Level 2

Description:

Mobile code technologies include Java, JavaScript, ActiveX, Postscript, PDF, Flash animations, and VBScript. Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Usage restrictions and implementation guidance apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations, notebook computers, and devices (e.g., smart phones). Mobile code policy and procedures address controlling or preventing the development, acquisition, or introduction of unacceptable mobile code in systems, including requiring mobile code to be digitally signed by a trusted source. [SP 800-28] (Guidelines on Active Content and Mobile Code) provides guidance on mobile code.


Priority: Medium


Domain:  SYSTEM AND COMMUNICATIONS PROTECTION (SC)


Category: Baseline Security Configurations 


Services Associated with AWS:

  • AWS WAF
  • AWS Shield
  • AWS CodeCommit
  • Amazon Inspector
  • AWS CloudTrail
  • Amazon GuardDuty

Services Associated with Azure: 

  • Azure App Service
  • Azure Web Application Firewall (WAF)
  • Azure Monitor
  • Azure Security Center (now Microsoft Defender for Cloud)
  • Azure Sentinel (now Microsoft Sentinel)

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Intrusion Prevention System (IPS)
  • Antimalware Solution 


What needs to be answered?

Are there defined limits on mobile code usage and established usage restrictions that specifically authorize the use of mobile code within the information system? Is the use of mobile code documented, monitored, and managed? (Java, JavaScript, ActiveX, PDF, Flash, Shockwave, Postscript, VBScript, etc.)

Checks for AWS 

  • Mobile Code Usage Restriction Check
    Description: This check ensures that appropriate usage restrictions are in place for the mobile code technologies in use within the system. It verifies that a policy controls the use of mobile code and that the policy is actually enforced, including the requirement that mobile code be digitally signed by a trusted source; code signed by a key the organization has not approved does not satisfy the requirement.
  • Mobile Code Monitoring Check
    Description: This check ensures that all usage of mobile code within the system is monitored. It verifies that monitoring tools are in place and functioning as expected to detect unauthorized or malicious use of mobile code, and that rejected executions (unsigned, tampered, or untrusted-signer code) are recorded as well as permitted ones, since the rejections are the events most likely to indicate an attempted introduction of unacceptable code.

Checks for Azure 

  • Mobile Code Usage Restriction Check:
    Description: This check ensures that mobile code technologies, such as Java, JavaScript, ActiveX, PDF, Flash, Shockwave, Postscript, VBScript, etc., are not used on systems containing Controlled Unclassified Information (CUI). It enforces usage restrictions and prevents the introduction of mobile code on systems where sensitive information is stored, processed, or transmitted.
  • Mobile Code Digitally Signed Check: 
    Description: This check mandates that all mobile code executed within the Azure environment is digitally signed by a trusted source. A valid signature establishes who produced the code and that it has not been altered since it was signed; it does not establish that the code is safe, so the control depends on the trustworthiness of the signer and on the signing keys being protected. Verifying signatures against an explicit list of approved signers, rather than accepting any valid signature, is what keeps unauthorized code from running.
  • Mobile Code Monitoring Check:
    Description: This check ensures that effective monitoring is in place for all instances of mobile code execution within the Azure environment. It verifies that monitoring tools are configured and functioning to promptly detect unauthorized or malicious use of mobile code, which improves the organization's ability to respond to potential security incidents.
  • Mobile Code Auditing and Documentation Check:
    Description: This check requires organizations to maintain comprehensive documentation and audit logs related to the use of mobile code technologies. It ensures that the use of mobile code is documented and that any changes to mobile code configurations (including changes to the set of trusted signers) are recorded. This practice supports compliance auditing and investigation of security breaches.


More Details:

Mobile code is not used on systems containing CUI.