GDPR compliant configurations

Information about features of IBM® Cloud Manager with OpenStack that must be configured so that they are compliant with GDPR.

Weak Password Policy and Inadequate Account Lockout Mechanism

The application does not mandate that users have strong passwords, which makes it easy for attackers to compromise user accounts. Passwords are prone to brute-force attacks: because the password policy is weak and allows simple alphanumeric passwords, an attacker can brute-force them easily.

Account lockout mechanisms are used to mitigate brute-force password guessing attacks. Ideally, accounts must be locked out after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, either through a self-service unlock mechanism or through administrator intervention. Account lockout mechanisms require a balance between protecting accounts from unauthorized access and protecting users from being denied authorized access.

It is observed that the application does not lock out the user account even after 10 failed login attempts. Hence, the user can still log in to the application after many unsuccessful login attempts.

Solution: To prevent this attack, the recommendation is to use strong passwords. For an account lockout mechanism, ensure that you use LDAP in production systems.
  • Users created from OpenStack: To prevent this attack, the recommendation is to use strong passwords that comply with the password policies allowed by IBM Cloud Manager with OpenStack. Follow these strong password rules:
    • A strong password must be at least 8 characters long.
    • It must not contain any of your personal information, specifically your real name, user name, or even your company name.
    • It must be clearly distinct from your previously used passwords.
    • It must not contain any complete dictionary word.
    • It must contain characters from all four primary categories: uppercase letters, lowercase letters, numbers, and special characters.
  • IBM Cloud Manager with OpenStack integrates with configurable policy-based systems such as LDAP or AD: LDAP users can perform operations according to their role. No changes are required for these users because they must already comply with organization policies.
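
The password rules and the lockout behaviour described above, as an added illustration that is not part of the product or this page: a checker that reports which rules a candidate password breaks, and a tracker that locks an account after a configurable number of consecutive failures and releases it after a timeout (or on administrator unlock). The word list, thresholds and the injectable clock are assumptions for the example.

```python
import re
import time
# Constructed word list standing in for a real dictionary (assumption, not the product's).
COMMON_WORDS = {"password", "welcome", "summer", "openstack"}

def password_violations(password, personal_info=(), previous=(), word_list=COMMON_WORDS):
    """Return the page's password rules that `password` breaks (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if any(info and info.lower() in password.lower() for info in personal_info):
        problems.append("contains personal information")
    if password in previous:
        problems.append("reused from a previous password")
    if any(word in password.lower() for word in word_list):
        problems.append("contains a complete dictionary word")
    categories = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, password)) for p in categories) < 4:
        problems.append("missing an uppercase, lowercase, digit or special character")
    return problems

class LockoutTracker:
    """Lock an account after `max_attempts` consecutive failures for `lockout_seconds`."""
    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.time):
        self.max_attempts, self.lockout_seconds, self.clock = max_attempts, lockout_seconds, clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> epoch seconds at which the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:  # lock period elapsed: self-service unlock
            self.admin_unlock(user)
            return False
        return True

    def record_failure(self, user):
        """Count a failed login; returns True once the account is locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lockout_seconds
        return self.is_locked(user)

    def record_success(self, user):
        self.failures.pop(user, None)  # successful login resets the counter

    def admin_unlock(self, user):
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```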

Malicious File Upload

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked; the attacker then only needs to find a way to get that code executed. File upload helps the attacker accomplish the first step. The consequences of unrestricted file upload vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement. They depend on what the application does with the uploaded file and where it is stored.

Cacheable SSL Page Found

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed through HTTPS.

Solution: Configure the Web server to prevent caching of relevant paths within the web root.

Apache Multiviews Attack

Apache has a feature called MultiViews, which is often turned on by default for certain directories or enabled through configuration. MultiViews lets Apache find the available extensions for a file when the requested name has no extension. An attacker can use this to enumerate server files.

Solution: Disable Apache MultiViews if it is not required.