SI-03 Malicious Code Protection
a. Implement si-03_odp.01 malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the system si-03_odp.02 and real-time scans of files from external sources at si-03_odp.03 as the files are downloaded, opened, or executed in accordance with organizational policy; and
2. si-03_odp.04 ; and send alert to si-03_odp.06 in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
|si-03_odp.06||personnel or roles|
System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.
Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.
In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.
- SP 800-83 Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1.
- SP 800-125B Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B.
- SP 800-177 Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1.
Control Enhancements 10
- SI-03(01) Central Management
- SI-03(02) Automatic Updates
- SI-03(03) Non-privileged Users
- SI-03(04) Updates Only by Privileged Users L M H P
- SI-03(05) Portable Storage Devices
- SI-03(06) Testing and Verification L M H P
- SI-03(07) Nonsignature-based Detection
- SI-03(08) Detect Unauthorized Commands L M H P
- SI-03(09) Authenticate Remote Commands
- SI-03(10) Malicious Code Analysis L M H P
Related controls 19
- SI-02 Flaw Remediation L M H P
- AC-04 Information Flow Enforcement L M H P
- AC-19 Access Control for Mobile Devices L M H P
- CM-03 Configuration Change Control L M H P
- CM-08 System Component Inventory L M H P
- IR-04 Incident Handling L M H P
- MA-03 Maintenance Tools L M H P
- MA-04 Nonlocal Maintenance L M H P
- PL-09 Central Management L M H P
- RA-05 Vulnerability Monitoring and Scanning L M H P
- SC-07 Boundary Protection L M H P
- SC-23 Session Authenticity L M H P
- SC-26 Decoys L M H P
- SC-28 Protection of Information at Rest L M H P
- SC-44 Detonation Chambers L M H P
- SI-04 System Monitoring L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P
- SI-08 Spam Protection L M H P
- SI-15 Information Output Filtering L M H P