Restrict downloading to reduce malicious code attacks.


CONTROL ID
04576
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Software and information processing facilities are vulnerable to attacks by computer viruses and other malicious software. Procedures and responsibilities should be established to detect and prevent attacks. AIs should put in place adequate controls such as: - prohibiting the download and use of un… (3.5.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Does the organization minimize the risks of virus propagation by limiting or restricting software downloads/uploads? (Table Row VIII.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • There should be documented standards / procedures related to malware protection software, which specify steps required to reduce the risk of malware being downloaded. (CF.10.03.01d, The Standard of Good Practice for Information Security)
  • The risk of downloading malware should be reduced by restricting the sources from which mobile code can be downloaded (e.g., by providing a blacklist of forbidden websites). (CF.10.03.08a, The Standard of Good Practice for Information Security)
  • The risk of downloading malware should be reduced by limiting the downloading of specific types of mobile code. (CF.10.03.08b, The Standard of Good Practice for Information Security)
  • The risk of downloading malware should be reduced by allowing only trusted mobile code to be downloaded (i.e., signed with a trusted digital certificate). (CF.10.03.08d, The Standard of Good Practice for Information Security)
  • The risk of downloading malware should be reduced by running mobile code in a protected environment (e.g., a quarantine area, such as a Java 'sandbox' or a proxy server in a 'demilitarised zone'). (CF.10.03.08e, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures related to malware protection software, which specify steps required to reduce the risk of malware being downloaded. (CF.10.03.01d, The Standard of Good Practice for Information Security, 2013)
  • The risk of downloading malware should be reduced by restricting the sources from which mobile code can be downloaded (e.g., by providing a blacklist of forbidden websites). (CF.10.03.08a, The Standard of Good Practice for Information Security, 2013)
  • The risk of downloading malware should be reduced by limiting the downloading of specific types of mobile code. (CF.10.03.08b, The Standard of Good Practice for Information Security, 2013)
  • The risk of downloading malware should be reduced by allowing only trusted mobile code to be downloaded (i.e., signed with a trusted digital certificate). (CF.10.03.08d, The Standard of Good Practice for Information Security, 2013)
  • The risk of downloading malware should be reduced by running mobile code in a protected environment (e.g., a quarantine area, such as a Java 'sandbox' or a proxy server in a 'demilitarised zone'). (CF.10.03.08e, The Standard of Good Practice for Information Security, 2013)
  • ¶ 8.2.3(4) Protection against Malicious Code. ¶ 8.2.3 Protection against Malicious Code. An organization should implement safeguards to prevent malicious code, which may be introduced into systems through external connections and through files and software introduced from portable disks. Malicious… (¶ 8.2.3(4), ¶ 9.2 Table Row "Procedural Safeguards", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021 Restrict Web-Based Content, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Mobile code should be downloaded only from trusted DoD sources over assured channels and should not be allowed to be downloaded from non-DoD sources. Examine the Internet browser configuration settings to verify mobile code and unauthorized programs are being prevented from being downloaded. Interv… (§ 5 (WIR0465), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • Host software and Department of Defense workstations must be configured to prevent prohibited mobile code from being downloaded and executed. (DCMC-1(5), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Web browsers should be configured to prompt users before installing software on the client and configured to prevent unsigned ActiveX and other mobile code from being unknowingly downloaded and installed on the system. (§ 5.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • The organization should develop a policy on downloading software, such as avoiding downloads from suspicious or unknown sites. (§ 4.1.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The Information System should prevent prohibited mobile code from being downloaded and executed. (App F § SC-18(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system prevents the download and execution of {organizationally documented unacceptable mobile code}. (SC-18(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code]. (SC-18(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code]. (SC-18(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code]. (SC-18(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)