Summary

A system with critical information must require the identification of the equipment from which a user or system is authenticated.

Description

The requirement includes capturing information about the device used for access that can be used to identify it uniquely. This can include information such as device ID, hardware characteristics, IP address, or other identifying data. It helps to ensure that the authentication request is being originated from a recognized and authorized device, reducing the risk of unauthorized access to critical data.

Supported In

This requirement is verified in following services

References

• CAPEC™-114. Authentication abuse
• OWASP TOP 10-A7. Identification and authentication failures
• MITRE ATT&CK®-M1025. Privileged process integrity
• SANS 25-13. Improper authentication
• PDPO-S1_4. Security of personal data
• CMMC-MP_L2-3_8_1. Media protection
• CMMC-MP_L2-3_8_8. Shared media
• HITRUST CSF-01_k. Equipment identification in networks
• HITRUST CSF-08_b. Physical entry controls
• ISO/IEC 27002-5_37. Documented operating procedures
• OSSTMM3-8_7_4. Physical security (controls verification) - Integrity
• PTES-7_4_4_1. Post Exploitation - Pillaging (user information on system)
• SWIFT CSCF-3_1. Physical security
• SIG Core-D_1_1_2. Asset and information management
• OWASP ASVS-2_8_2. One time verifier
• ISO/IEC 27001-5_37. Documented operating procedures
• CASA-2_8_2. One Time Verifier
• CWE TOP 25-287. Improper authentication

Vulnerabilities

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.