Consumer Best Practices

= Potential OWASP Consumer Top Ten =

Safe practices for consumers on the web

Weak Password Handling
Description: Passwords are the most common way to authenticate to systems, applications, services, etc. Authentication is how a person or system proves their identity. Three methods of authentications are: provide something you know, something you have, or something you are. Passwords fulfill the first condition, something you know. People and systems authenticate by providing something only they should know, therefore proving their identity. Weak password handling vulnerabilities are weaknesses in the handling, storage, and use of passwords.

Threats: The exposure of passwords through mishandling or improper storage could allow discovery and use by a third party.

Impact: Weak password handling can result in the unauthorized access and compromise of data or systems.

Recommendations:
 * Use Multi-factor Authentication, especially on important accounts
 * Use a Password Manager
 * Use Strong Passwords
 * Avoid using the same password across different accounts
 * Do not answer security questions with easily identifiable or enumerable answers
 * Do not allow browsers to store passwords
 * Do not share your passwords
 * Change default passwords

Information Disclosure/Sensitive Data Exposure
Description: Information disclosure vulnerabilities are when...

Threats: Information and data can be exposed when...

Include: Social media, exif data in documents or pictures, geo locations, etc.

Impact: The disclosure of personal information can...

Recommendations:
 * Be aware of the information being posted in public forums
 * Understand "metadata" in electronic documents, images and files
 * Understand the implications of broadcasting your location, even if accidently

Trusting Untrusted Sources
Description

Threats

Impact

Recommendations

Notes:
 * Untrusted Sources
 * Untrusted WiFi, computers, or email
 * Downloading files from untrusted sources
 * Clicking on links from unknown or unverified sources
 * Review credit reports
 * Review unknown uses of online accounts
 * Subscribe to a credit monitoring service
 * Freeze credit

Lack of Proper Encryption in Transit
Description

Threats

Impact

Recommendations

Notes:
 * Do not ignore SSL warnings
 * Use Encryption

Lack of Proper Encryption at Rest
Description

Threats

Impact

Recommendations

Notes:
 * Encrypt PII
 * Don't store sensitive information unencrypted
 * Includes physical info - do not write down passwords, shred sensitive documents, protect your SSN, etc.

Using Components with Known Vulnerabilities
Description

Threats

Impact

Recommendations

Notes:
 * Patch

Lack of Secure Configuration
Description

Threats

Impact

Recommendations

Notes:
 * Configure application settings for security
 * Do not configure devices to automatically connect to wifi access points

Running Unnecessary Software or Services
Description

Threats

Impact

Recommendations

Notes:
 * Do not install unneeded software
 * Remove software not in use
 * Do not enable services you don't use

Poor Physical Security
Description

Threats

Impact

Recommendations

Notes:
 * Encrypt devices and drives
 * Do not leave mobile devices unattended
 * Use an inactivity lockout
 * Password protect all devices

Lack of Proper Defense
Description

Threats

Impact

Recommendations

Notes:
 * Use Personal Firewalls
 * Properly Secure Wireless Access Points
 * Use Intrusion Detection Services
 * Use anti-virus
 * Backup important data
 * Learn to recognize threats?