Threat CC.AuC.CCC-nS.3.2

URI: CC.AuC.CCC-nS.3.2

Package: ProcessComms


Description: Password from client Client captured by imposter of service Service: if an attacker can successfully spoof service Service to client Client, they can capture the password (or other reusable secret) used by Client to access the real service, allowing them to also impersonate the client.

Threat Type: Primary Threat

Matching Pattern:

CC.AuC.CCC-nS.3.2
MP-CCC-nS

Finds a Client that is not sharing or forwarding credentials, with access to a Service that does not use a separate authenticator, the ClientChannel between them, the Client and Service hosts and optionally the Client user and Service manager.


CSG-ClientOneTimeKeyAuthentication

Access to service Service is controlled by authenticating authorised users with a one-time key created using a client-side authentication device provided to them.

CSG-ClientOutOfBandKeyAuthentication

Access to service Service is controlled by authenticating authorised users with a password and a separate key sent to them via separate (out-of-band) means.