Level 2
Description:
Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time-synchronous or challenge-response one-time authenticators. [SP 800-63-3] provides guidance on digital identities.
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Multi-Factor Authentication (MFA)
- AWS Directory Service
- AWS Single Sign-On
Services Associated with Azure:
- Azure Active Directory
- Azure Multi-Factor Authentication
- Azure Conditional Access
- Azure Key Vault
- Azure AD Privileged Identity Management
- Azure AD Identity Protection
- Azure Security Center
- Azure Information Protection
- Azure Advanced Threat Protection
- Azure Sentinel
- Azure Firewall
- Azure VPN Gateway
- Azure Bastion
- Azure Application Gateway
- Azure Traffic Manager
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Are only anti-replay authentication mechanisms used? Are defined replay-resistant authentication mechanisms used for network access to privileged and non-privileged accounts?
Checks for AWS
- Implement Replay-Resistant Authentication Mechanisms for Network Access
Description: This check ensures that organizations employ replay-resistant authentication mechanisms for network access to both privileged and non-privileged accounts. Replay attacks involve the interception and replay of previous authentication messages to gain unauthorized access. To mitigate this risk, authentication processes should use techniques that make it impractical to successfully authenticate by recording and replaying previous authentication messages. Replay-resistant mechanisms include the use of nonces (single-use random values) or challenges, such as time-synchronous or challenge-response one-time authenticators. These mechanisms ensure that each authentication attempt is unique and cannot be replicated or reused. By implementing replay-resistant authentication mechanisms, organizations enhance the security of network access and reduce the risk of unauthorized account access.
Checks for Azure
- Enforce Replay-Resistant Authentication Mechanisms for Network Access
Description: This check ensures that organizations enforce replay-resistant authentication mechanisms for network access in Azure. Replay attacks involve intercepting and replaying previous authentication messages to gain unauthorized access. To mitigate this risk, authentication processes should use techniques such as nonces (random numbers) or challenges, including time-synchronous or challenge-response one-time authenticators. These mechanisms make it impractical to successfully authenticate by recording and replaying previous authentication messages, enhancing the security of network access.
- Implement Azure Multi-Factor Authentication (MFA) for Network Access
Description: This check verifies that Azure Multi-Factor Authentication (MFA) is implemented for network access. Azure MFA provides an additional layer of security by requiring users to provide multiple factors of authentication, such as something they know (password) and something they have (token or mobile app approval), reducing the risk of unauthorized access.
More Details: The multi-factor authentication in place uses replay-resistant mechanisms.
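As an added illustration of the two replay-resistant techniques named in the checks above (a nonce-based challenge-response exchange and a time-synchronous one-time authenticator), the following Python model shows why a recorded authentication message cannot be reused. It is example code written for this page, not part of the control text and not code from any AWS or Azure service; the user name, shared secrets and timestamps are constructed sample values, and the HOTP/TOTP computation follows RFC 4226/6238 so it can be checked against the published test vector.

```python
"""Added example: two replay-resistant authentication patterns named in this
control. The keys, user names and timestamps are constructed sample values."""
import hashlib
import hmac
import secrets
import struct


class ChallengeResponseServer:
    """Server side of a nonce-based challenge-response login.

    Each challenge is a fresh random nonce that is valid once and only for a
    short time, so a recorded (nonce, response) pair is useless afterwards.
    """

    def __init__(self, shared_keys, nonce_ttl=30):
        self.keys = shared_keys      # user -> pre-shared secret (assumed provisioned out of band)
        self.pending = {}            # nonce -> (user, issue time)
        self.ttl = nonce_ttl         # seconds a challenge stays valid

    def issue_challenge(self, user, now):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user, now)
        return nonce

    def verify(self, user, nonce, response, now):
        # pop() makes the nonce single-use whether or not verification succeeds
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False             # unknown or already-consumed nonce: replay or forgery
        issued_for, issued_at = entry
        if issued_for != user or now - issued_at > self.ttl:
            return False             # wrong account or stale challenge
        expected = hmac.new(self.keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret, nonce):
    """Client proves possession of the secret by keying an HMAC over the nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Time-synchronous OTP check (RFC 6238 style) that refuses to accept a
    code for a time step it has already accepted, so an intercepted code cannot
    be replayed inside its own validity window."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window         # accept +/- this many steps of clock drift
        self.last_accepted_step = -1

    def verify(self, code, now):
        current = int(now // self.step)
        for s in range(current - self.window, current + self.window + 1):
            if s <= self.last_accepted_step:
                continue             # this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_accepted_step = s
                return True
        return False


def run_demo():
    """Legitimate logins succeed; replays of captured messages fail."""
    results = {}
    alice_key = b"constructed-shared-secret-for-alice"
    server = ChallengeResponseServer({"alice": alice_key}, nonce_ttl=30)

    nonce = server.issue_challenge("alice", now=1000)
    response = client_respond(alice_key, nonce)   # an eavesdropper could capture both values
    results["cr_first"] = server.verify("alice", nonce, response, now=1001)
    results["cr_replay"] = server.verify("alice", nonce, response, now=1002)

    stale = server.issue_challenge("alice", now=2000)
    results["cr_stale"] = server.verify("alice", stale, client_respond(alice_key, stale), now=2040)

    totp_secret = b"12345678901234567890"         # RFC 4226 test-vector secret
    verifier = TotpVerifier(totp_secret)
    now = 1_700_000_000                           # constructed Unix time
    code = hotp(totp_secret, now // 30)           # what the user's authenticator would show
    results["totp_first"] = verifier.verify(code, now)
    results["totp_replay"] = verifier.verify(code, now + 5)   # same 30-second window
    results["totp_next"] = verifier.verify(hotp(totp_secret, now // 30 + 1), now + 30)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two properties an assessor looks for are both visible in `run_demo()`: the challenge-response server consumes each nonce on first use and expires unused ones, and the TOTP verifier remembers the last accepted time step, which is the RFC 6238 recommendation for refusing a second use of the same code. A screenshot of the MFA or conditional-access policy shows that such a mechanism is enforced; this model shows what the mechanism has to do.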