The second post in this series, Breaking Down The Critical Security Controls, naturally moves to the second in the list. CSC 2, like number 1, is about inventory and keeping track of all the software in your environment. Software tells your hardware what to do, it’s only common sense that the security team knows what’s inside doing what.
CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
This control, like CSC 1, is about gathering and maintaining a catalog of software within your environment. This is an important aspect to any security program because there cannot be effective policies and procedures applied to an unknown landscape.
The best approach to this control is to combine these efforts with CSC 1 when the inventory of devices is created. There are potentially hundreds of software tools, utilities and versions in your environment from server control, workstation tools, custom applications and all the backend components. Like the hardware this inventory will be complex.
Start small with the big installation footprints. Operating systems, Office, databases, web servers, and other software installations that are installed company wide. Don’t attempt to inventory each device, rather each installation.
Profile what the software does for the company and begin to create the authorization process for future procurements. Eventually you will be able to take these requirements to the vendors and use it in your vetting process.
To slow the spread of unauthorized or unknown installations create prohibitive controls, Group Policies in Windows and/or enforce it at your endpoint security utility to block anyone from installing any software. To ensure compliance and that your inventories are accurate as they can be leverage your change control system, use the help desk and IT management teams.
All software installs should be requested from a set pool of approved tools and installed by the proper IT resource, never by an employee directly.
How It Could Be Exploited
This control will help identify any potential malicious software from entering the environment maliciously but it will primarily help control the inadvertent damage as well. Almost of 1/3 of all breaches and damages to a company are done through non-malicious events and human error. In this case it could be as simple as someone installing a different web browser than what the company standard is. This might be fine in most cases except for the favorite plug-in they use which has a vulnerability that allowed an attacker or virus inside.
Another scenario is the piece of software the security team is unaware of that exists in the environment that has a recently published zero day warning. That software goes un-patched because the team did not know it was inside and opens the door to unwanted problems.
You only know what you know and can only protect and maintain components when you know they exist. This is the context for this CIS control. Knowledge of what’s in the environment and how it got there. Having an inventory of existing software in the environment and a detailed authorization process to approve new software from being procured and installed will greatly improve your security posture.
In partnership with the hardware inventory as detailed in CSC 1 the security teams, IT teams, procurement teams will have a far better profile of the environment. It may seem tedious work to get all this together, believe me it is, but it will significantly help downstream operations become stronger such as incident response, patch and configuration management, compliance, monitoring and reporting, and building your budgets. When you can bring cost savings and financial management into the mix, you will always get attention to the effort.
End of line.
You can link and review this blog series on Breaking Down The CSC Top 20 here.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.