.). Create a list of endpoint password policies that adhere to the organizational policy (M7) and a list of endpoint password policies that deviate from the organizational policy (M9). Note where the deviations occur.

Measures

M1 = List of logins for credentialed accounts: a list of available logins for endpoints that use credentialed accounts. Derived from Operation 1.
M2 = Count of items in M1: the total number of items identified in M1.
M3 = List of logins with a hash matching a default hash: a list of enumerated logins whose password hash matches a known default password hash. Derived from Operation 3.
M4 = Count of items in M3: the total number of items in M3.
M5 = List of collected endpoint password policy configurations: a list of the collected endpoint password policy configurations. Derived from Operation 4.
M6 = Count of items in M5: the total number of items in M5.
M7 = List of matching password policy configurations: a list of collected password policy configurations that match organizationally defined recommendations.
M8 = Count of items in M7: the total number of items in M7.
M9 = List of non-matching password policy configurations: a list of collected password policy configurations that do not match organizationally defined recommendations.

Metrics

Default Password Usage

Metric: The percentage of credentials that have been changed from the default value.
Calculation: If M2 = 0, then no credentialed logins were enumerated and the metric is undefined. Otherwise, the value of this metric is (M2 - M4) / M2.

Password Policy Compliance

Metric: The percentage of collected password policies that comply with the organization’s password policies.
Calculation: If M6 = 0, then no endpoint password policy configurations were collected and the metric is undefined. Otherwise, the value of this metric is M8 / M6.
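Operations 1 through 5 and the two metrics above, as an added worked example in Python. This is not code from the CIS document; it assumes two stored-hash formats (an unsalted SHA-1 hex digest, as found on some network devices, and a Django-style "pbkdf2_sha256$iterations$salt$digest" string), and the inventory, default-password list, policy values and product names are all constructed. The stored hashes are generated from plaintext only to build the fixture; the detection logic never sees the plaintext.

```python
"""Sub-control 4.2 worked example (added; not part of the CIS document).
Assumed hash formats: unsalted SHA-1 hex, and Django-style
"pbkdf2_sha256$<iterations>$<salt>$<base64 digest>". All data is constructed."""
import base64
import hashlib
import hmac

PBKDF2_ITERATIONS = 50_000  # assumed work factor for the constructed app-01 fixture


def sha1_hex(password):
    """Unsalted SHA-1, as stored by some embedded and network devices."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_sha256(password, salt, iterations):
    """Django-style salted, iterated hash string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def hash_like(stored, candidate):
    """Operation 2: hash `candidate` with the scheme, salt and work factor taken from
    `stored`, so the result is directly comparable with the stored value."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt, _ = stored.split("$", 3)
        return pbkdf2_sha256(candidate, salt, int(iterations))
    if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored):
        return sha1_hex(candidate)
    raise ValueError(f"unrecognised hash format: {stored!r}")


# I2: authoritative default-password list keyed by product (constructed).
DEFAULT_PASSWORDS = {"AcmeRouter": ["admin", "password"], "WebApp": ["changeme", "admin"]}

# I1 / Operation 1: enumerated logins with stored hashes (M1). Constructed fixture.
INVENTORY = [
    {"endpoint": "rtr-01", "product": "AcmeRouter", "login": "admin", "hash": sha1_hex("admin")},
    {"endpoint": "rtr-01", "product": "AcmeRouter", "login": "ops", "hash": sha1_hex("Str0ng!Route")},
    {"endpoint": "app-01", "product": "WebApp", "login": "admin",
     "hash": pbkdf2_sha256("changeme", "Q9v2", PBKDF2_ITERATIONS)},
    {"endpoint": "app-01", "product": "WebApp", "login": "alice",
     "hash": pbkdf2_sha256("correct horse battery", "kL8p", PBKDF2_ITERATIONS)},
]

# I3: organizational policy; Operation 4 output (M5) is COLLECTED_POLICIES. Constructed.
ORG_POLICY = {"min_length": 14, "complexity": True, "max_age_days": 365, "lockout_threshold": 10}
COLLECTED_POLICIES = {
    "rtr-01": {"min_length": 8, "complexity": False, "max_age_days": 0, "lockout_threshold": 0},
    "app-01": {"min_length": 14, "complexity": True, "max_age_days": 90, "lockout_threshold": 5},
    "srv-02": {"min_length": 14, "complexity": True, "max_age_days": 365, "lockout_threshold": 10},
}


def find_default_logins(inventory, defaults):
    """Operation 3: M3, every login whose stored hash equals a default-password hash."""
    matches = []
    for entry in inventory:
        for candidate in defaults.get(entry["product"], []):
            computed = hash_like(entry["hash"], candidate)
            if hmac.compare_digest(computed, entry["hash"]):
                matches.append({**entry, "default_password": candidate, "matched_hash": computed})
                break  # one match is enough to flag the login
    return matches


def setting_compliant(setting, actual, required):
    """One collected policy setting against the organizational requirement."""
    if actual is None:
        return False  # a setting that was not collected counts as a deviation
    if setting == "min_length":
        return actual >= required
    if setting == "complexity":
        return actual == required
    # max_age_days / lockout_threshold: 0 means "never" or "disabled", which deviates
    return 0 < actual <= required


def compare_policies(collected, org):
    """Operation 5: returns (M7, M9); M9 maps endpoint -> [(setting, actual, required)]."""
    matching, deviating = [], {}
    for endpoint, policy in collected.items():
        devs = [(s, policy.get(s), req) for s, req in org.items()
                if not setting_compliant(s, policy.get(s), req)]
        if devs:
            deviating[endpoint] = devs
        else:
            matching.append(endpoint)
    return matching, deviating


def default_password_usage(m2, m4):
    """Metric: (M2 - M4) / M2; None when no logins were enumerated (M2 = 0)."""
    return None if m2 == 0 else (m2 - m4) / m2


def password_policy_compliance(m6, m8):
    """Metric: M8 / M6; None when no policies were collected (M6 = 0)."""
    return None if m6 == 0 else m8 / m6


def run_assessment():
    m3 = find_default_logins(INVENTORY, DEFAULT_PASSWORDS)
    m7, m9 = compare_policies(COLLECTED_POLICIES, ORG_POLICY)
    return {"M2": len(INVENTORY), "M3": m3, "M4": len(m3),
            "default_password_usage": default_password_usage(len(INVENTORY), len(m3)),
            "M6": len(COLLECTED_POLICIES), "M7": m7, "M8": len(m7), "M9": m9,
            "password_policy_compliance": password_policy_compliance(len(COLLECTED_POLICIES), len(m7))}


if __name__ == "__main__":
    result = run_assessment()
    for m in result["M3"]:
        print(f"DEFAULT CREDENTIAL: {m['endpoint']} {m['login']} -> {m['default_password']!r}")
    for ep, devs in result["M9"].items():
        print(f"POLICY DEVIATION: {ep} {devs}")
    print(f"default password usage = {result['default_password_usage']:.2f}, "
          f"policy compliance = {result['password_policy_compliance']:.2f}")
```

The point of hash_like is the one practitioners most often get wrong in Operation 2: a default password must be hashed with the salt and work factor already present in the stored value, otherwise nothing ever matches and the metric falsely reports 100 percent. On a real fleet the per-format hashing is normally delegated to a scanner's built-in default-credential checks or to a crypt library for the OS and application formats in the inventory; the comparison and metric logic stay the same. The flagged logins in M3 are the remediation list for this sub-control.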