SI 3 MALICIOUS CODE PROTECTION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

SI-3 MALICIOUS CODE PROTECTION

Control:

  • a. Implement [ Selection (one or more): signature based; non-signature based ] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
  • b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
  • c. Configure malicious code protection mechanisms to:
    • 1 . Perform periodic scans of the system [ Assignment: organization-defined frequency ] and real-time scans of files from external sources at [ Selection (one or more); endpoint; network entry and exit points ] as the files are downloaded, opened, or executed in accordance with organizational policy; and
    • 2 . [ Selection (one or more): block malicious code; quarantine malicious code; take [ Assignment: organization-defined action ] ]; and send alert to [ Assignment: organization- defined personnel or roles] in response to malicious code detection; and
  • d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Discussion: System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

Related Controls: AC-4 , AC-19 , CM-3 , CM-8 , IR-4 , MA-3 , MA-4 , PL-9 , RA-5 , SC-7 , SC-23 , SC-26 , SC-28 , SC-44 , SI-2 , SI-4 , SI-7 , SI-8 , SI-15.

Control Enhancements:

  • (1) MALICIOUS CODE PROTECTION / CENTRAL MANAGEMENT
    [Withdrawn: Incorporated into PL-9 .]

  • (2) MALICIOUS CODE PROTECTION / AUTOMATIC UPDATES
    [Withdrawn: Incorporated into SI-3 .]

  • (3) MALICIOUS CODE PROTECTION / NON-PRIVILEGED USERS
    [Withdrawn: Incorporated into AC-6(10).]

  • (4) MALICIOUS CODE PROTECTION / UPDATES ONLY BY PRIVILEGED USERS
    Update malicious code protection mechanisms only when directed by a privileged user.

    Discussion: Protection mechanisms for malicious code are typically categorized as security- related software and, as such, are only updated by organizational personnel with appropriate access privileges.

    Related Controls: CM-5.

  • (5) MALICIOUS CODE PROTECTION / PORTABLE STORAGE DEVICES
    [Withdrawn: Incorporated into MP-7 .]

  • (6) MALICIOUS CODE PROTECTION / TESTING AND VERIFICATION

    • (a) Test malicious code protection mechanisms [ Assignment: organization-defined frequency ] by introducing known benign code into the system; and
    • (b) Verify that the detection of the code and the associated incident reporting occur.

    Discussion: None.

    Related Controls: CA-2 , CA-7 , RA-5.

  • (7) MALICIOUS CODE PROTECTION / NONSIGNATURE-BASED DETECTION
    [Withdrawn: Incorporated into SI-3 .]

  • (8) MALICIOUS CODE PROTECTION / DETECT UNAUTHORIZED COMMANDS

    • (a) Detect the following unauthorized operating system commands through the kernel application programming interface on [ Assignment: organization-defined system hardware components ]: [ Assignment: organization-defined unauthorized operating system commands ]; and
    • (b) [ Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command ].

    Discussion: Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands.

    Related Controls: AU-2 , AU-6 , AU-12.

  • (9) MALICIOUS CODE PROTECTION / AUTHENTICATE REMOTE COMMANDS
    [Withdrawn: Moved to AC-17(10).]

  • (10) MALICIOUS CODE PROTECTION / MALICIOUS CODE ANALYSIS

    • (a) Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [ Assignment: organization-defined tools and techniques ]; and
    • (b) Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.

    Discussion: The use of malicious code analysis tools provides organizations with a more in- depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code.

    Related Controls: None.

References: [SP 800-83], [SP 800-125B], [SP 800-177].

⚠️ **GitHub.com Fallback** ⚠️