Deny access with inactive credentials
Summary
The system must not allow users to authenticate with expired, revoked or blocked credentials.
Description
Inactive credentials pose a security risk to organizations. Each one of these accounts offers a malicious actor an opportunity to gain access to resources.
Supported In
This requirement is verified in the following services
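Added example (not Fluid Attacks' own code): an authentication gate that checks the credential's state before verifying the secret, so expired, revoked, blocked or long-inactive credentials are denied; the 90-day inactivity limit and the demo accounts are assumed values.

```python
"""Deny authentication with expired, revoked, blocked or inactive credentials."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import os

INACTIVITY_LIMIT = timedelta(days=90)  # assumed policy value, not from the page
PBKDF2_ROUNDS = 100_000

@dataclass
class Credential:
    username: str
    salt: bytes
    pw_hash: bytes
    expires_at: datetime
    revoked: bool = False
    blocked: bool = False
    last_used_at: Optional[datetime] = None

def make_credential(username: str, password: str, lifetime: timedelta, now: datetime) -> Credential:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Credential(username, salt, pw_hash, now + lifetime, last_used_at=now)

def credential_status(cred: Credential, now: datetime) -> str:
    """Return 'active' or the reason the credential must be refused."""
    if cred.revoked:
        return "revoked"
    if cred.blocked:
        return "blocked"
    if now >= cred.expires_at:
        return "expired"
    if cred.last_used_at is not None and now - cred.last_used_at > INACTIVITY_LIMIT:
        return "inactive"
    return "active"

def authenticate(store: dict, username: str, password: str, now: datetime):
    """Return (ok, reason). The reason is for audit logs; clients should only see a generic denial."""
    cred = store.get(username)
    if cred is None:
        return (False, "unknown")
    status = credential_status(cred, now)   # state check first: a valid secret never rescues a dead credential
    if status != "active":
        return (False, status)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, cred.pw_hash):
        return (False, "bad_secret")
    cred.last_used_at = now                 # successful use resets the inactivity clock
    return (True, "ok")
```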
Plan | Supported
---|---
Machine | 🔴
Squad | 🟢
References
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- NERC CIP-004-6_R5. Access revocation
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_2. Logical and physical access controls
- MITRE ATT&CK®-M1043. Credential access protection
- CMMC-AC_L2-3_1_10. Session lock
- CMMC-IA_L2-3_5_6. Identifier handling
- FedRAMP-AC-11. Session lock
- FedRAMP-PE-3. Physical access control
- ISO/IEC 27002-7_2. Physical entry controls
- LGPD-46. Security and Secrecy of Data
- ISA/IEC 62443-UC-2_1. Authorization enforcement
- WASSEC-2_1. Authentication schemes
- WASC-W_02. Insufficient authorization
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
- BSAFSS-IA_1-2. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- NIST 800-171-5_6. Disable identifiers after a defined period of inactivity
- CWE TOP 25-287. Improper authentication
- SIG Lite-SL_45. Termination or change of status process?
- ISO/IEC 27001-7_2. Physical entry controls
Vulnerabilities