4:00 min read |
The first of the CIS Controls for internet security is taking an inventory of authorized and unauthorized devices/hardware. The second CIS control is so similar it’s natural to wonder why it was granted its own control: an inventory of authorized and unauthorized software. The purpose and some of the methods are similar, but software is more fluid than hardware. Adding software is common, updates are necessary, and vulnerability reports can require reassessing existing software.

Unauthorized software, in this context, simply means software that hasn’t been authorized, not necessarily forbidden software. Users may have leeway to install applications without explicit permission. However, a secure network needs to identify and assess the software which is installed on each machine, especially if it isn’t pre-approved.

The potential complexity of implementing control 2, as well as control 1, pales in comparison to its importance to a responsive security program.

The risks

There are several risks in unauthorized software:

  • Weak security design. The code may share more information than the security policy allows or open ports that create potential weaknesses. These applications may not have known vulnerabilities, but they make the network more porous.
  • Known or chronic vulnerabilities. Some software has chronic security issues. They may get fixed, but new problems keep appearing. Many networks forbid the use of Adobe Flash, for example, for that reason.
  • Lack of support. If updates aren’t available, or if they require manual intervention which they aren’t getting, old versions may have known security flaws. Attackers probe networks or send phishing emails to exploit them.
  • Pirated software. Unlicensed software has to be removed for legal reasons. It doesn’t have access to support, so it’s also a security risk.
  • Applications with covert purposes. People install applications which seem to serve a legitimate purpose but also act as malware installers or spyware. Some of them get into well-known application stores.
  • Malware. Software which was installed surreptitiously and maliciously tries to hide itself, so locating it is difficult. Finding and removing it generally falls under network security rather than asset management.
  • Theft of resources. Surreptitious software that doesn’t do outright damage but steals resources has become an important issue. Most often it’s for processing-intensive tasks like Bitcoin mining. Like malware, it falls under the security category.

Tracking versions is important. Software which is authorized but not up to date can pose serious risks.

Methods of tracking software

Endpoint management is as useful in tracking software as it is in tracking hardware. A software agent in each machine will report installed software and versions. Inventories need to run frequently, since new software can be installed at any time. Automated asset discovery tools exist, allowing for more accurate data and less confusion and ambiguity.

Not all machines can have agents, for example it’s usually impractical to require them on personal mobile devices and home computers. Neither are they likely to agree to list all software on their computers, or to be able to find it all even with their best efforts. Network managers can compensate for this lack by restricting access from these machines and monitoring their network activity.

whitelist, covering software which is explicitly authorized and up to date, lets IT management focus on whatever other software is present. Some networks may allow only authorized software; others may consider it case by case even blacklisting unauthorized applications. Servers should never have software which isn’t there for an explicit reason, but desktop machines and mobile devices may need more flexibility.

If endpoint management isn’t suitable for a network, it needs to have policies on installing software. Setting rules (e.g., “no games” or “no installation without specific permission”) and requiring users to report any applications they install is much better than nothing. Periodic audits of machines, merging the results into the inventory, will get people to take the policies seriously.

Maintaining security

The list of authorized software and accepted versions needs to be kept up to date. If an important vulnerability report comes out and the publisher issues a patch, the previously acceptable version can become risky and unacceptable overnight.

This is where the inventory becomes your best asset, demonstrating its value in the extreme. If it comprehensively lists the installations of software that needs updating, the IT department can push the update to all the machines. For a quick response makes attackers’ window of opportunity as small as possible.

If software is no longer getting support, it will eventually become necessary to remove it from the authorized list. Identifying the situation as early as possible makes it easier to find alternatives before compatibility or security problems arise.

An organization that doesn’t know what software is on its computers is open to unnecessary risks. Keeping track of software, by whatever means are best suited to the network’s needs, is an essential part of a security strategy.