by Marian Bodunrin
The first of the CIS Controls for internet security is taking an inventory of authorized and unauthorized devices/hardware. The second CIS control is so similar it’s natural to wonder why it was granted its own control: an inventory of authorized and unauthorized software. The purpose and some of the methods are similar, but software is more fluid than hardware. Adding software is common, updates are necessary, and vulnerability reports can require reassessing existing software.
Unauthorized software, in this context, simply means software that hasn't been authorized, not necessarily forbidden software. Users may have leeway to install applications without explicit permission. However, a secure network needs to identify and assess the software which is installed on each machine, especially if it isn't pre-approved.
The potential complexity of implementing control 2, as well as control 1, pales in comparison to its importance to a responsive security program.
There are several risks in unauthorized software:
Methods of tracking software
Endpoint management is as useful in tracking software as it is in tracking hardware. A software agent in each machine will report installed software and versions. Inventories need to run frequently, since new software can be installed at any time. Automated asset discovery tools exist, allowing for more accurate data and less confusion and ambiguity.
Not all machines can have agents; for example, it's usually impractical to require them on personal mobile devices and home computers. Their owners are not likely to agree to list all the software on those machines either, or to be able to find it all even with their best efforts. Network managers can compensate for this lack by restricting access from these machines and monitoring their network activity.
A whitelist, covering software which is explicitly authorized and up to date, lets IT management focus on whatever other software is present. Some networks may allow only authorized software; others may consider it case by case, even blacklisting unauthorized applications. Servers should never have software which isn't there for an explicit reason, but desktop machines and mobile devices may need more flexibility.
If endpoint management isn't suitable for a network, it needs to have policies on installing software. Setting rules (e.g., "no games" or "no installation without specific permission") and requiring users to report any applications they install is much better than nothing. Periodic audits of machines, merging the results into the inventory, will get people to take the policies seriously.
The list of authorized software and accepted versions needs to be kept up to date. If an important vulnerability report comes out and the publisher issues a patch, the previously acceptable version can become risky and unacceptable overnight.
This is where the inventory becomes your best asset and demonstrates its full value. If it comprehensively lists the installations of software that needs updating, the IT department can push the update to all the machines. A quick response makes the attackers' window of opportunity as small as possible.
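The tracking and whitelisting described above, and the advisory response in the last two paragraphs, come down to one reconciliation job: compare what agents report against the list of authorized software and minimum accepted versions, flag anything unauthorized or out of date, and, when a patch is released, find every host that still runs the vulnerable version. The following is an added example (not code from the original article or from CIS); the hostnames, package names, versions and the "srv-" naming rule for servers are all constructed for illustration.

```python
"""Reconcile endpoint-agent software reports against an authorized-software
list, then respond to a vulnerability advisory by raising the accepted
version and listing the hosts that need the update pushed to them.

Added example; all hosts, packages and versions are constructed.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple that compares numerically,
    so that '2.10.1' sorts above '2.9' (plain string comparison gets that wrong)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Authorized software (the whitelist) with the minimum accepted version.
# Constructed values, not a real baseline.
AUTHORIZED = {"openssl": "3.0.13", "curl": "8.5.0", "libreoffice": "7.6.0"}

# Constructed agent reports: host -> {package: installed version}.
AGENT_REPORTS = {
    "srv-web-01": {"openssl": "3.0.13", "curl": "8.5.0"},
    "srv-db-01": {"openssl": "3.0.11", "curl": "8.5.0", "netcat": "1.10"},
    "wks-alice": {"openssl": "3.0.13", "curl": "8.4.0",
                  "libreoffice": "7.6.2", "solitaire": "1.0"},
}


def is_server(host: str) -> bool:
    """Assumed naming convention: servers are prefixed 'srv-'. Servers get no
    leeway for unauthorized software; workstations get a review instead."""
    return host.startswith("srv-")


@dataclass
class Finding:
    host: str
    package: str
    version: str
    status: str    # "unauthorized" or "outdated"
    action: str    # "remove", "review" or "update"


def reconcile(reports: dict, authorized: dict) -> list:
    """Flag software that is not on the whitelist, or is below the accepted
    version. Output is sorted by host, then package, for stable reports."""
    findings = []
    for host, installed in sorted(reports.items()):
        for pkg, ver in sorted(installed.items()):
            if pkg not in authorized:
                action = "remove" if is_server(host) else "review"
                findings.append(Finding(host, pkg, ver, "unauthorized", action))
            elif parse_version(ver) < parse_version(authorized[pkg]):
                findings.append(Finding(host, pkg, ver, "outdated", "update"))
    return findings


def apply_advisory(authorized: dict, package: str, fixed_version: str) -> dict:
    """Return a new whitelist with the accepted version for `package` raised to
    the patched release. The old list is left untouched so the change is auditable."""
    updated = dict(authorized)
    if package in updated and parse_version(fixed_version) > parse_version(updated[package]):
        updated[package] = fixed_version
    return updated


def hosts_needing_update(reports: dict, package: str, fixed_version: str) -> list:
    """Every host whose installed copy of `package` is older than the fix:
    this is the push list for the IT department."""
    return sorted(
        host for host, installed in reports.items()
        if package in installed
        and parse_version(installed[package]) < parse_version(fixed_version)
    )


if __name__ == "__main__":
    for f in reconcile(AGENT_REPORTS, AUTHORIZED):
        print(f"{f.host:12} {f.package:12} {f.version:8} {f.status:12} -> {f.action}")
    # A constructed advisory: openssl below 3.0.14 is now considered vulnerable.
    print("push openssl 3.0.14 to:", hosts_needing_update(AGENT_REPORTS, "openssl", "3.0.14"))
    AUTHORIZED = apply_advisory(AUTHORIZED, "openssl", "3.0.14")
```

Because the accepted version lives in the whitelist rather than in the agents, an advisory is handled by one change to the list followed by a re-run of `reconcile`; the previously acceptable 3.0.13 installs then show up as outdated on every host, which is exactly the "acceptable to unacceptable overnight" case the article describes.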
If software is no longer getting support, it will eventually become necessary to remove it from the authorized list. Identifying the situation as early as possible makes it easier to find alternatives before compatibility or security problems arise.
An organization that doesn't know what software is on its computers is open to unnecessary risks. Keeping track of software, by whatever means are best suited to the network's needs, is an essential part of a security strategy.