Summary

The system must notify the users whenever their authentication details or other security settings are changed.

Description

Most systems allow their users to modify relevant information, such as access credentials and contact data. Users should be notified whenever any of these or other security settings are modified, as it could be a part of several types of attacks, e.g., account takeover attacks.

References

• CWE-620. Unverified password change
• NIST80053-AC-2_4. Automated audit actions
• OWASP10-A7. Identification and authentication failures
• BIZEC-APP-06. Direct database modifications
• CCPA-1798_106. Consumer's right to correct inaccurate personal information
• CCPA-1798_121. Consumer's right to limit use and disclosure of sensitive personal information
• FCRA-604-E_5. Notification system
• PDPA-6A_26B. Notifiable data breaches
• PDPA-6A_26D. Duty to notify occurrence of notifiable data breach
• CMMC-AC_L2-3_1_9. Privacy & security notices
• CMMC-AU_L2-3_3_4. Audit failure alerting
• CMMC-CM_L2-3_4_3. System change management
• HITRUST-13_n. Participation and redress
• FEDRAMP-SI-5. Security alerts, advisories, and directives
• LGPD-9_VII-2. Requirements for the Processing of Personal Data
• IEC62443-IAC-1_12. System use notification
• OWASPSCP-3. Authentication and password management
• BSAFSS-VN_3-2. Vulnerability notification and patching (updates are accompanied by advisory messages)
• ASVS-2_5_5. Credential recovery
• C2M2-8_3_e. Assign cybersecurity responsibilities
• SIGLITE-SL_65. Is there a process to ensure clients are notified prior to changes being made which may impact their service?
• SIGLITE-SL_90. Are change control procedures required for all changes to the production environment?
• SIG-G_2_10_2. Operations management
• FISMA-AC-2_4. Automated audit actions

Weaknesses

• 399. Security controls absence - Monitoring