Protect the system against replay attacks.

CONTROL ID: 04552
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Authentication methods susceptible to replay attacks are disabled. (Security Control: 1603; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Authentication methods susceptible to replay attacks are disabled. (Control: ISM-1603; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Authentication methods susceptible to replay attacks are disabled. (Control: ISM-1603; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The MFA system is not susceptible to replay attacks. (8.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine vendor system documentation to verify that the MFA system is not susceptible to replay attacks. (8.5.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The MFA system is not susceptible to replay attacks. (8.5.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The MFA system is not susceptible to replay attacks. (8.5.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The MFA system is not susceptible to replay attacks. (8.5.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The MFA system is not susceptible to replay attacks. (8.5.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Verify replay resistance through the mandated use of One-time Passwords (OTP) devices, cryptographic authenticators, or lookup codes. (2.2.6, Application Security Verification Standard 4.0.3, 4.0.3)
  • The system should have the ability to detect replay for specified entities (messages, service requests, service responses, and user sessions) and take appropriate action (ignoring the entity, requesting confirmation of the entity, and terminating the entity). (§ 15.9, § J.9, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • For cloud computing application program interfaces, does the application program interface code security testing include replay attacks? (§ V.1.39.2.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (IA.3.084, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (IA.3.084, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (IA.3.084, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (IA.L2-3.5.4 Replay-Resistant Authentication, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement replay-resistant authentication mechanisms for access to [FedRAMP Assignment: privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Implement replay-resistant authentication mechanisms for access to [FedRAMP Assignment: privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Implement replay-resistant authentication mechanisms for access to [FedRAMP Assignment: privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Communication between the claimant and verifier SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to MitM attacks. All cryptographic device authenticators used at AAL3 SHALL be verifier impersonation resistant as described in Sectio… (4.3.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Cryptographic authenticators used at AAL2 SHALL use approved cryptography. Authenticators procured by government agencies SHALL be validated to meet the requirements of FIPS 140 Level 1. Software-based authenticators that operate within the context of an operating system MAY, where applicable, attem… (4.2.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant. (3.5.1e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • The organization should include some type of time variant parameter in encrypted password messages to protect against replay attacks. (§ 3.2.7 ¶ 2, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (3.5.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (3.5.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. (3.5.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization protects nonlocal maintenance sessions by employing {organizationally documented authenticators that are replay resistant}. (MA-4(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. (IA-2(9) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employing [Assignment: organization-defined authenticators that are replay resistant]; and (MA-4(4)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employing [Assignment: organization-defined authenticators that are replay resistant]; and (MA-4(4) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. (IA-2(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employing [Assignment: organization-defined authenticators that are replay resistant]; and (MA-4(4) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. (IA-2(8) ¶ 1, TX-RAMP Security Controls Baseline Level 2)