Level 1
Description:
Designated locations include system entry and exit points which may include firewalls, remote-access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. [SP 800-83] provides guidance on malware incident prevention.
Priority: High
Domain: SYSTEM AND INFORMATION INTEGRITY (SI)
Category: Vulnerability Management
Services Associated with AWS:
- AWS WAF
- AWS Firewall Manager
- Amazon GuardDuty
- AWS Config
- AWS Systems Manager
- Amazon Inspector
Services Associated with Azure:
- Azure Defender for Servers (now Microsoft Defender for Servers)
- Azure Antimalware (Microsoft Antimalware for Azure)
- Azure Advanced Threat Protection (Azure ATP, now Microsoft Defender for Identity)
- Azure Sentinel (now Microsoft Sentinel)
- Azure Security Center (now Microsoft Defender for Cloud)
- Azure Firewall
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of how anti-malware solutions are deployed and maintained
- Technical: screen shot of anti-malware configuration settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Network / Host Firewall
- Network / Host Intrusion Prevention System (NIPS / HIPS)
- Antimalware Solution
What needs to be answered?
Does the company employ malicious code protection mechanisms at system entry and exit points to minimize the presence of malicious code? System entry and exit points may include firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Does the system automatically update malicious code protection mechanisms (for example, anti-virus engine and signature definitions) without relying on manual intervention?
Checks for AWS:
- Malicious Code Protection at Entry and Exit Points Check
Description: This check ensures that designated locations within organizational systems, such as firewalls, remote-access servers, workstations, email servers, web servers, and mobile devices, are protected from malicious code. It verifies that anti-virus signature definitions and reputation-based technologies are in place to detect and prevent the execution of malicious code at these entry and exit points, and that signature definitions are updated automatically rather than by hand. On AWS this evidence typically comes from Amazon GuardDuty and Amazon Inspector being enabled for the account, AWS WAF / Firewall Manager policies on internet-facing entry points, and AWS Systems Manager inventory or Run Command output showing the anti-malware agent state on each managed instance.
- Comprehensive Malicious Code Protection Check
Description: This check verifies that comprehensive protection mechanisms are implemented to defend against malicious code across the entire system. It ensures that pervasive configuration management and software integrity controls (for example, AWS Config rules and Systems Manager baselines) are in place to prevent the execution of unauthorized code. It also verifies that secure coding practices, trusted procurement processes, and monitoring practices are employed to mitigate the risks associated with custom-built software, which traditional signature-based protection cannot always detect.
Checks for Azure:
- Malicious Code Protection at Entry and Exit Points Check
Description: This check ensures that designated locations within organizational systems, such as firewalls, email servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices, are protected from malicious code. It verifies that appropriate measures, such as Azure Defender for Servers, Azure Antimalware, Azure Advanced Threat Protection (Azure ATP), Azure Sentinel, Azure Security Center, and Azure Firewall, are in place to detect and prevent the execution of malicious code at these entry and exit points.
- Comprehensive Malicious Code Protection Check
Description: This check verifies that comprehensive protection mechanisms are implemented to defend against malicious code across the entire system. It ensures that pervasive configuration management and software integrity controls are in place to prevent the execution of unauthorized code. It also verifies that secure coding practices, trusted procurement processes, and monitoring practices are employed to mitigate the risks associated with custom-built software. Azure services such as Azure Defender for Servers, Azure Antimalware, Azure Advanced Threat Protection (Azure ATP), Azure Sentinel, Azure Security Center, and Azure Firewall can be utilized to achieve comprehensive malicious code protection.
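The AWS and Azure entry/exit point checks above both come down to the same per-host questions: is an anti-malware engine present, is real-time protection on, and are signatures updating automatically and recently enough? The following is an added example (not part of this control page and not code from AWS or Microsoft) that evaluates a set of per-host evidence records against those questions. The record fields, the host roles and the 24-hour signature-age threshold are assumptions chosen for the example; in practice the records would be populated from AWS Systems Manager inventory or Run Command output, or from Microsoft Defender for Servers reporting, and the threshold from the organization's own standard.

```python
"""Evaluate per-host anti-malware evidence against the 3.14.2 expectations:
coverage at entry/exit points, real-time protection, and automatic, recent
signature updates. The record schema is an assumption for this example; it
is not a format returned by any AWS or Azure API."""
from datetime import datetime, timedelta, timezone

# Roles the control text names as system entry/exit points. A failing host in
# one of these roles is reported at higher severity than other hosts.
ENTRY_EXIT_ROLES = {"firewall", "remote-access", "workstation", "mail",
                    "web", "proxy", "notebook", "mobile"}

# Signatures older than this are treated as evidence that automatic updates
# are not working. The threshold is an assumption; set it from your standard.
MAX_SIGNATURE_AGE = timedelta(hours=24)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as '2024-05-01T09:30:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def findings_for_host(record, now):
    """Return a list of (severity, message) findings for one host record.
    An empty list means the host satisfies every check."""
    findings = []
    role = record.get("role", "other")
    sev = "high" if role in ENTRY_EXIT_ROLES else "medium"
    if not record.get("am_installed"):
        findings.append((sev, "no anti-malware product installed"))
        return findings  # the remaining checks are meaningless without an engine
    if not record.get("realtime_protection"):
        findings.append((sev, "real-time protection disabled"))
    if not record.get("auto_update"):
        findings.append((sev, "signature auto-update disabled"))
    sig_ts = record.get("signature_updated")
    if sig_ts is None:
        findings.append((sev, "no signature update timestamp reported"))
    else:
        age = now - parse_ts(sig_ts)
        if age > MAX_SIGNATURE_AGE:
            hours = age.total_seconds() / 3600
            findings.append((sev, f"signatures stale ({hours:.0f} h old)"))
    return findings


def evaluate(records, now):
    """Map host name -> findings for every non-compliant host."""
    report = {}
    for rec in records:
        findings = findings_for_host(rec, now)
        if findings:
            report[rec["host"]] = findings
    return report


def worst_severity(report):
    """'high' if any entry/exit point fails, 'medium' if only other hosts
    fail, 'pass' if the report is empty."""
    severities = {sev for findings in report.values() for sev, _ in findings}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "pass"


# Constructed sample evidence for the example; these are not real hosts.
SAMPLE_NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"host": "mail01", "role": "mail", "am_installed": True,
     "realtime_protection": True, "auto_update": True,
     "signature_updated": "2024-05-03T06:15:00Z"},        # compliant
    {"host": "web01", "role": "web", "am_installed": True,
     "realtime_protection": True, "auto_update": True,
     "signature_updated": "2024-04-28T06:15:00Z"},        # stale signatures
    {"host": "ws-17", "role": "workstation", "am_installed": True,
     "realtime_protection": False, "auto_update": True,
     "signature_updated": "2024-05-03T07:00:00Z"},        # real-time protection off
    {"host": "build02", "role": "other", "am_installed": False},  # no engine, non-entry host
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_RECORDS, SAMPLE_NOW)
    for host, findings in report.items():
        for sev, msg in findings:
            print(f"{sev:6} {host:8} {msg}")
    print("overall:", worst_severity(report))
```

The stale-signature check is what turns "does the system automatically update malicious code protection mechanisms?" into something an assessor can verify from evidence rather than from a configuration screenshot alone: an auto-update setting that is on but whose last successful update is days old is still a failure.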
More Details:
Malicious code protection in place for all CUI-containing systems, at every system entry and exit point, with signature definitions updated automatically.