Update index.md
andreashappe authored Aug 29, 2024
1 parent 665d63a commit e2a42a7
Showing 1 changed file with 23 additions and 5 deletions.
28 changes: 23 additions & 5 deletions docs/potential-top-10/index.md
Expand Up @@ -23,15 +23,33 @@ We're currently collecting potential candiates within [the repo](/docs/potential

- maybe we should get to a more conceptional level with the Top 10
- e.g., "Insufficient Network Separation" is rather a problem with a mitigation and not the root cause vulnerability
- I believe that those high-level problems will be highly inter-related.
- controls/countermeasures: maybe add a separate directory and link those (if they are mentioned multiple times) to reduce duplication

- maybe those are better ideas (and each of them would have a list of examples)
- fear of overly communicative devices?
- merge this with `unexpected attack surface` or maybe split some things from there over here
- maybe split between architecture and device?
- devices that cannot be updated
- examples: due to availability concerns, vendor not providing updates, devices without update capabilities
- too large blast zone
- unauthenticated/unauthorized communication without integrity protection
- depending upon physical security
- devices with known security vulnerabilities
- devices with (known) security vulnerabilities
- related: device cannot be updated
- missing vulnerability management
- missing patch management
- over-dependence upon / defect mitigations
- depending upon physical security
- invalid air-gapping, see stuxnet
- too large blast zone
- opposed to defense-in-depth/zero-trust
- unauthenticated/unauthorized communication without integrity protection
- unexpected attack surface
- remediations are not a `get out of jail free` card and impose limitations and maintenance burden
- examples: stuxnet
- devices with additional unknown services (features, management, backdoors, etc.)
- shadow infrastructure / unknown devices
- maintenance access
- Lax access controls
- on device/service-level
- on physical level

I believe that those high-level problems will be highly inter-related.
I would like to add security-by-obscurity prefered by vendors also somewhere.
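Review bot: four entries appear twice in this hunk ("too large blast zone", "unauthenticated/unauthorized communication without integrity protection", "depending upon physical security", "devices with known security vulnerabilities"), once as flat top-level bullets and again as nested items under "devices with (known) security vulnerabilities" and "over-dependence upon / defect mitigations"; the hunk header (15 old lines, 33 new) suggests the flat copies are the removed lines, but the rendered view does not mark which copy is which, so please confirm the old top-level entries are gone and the list does not keep both. Three wording points in the added lines: "over-dependence upon / defect mitigations" presumably means "defective mitigations", and the sub-item "remediations are not a `get out of jail free` card and impose limitations and maintenance burden" reads as belonging under that heading rather than under "unexpected attack surface"; "invalid air-gapping, see stuxnet" would be clearer as "ineffective air-gapping"; and "prefered" should be "preferred" in the closing sentence. Stuxnet is now cited under both air-gapping and "unexpected attack surface"; one reference stating which category it illustrates would avoid the overlap.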
