Modern organizations depend upon a dizzying array of software: operating systems, word processing applications, HR and financial tools, backup and recovery solutions, database systems, and much, much more. These software assets are often vital for critical business operations — but they also pose important security risks. For examples, attackers often target vulnerable software to gain access to corporate networks, and can install malicious software (malware) of their own that can steal or encrypt data or disrupt business operations.
CIS Control 2 is designed to help you mitigate these risks. It advises every organization to create a comprehensive software inventory and develop a sound software management program that includes regular review of all installed software, control over what software is able to run, and more.
Here is a breakdown of the seven sub-controls in CIS Control 2: Inventory and Control of Software Assets.
2.1. Establish and maintain a software inventory
Create and maintain a detailed record of all software on the computers in your network. For each software asset, include as much information as possible: title, publisher, installation date, supported systems, business purpose, related URLs, deployment method, version, decommission date and so on. This information can be recorded in a document or a database.
Keep your software inventory up to date by reviewing and updating it at least twice a year. Some of the sub-controls below provide guidance for what software to remove and why.
One important best practice is to ensure that all operating systems and software applications in your authorized software inventory are still supported by the software vendor. Unsupported software does not get security patches and updates, which increases your organization’s risk exposure because cybercriminals often target known vulnerabilities.
If you find outdated or unsupported software in your environment, try to adopt alternative solutions swiftly. If no alternatives are available and the unsupported software is necessary for your operations, assess the risks it poses and investigate mitigating controls. Then document the exception, any implemented controls and the residual risk acceptance.
Employees sometimes install software on business systems without approval from the IT department. Removing this unauthorized software reduces risk to your business. If a piece of unauthorized software is needed, either add it to the list of authorized tools or document the exception in your software inventory.
Check for unauthorized software as often as possible, at least monthly.
2.4. Utilize automated software inventory tools
Creating and maintaining a software inventory manually can be time consuming and prone to user errors. Accordingly, it’s a best practice to automate the process of discovering and documenting installed software assets whenever feasible.
For example, Netwrix Change Tracker can automatically track all software assets installed in you organization, including application names, versions, dates and patch levels.
Even your best efforts may not ensure that unauthorized software doesn’t get installed on your systems. Therefore, it’s also important to implement controls that ensure that only authorized applications can execute.
Allowlists are more stringent than blocklists. An allowlist permits only specified software to execute, while a blocklist merely prevents specific undesirable programs from running.
You can use a blend of rules and commercial technologies to implement your allowlist. For example, many anti-malware programs and popular operating systems include features to prevent unauthorized software from running. Free tools, such as Applocker, are also available. Some tools even collect information about the installed program’s patch level to help ensure you only use the latest software versions.
A detailed allowlist can include attributes like file name, path, size or signature, which will also help during scanning for unauthorized software not explicitly listed.
In addition to maintaining a software inventory and an allowlist of authorized software, it is critical to ensure that users load files, including applications, only from authorized libraries. You should also train everyone to avoid downloading files from unknown or unverified sources onto your systems and make sure they understand the security risks of violating this policy, including how it could enable attackers to access your systems and data.
Software installation and other administrative tasks often require script interpreters. However, cybercriminals can target these script engines and cause damage to your systems and processes. Developing an allowlist of authorized scripts limits the access of unauthorized users and attackers. System admins can decide who can run these scripts.
This control requires your IT team to sign all your scripts digitally; this might be taxing, but it is necessary to secure your systems. Technical methods for implementing this control include version control and digital signatures.
Summary
Comprehensive software asset management is vital to the security of your organization’s systems and data. CIS Control 2 guides your organization through the processes of identifying, monitoring and automating your software management solutions. This control can be summarized in three practices:
- Identify and document all your software assets and remove unwanted, outdated or vulnerable
- Create an approved software allowlist to help prevent the installation and use of unauthorized software.
- Monitor and manage your software applications through consistent scanning and updates.
Creating and maintaining a software inventory manually is too time consuming and error prone to be a viable approach in any modern network. Netwrix Change Tracker automates the work of tracking all software installed on your systems and keeping you informed about any drift from your authorized software list. It can even be used to identify missing patches and version updates, helping you further strengthen IT system security.