CIS Control 2: Inventory and Control of Software Assets
This article delves into CIS Control 2: Inventory and Control of Software Assets and the ten sub-controls associated with the second basic CIS Control.
This control goes hand in hand with CIS Control 1: Inventory and Control of Hardware Assets. Attackers constantly probe organizations for vulnerable versions of software that can be exploited. Often they distribute malicious web pages or files through their own sites or through compromised third-party sites; once a victim opens that content on a machine running the vulnerable software, the attacker compromises the machine and installs a backdoor to retain long-term control over it. Simply put, an organization cannot effectively secure its assets without knowing and controlling which software is deployed in its environment. That is why CIS considers Control 2 a basic security control that every organization must include in its cybersecurity strategy. Let's break down the ten sub-controls associated with CIS Control 2:
2.1: Maintain Inventory of Authorized Software
- Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
This sub-control highlights the importance of maintaining an up-to-date inventory of all authorized software needed to run the business. Systems whose software has never been assessed are a standing risk: an unmonitored machine may be running unpatched or malicious software that nobody has detected. With that foothold in the network, an attacker can exfiltrate sensitive company data and pivot from the one infected system to other machines and networks.
2.2: Ensure Software is Supported by Vendor
- Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Once a vendor stops supporting a product, security patches and updates are no longer issued, so every vulnerability found after that date stays open. That is why attackers target organizations running outdated, unsupported software through known vulnerabilities. Any unsupported software in your environment must be tagged as such in the inventory, and an alternative should be adopted where possible. Learn more about the security risks of running outdated software in our whitepaper: The Problem with Running Outdated Software.
2.3: Utilize Software Inventory Tools
- Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems
2.4: Track Software Inventory Information
- The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
Tools like NNT's Change Tracker Gen7 R2 and Vulnerability Tracker help audit installed software and check it for known vulnerabilities.
Change Tracker and Vulnerability Tracker let your organization record the name, version, publisher and install date of all installed software, including authorized operating systems, plus whatever further attributes matter to you. Change Tracker also captures each application's patch level, so you can confirm that the latest version is installed.
2.5: Integrate Software and Hardware Asset Inventories
- The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location
For ease of management, this sub-control calls for tying the hardware and software asset inventories together so both can be managed from one central location: every device in the hardware inventory has its installed software recorded against it. NNT's SecureOps suite continuously scans your environment for new devices, maintains an up-to-date inventory of what is running on them, and documents any changes for you to review.
2.6: Address Unapproved Software
- Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
This sub-control requires organizations to act on any unauthorized software that has been detected: remove it or, if it turns out to be needed, approve it and update the inventory. It has been estimated that one in four employees have installed software on their business systems without prior approval from the IT department. The act is rarely malicious, but the consequences of running unauthorized software range from software-licensing claims and fines to an unvetted, unpatched program giving attackers a way in. Don't fall victim to shadow IT: make sure all unauthorized software is removed from the network.
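The reconciliation that sub-controls 2.2, 2.4 and 2.6 describe, as an added example (not code from the original page and not an NNT product): it takes the name/version/publisher/install-date records a software inventory tool collects, compares them with the authorized list, and flags what is unauthorized, on an unapproved version, or past the vendor's end of support. The inventory records, the authorized list, the end-of-support dates and the AS_OF date are constructed sample data.

```python
"""Reconcile a software inventory against the authorized list (CIS 2.2, 2.4, 2.6).

Added illustration; not NNT code and not the output of any NNT product.
All data below is constructed sample data: a real run would feed in the
records the inventory tool collects and the vendors' published lifecycle dates.
"""
from dataclasses import dataclass
from datetime import date

# 2.4: the attributes the inventory system records per package.
# Constructed sample in "name|version|publisher|install date" form.
INVENTORY = """\
openssl|1.1.1w|OpenSSL Project|2023-09-11
openssl|3.0.13|OpenSSL Project|2024-02-01
python3|3.8.18|Python Software Foundation|2023-10-02
nginx|1.24.0|F5|2024-01-15
7zip|19.00|Igor Pavlov|2022-03-03
coolgame|2.1|Unknown|2024-05-20
"""

# 2.1: authorized software, keyed by name, with the approved release branches
# (constructed sample).
AUTHORIZED = {
    "openssl": {"3.0"},
    "python3": {"3.11"},
    "nginx": {"1.24"},
    "7zip": {"19.00"},
}

# 2.2: vendor end-of-support date per (name, branch). Constructed sample;
# a branch whose date is in the past is unsupported.
END_OF_SUPPORT = {
    ("openssl", "1.1"): date(2023, 9, 11),
    ("python3", "3.8"): date(2024, 10, 7),
}

# The date the reconciliation is run (constructed, so the result is stable).
AS_OF = date(2025, 1, 1)


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    publisher: str
    installed: date


def parse_inventory(text: str) -> list[Package]:
    """Parse the pipe-separated inventory export into Package records."""
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, publisher, installed = line.split("|")
        packages.append(Package(name, version, publisher, date.fromisoformat(installed)))
    return packages


def branch(version: str) -> str:
    """Release branch used for approval and support decisions: '3.0.13' -> '3.0'."""
    return ".".join(version.split(".")[:2])


def reconcile(packages, authorized, end_of_support, today):
    """Return (finding, package) pairs for everything that needs action.

    unauthorized       - name is not on the authorized list at all (2.6)
    unapproved-version - name is authorized, but this branch is not (2.6)
    unsupported        - vendor support for this branch has ended (2.2)
    A package can carry more than one finding.
    """
    findings = []
    for pkg in packages:
        b = branch(pkg.version)
        if pkg.name not in authorized:
            findings.append(("unauthorized", pkg))
        elif b not in authorized[pkg.name]:
            findings.append(("unapproved-version", pkg))
        eol = end_of_support.get((pkg.name, b))
        if eol is not None and eol <= today:
            findings.append(("unsupported", pkg))
    return findings


def summarize(findings):
    """Group findings as {finding: sorted 'name version' strings} for a report or ticket."""
    summary = {}
    for finding, pkg in findings:
        summary.setdefault(finding, []).append(f"{pkg.name} {pkg.version}")
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    report = summarize(reconcile(parse_inventory(INVENTORY), AUTHORIZED, END_OF_SUPPORT, AS_OF))
    for finding, items in sorted(report.items()):
        print(f"{finding}: {', '.join(items)}")
```

In practice the inventory text comes from the inventory tool's export (the package manager or the registry Uninstall keys an agent reads) and END_OF_SUPPORT from the vendors' published lifecycle pages. Matching on the release branch rather than the exact version is deliberate: patch releases within an approved branch should not raise a finding, but an unapproved branch should, even while the vendor still supports it.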
2.7: Utilize Application Whitelisting
- Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
In this sub-control, organizations are advised to use application whitelisting technology. Application whitelisting means building a list of allowed software and permitting only software on that list to run on the system. Anything not on the list is blocked from running until it has been reviewed and approved by your IT department. This inverts the traditional antivirus model: instead of trying to recognize every bad program, you name the good ones and deny everything else.
2.8: Implement Application Whitelisting of Libraries
- The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.ps1, *.so, etc.) are allowed to load into a system process.
2.9: Implement Application Whitelisting of Scripts
- The organization's application whitelisting software must ensure that only authorized digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
By restricting which libraries (*.dll, *.ocx, *.so) a process may load and which scripts (*.ps1, *.py, Office macros) may run, you close two well-known ways around an executable-only whitelist: loading a malicious library into an already-approved program, and running attacker code through an approved interpreter such as PowerShell or Python. Requiring scripts to be digitally signed, as sub-control 2.9 does, means an edited or dropped script fails to run even if its file name matches an approved one.
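The validation logic behind sub-controls 2.7 to 2.9, as an added example (not code from the original page, and not how NNT FAST Cloud or any operating-system enforcement feature is implemented): it records the SHA-256 of every executable, library and script in a known-good tree, then re-scans the tree and classifies each monitored file as allowed, modified, unknown or missing. The directory tree, file names, file contents and monitored extensions are all constructed for the example and created in a temporary directory so it runs offline.

```python
"""Hash-based allowlist validation for executables, libraries and scripts (CIS 2.7-2.9).

Added illustration; not NNT code and not an implementation of any NNT or OS
allowlisting product. It shows the classification a validation tool performs,
not the execution-time blocking that AppLocker/WDAC or fapolicyd do.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed subset of file types covered by the allowlist: executables (2.7),
# libraries that load into a process (2.8) and scripts (2.9).
MONITORED = {".exe", ".dll", ".ocx", ".so", ".ps1", ".py", ".sh"}


def sha256(path: Path) -> str:
    """SHA-256 of a file's content, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def monitored_files(root: Path):
    """Yield every regular file under root whose extension is on the monitored list."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in MONITORED:
            yield path


def build_allowlist(root: Path) -> dict[str, str]:
    """Known-good state: relative POSIX path -> SHA-256 of content."""
    return {p.relative_to(root).as_posix(): sha256(p) for p in monitored_files(root)}


def validate(root: Path, allowlist: dict[str, str]) -> dict[str, str]:
    """Classify every monitored file under root against the allowlist.

    allowed  - content hash is on the allowlist (at any path, so a renamed
               copy of an approved binary still passes)
    modified - the path is known but its content is not: a replaced library,
               patched binary or edited script
    unknown  - neither the path nor the hash is known: a new, unapproved file
    missing  - on the allowlist but no longer present (keep the inventory current)
    """
    approved_hashes = set(allowlist.values())
    verdicts = {}
    for path in monitored_files(root):
        rel = path.relative_to(root).as_posix()
        digest = sha256(path)
        if digest in approved_hashes:
            verdicts[rel] = "allowed"
        elif rel in allowlist:
            verdicts[rel] = "modified"
        else:
            verdicts[rel] = "unknown"
    for rel in allowlist:
        if rel not in verdicts:
            verdicts[rel] = "missing"
    return verdicts


def write(root: Path, rel: str, content: bytes) -> None:
    """Helper for the demo: create a file (and its parent directories) under root."""
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)


def demo() -> dict[str, str]:
    """Build a constructed tree, approve it, tamper with it, and re-validate."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed known-good state; contents are placeholders, not real binaries.
        write(root, "bin/app.exe", b"MZ app v1")
        write(root, "lib/helper.dll", b"MZ helper v1")
        write(root, "scripts/deploy.ps1", b"Write-Host 'deploy'")
        write(root, "README.txt", b"not a monitored type")
        allowlist = build_allowlist(root)

        # Constructed changes after approval.
        write(root, "lib/helper.dll", b"MZ helper TROJANIZED")          # library swapped in place (2.8)
        write(root, "scripts/dropper.ps1", b"Invoke-Expression (Get-Content payload.txt)")  # new script (2.9)
        write(root, "bin/app-copy.exe", b"MZ app v1")                    # approved content, new name (2.7)
        (root / "scripts" / "deploy.ps1").unlink()                       # approved file removed

        return validate(root, allowlist)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9} {rel}")
```

The "modified" verdict on lib/helper.dll is the library-replacement case that an executable-only whitelist never sees, and "unknown" on scripts/dropper.ps1 is the script a signing requirement would refuse to run. Two practical caveats: enforcement must happen at load and execution time through the operating system's own mechanism (AppLocker or WDAC on Windows, fapolicyd on RHEL-family Linux), with a scan like this used for validation and drift reporting; and a pure hash allowlist has to be regenerated after every patch cycle, which is why publisher-signature rules are commonly used for vendor software and hashes reserved for files that are not signed.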
2.10: Physically or Logically Segregate High-Risk Applications
- Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.
In this sub-control, organizations are advised to isolate applications that are fundamentally riskier than others, for example legacy software that cannot be patched or tools that must process untrusted input, either through network segmentation or by running them on a dedicated operating system and workstation. NNT recommends looking at NNT Change Tracker Gen7 R2 with its integrated ITSM option, along with NNT Vulnerability Tracker, to assist in aligning with Control 2.
CIS Control 2 can be summarized into three key steps:
1. Identify and document all software
2. Develop an approved software whitelist
3. Manage software through regular scanning and updates
NNT Change Tracker tracks installed software and updates, exposes any additions, changes or removals, and identifies any drift from the authorized software list. NNT Vulnerability Tracker identifies all missing or recommended patches and version updates for software products. NNT FAST Cloud provides interventionless validation of whitelisted files, which some organizations prefer to process-blocking technology.
An organization with no knowledge of what software is running on its computers is exposed to unnecessary risk. That's why it's crucial for an organization to keep track of its software.
Like all CIS Controls, maintaining software inventory is an ongoing, constantly evolving responsibility that requires the right tools, processes, and policies to keep your network current and secure from attack.
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises