Implement safeguards to prevent unauthorized code execution.
CONTROL ID
10686
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Application control is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set. (Security Control: 0843; Revision: 8, Australian Government Information Security Manual)
  • Application control is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. (Security Control: 1490; Revision: 2, Australian Government Information Security Manual)
  • Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros. (Security Control: 1487; Revision: 0, Australian Government Information Security Manual)
  • Microsoft Office macros in documents originating from the internet are blocked. (Security Control: 1488; Revision: 0, Australian Government Information Security Manual)
  • preventing the execution of mobile code; (6.6.1 ¶ 1(a), IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Control execution of mobile code; (13.2.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control execution of mobile code; (14.2.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control execution of mobile code; (15.4.1 ¶ 1 a), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control the code execution based upon integrity checks on the mobile code and prior to the code being executed. (14.2.1 ¶ 1 c), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • The host device shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (14.2.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • control the code execution based upon integrity checks on mobile code and prior to the code being executed (15.4.1 ¶ 1 c), IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Mobile code technologies include, but are not limited to, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations and VBScript. Usage restrictions apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual work… (13.2.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (13.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (12.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (14.2.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The host device shall provide the capability to enforce a security policy that allows the device to control execution of mobile code based on the results of an authenticity check prior to the code being executed. (14.2.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control execution of mobile code; (15.4.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control the code execution based upon integrity checks on mobile code and prior to the code being executed (15.4.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Control the code execution based upon integrity checks on the mobile code and prior to the code being executed. (14.2.1 ¶ 1 (c), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Block execution of code on a system through application control, and/or script blocking. (M1038 Execution Prevention, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software. (M1044 Restrict Library Loading, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements {organizationally documented security safeguards} to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls]. (SI-16 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, TX-RAMP Security Controls Baseline Level 1)
  • The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution. (SI-16 Control, TX-RAMP Security Controls Baseline Level 2)