Okay, IT endpoint management pros … do you know what applications are running on which systems? You might think you know, but do you really!? Does your software asset tracking pass muster when measured against the CIS Controls?
This is part two in my five-part series on CIS Controls. Part one covered hardware assets inventory. On this blog, we talk about software asset inventory.
CIS Control 2: Inventory and Control of Software Assets
(Note: The CIS official verbiage is italicized just under the heading for each control or sub-control.)
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
You need to know what apps are installed in your organization for a lot of reasons. A few stand out though.
First, you need to make sure internal policy around application security is enforced. Second, every application is a potential security vulnerability which may need configuration changes or patching. If you don’t know somebody’s running it, you can’t make sure it’s secure. Third, software licensing needs to be kept in line with usage, and vice versa.
If you read part one, you know that the controls and sub-controls are listed in order of priority. In the list below, it’s assumed that you would do 2.1 first, then get to 2.2, and so on. If you don’t get them all, you’ll at least have done the most important ones.
CIS Control 2.1 (Identify): Maintain Inventory of Authorized Software
Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
This sub-control essentially says you should know what software is on all machines. It doesn’t say “at all times,” but that’s implied. A common practice in the past has been to inventory every system at least every 30 days. Given that unauthorized, misconfigured, or out of date software can be a security vulnerability, more frequent inventory may be merited. Some companies may do this daily or hourly.
Whatever interval is selected, you should monitor for non-reporting systems. For example, if your policy is to scan systems every three days, have a monitoring capability in place to identify systems for which software inventory data has not been reported in the last three days.
CIS Sub-Control 2.2 (Identify): Ensure Software Is Supported by Vendor
Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
This is really simple: software not support by vendors is not secure, so don’t use it. If unsupported software is allowed, tag it as unsupported in the inventory system.
The reasoning is that if software is not supported, and a vulnerability is discovered, then you cannot apply a vendor fix because there is no vendor support. There are of course exceptions such as open source software that does get updated, but for which there is no “vendor” as such.
CIS Sub-Control 2.3 (Identify): Utilize Software Inventory Tools
Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
This sub-control is so self-explanatory that there’s not a lot to add. The world is full of tools for doing this. Use one.
Some advanced features you might look for include:
- Binary hash matching (instead of just filename, size, etc.)
- Delta reporting to easily see what’s changed since the last inventory
- Minimal system impact so you don’t kill productivity while taking an inventory
CIS Sub-Control 2.4 (Identify): Track Software Inventory Information
The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
Detailed data regarding each installed application must be captured from all managed endpoints and centrally stored in a database system. You should back this data up frequently.
In addition to the core requirements of this sub-control, consider other elements of the applications that you may need to collect from your endpoints as well. These may include file hashes, language, size, compatibility settings, etc. Your software inventory tool should support the collection of this extended data either natively or through custom inventory options.
CIS Sub-Control 2.5 (Identify): Integrate Software and Hardware Asset Inventories
The software inventory system should be tied into the hardware asset inventory, so all devices and associated software are tracked from a single location.
This is really straightforward. Implement an asset management solution that combines both hardware and software lists, and ties them together. This way, you can track everything from a single location and have a complete, accurate picture.
CIS Sub-Control 2.6 (Respond): Address Unapproved Software
Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
This is the only sub-control in the respond section, meaning you take action here based on events. If you find software that is unauthorized, remove it or update the inventory to show that you’re running unauthorized software. Alternatively, you could decide it is secure in this one particular instance and to authorize it. That should only be done with extreme caution.
CIS Sub-Control 2.7 (Protect): Utilize Application Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
If you’re not familiar with whitelisting, you need to be. It’s critical for endpoint management. When an application tries to run, the OS will look at the whiltelist. If the software is on the whitelist, then it can run. If not, it can’t.
Although this control 2.7 is far down the list of this list of sub-controls, whitelisting in general is a critical technology for the future endpoint security. It’s hard to keep up with the pace of new applications, and flat-out impossible to track all malware that hides as (or in) applications. While creating and maintaining whitelist might take time, the effort is worthwhile.
CIS Sub-Control 2.8 (Protect): Implement Application Whitelisting of Libraries
The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
This sub-control is merely explaining that whitelisting applications is not enough. You also need to whitelist the libraries they call.
CIS Sub-Control 2.9 (Protect): Implement Application Whitelisting of Scripts
The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
For this control, you need to whitelist scripts. It’s not a minor feat, because it means that all your scripts must be digitally signed. Then you also have to disallow execution of unsigned scripts. However, if you want secure endpoints, it’s important. It’s no secret that cyberattackers love gaining access to script engines such as PowerShell.
CIS Sub-Control 2.10 (Protect): Physically or Logically Segregate High-Risk Applications
Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
Once an intruder breaches your company’s network, they’re often going to try to move across it from endpoint to endpoint (aka lateral movement). By segregating critical systems from the rest of the network, you add a level of protection.
If you are an endpoint management IT pro, you need to understand the CIS Controls. Even if you do not implement them in your environment, an awareness may help you make smarter security decisions. If you’d like to learn more about the CIS Controls, you can download a new report from Adapitva, Top 5 CIS Controls and Cybersecurity Best Practices Report.