Maintaining an accurate inventory of software is more than just eliminating potential employee distractions – it can also prevent potential legal and security risks
In this article, I’ll discuss the second CIS Control: Inventory of Authorized and Unauthorized Software, which is perhaps my favorite control.
I certainly won’t shock anyone by saying how great software is and how it has become the core foundation of most businesses. I will, however, note that unaccounted-for software can cause major headaches. As part of CIS security assessments, our CERT team will check to see what applications are installed on each system through the use of one of our scripts (https://github.com/CIS-CERT/CIS-ESP). It is amazing what they’ll find on some of these machines. Which begs us to ask, do you know if any of your employees installed Minecraft, or have an old instance of Java? Not only are unaccounted applications a potential distraction for your employees, they also represent a legal risk if the software isn’t properly licensed or if it allows for mischievous behavior, like peer-to-peer file sharing. Let’s go into a bit more detail on how you can protect your organization from these risks.
What is an inventory?
At a high level, an inventory seems like a simple concept; just a list that says “this is what is allowed.” However, there’s much more to it than that. We see an inventory as part of much larger process that involves a few core components, which we’ve organized into four sub-controls. Like most of the CIS Controls, these recommendations are based on leveraging automated processes as much as possible to arm busy cybersecurity professionals with some time-saving techniques and provide a level of consistency.
The heart of this CIS Control is going be found in software inventory tools that not only provide a current list of software on your systems, but also allow you to determine which of those applications are approved for official use within your organization. In an ideal world, you’ll run an inventory tool, either remotely or through an agent, and it’ll compare the results of the scans to your current approved software inventory, flagging any discrepancies. From there, you have the choice of either removing the identified unapproved software, or setting it aside for review. As part of this inventory, you’ll want to make sure to collect sufficiently detailed information from your software to ensure that you know which versions are supported and which software may need updating.
I have to keep this updated?
Once you inventory your current software, you’ll want to also consider how you’ll update your approved software list (from a process standpoint). Employees have jobs they need to do and sometimes that requires having access to specific software. If you don’t provide a means to allow users to get access to tools they need, they may try to circumvent your controls and you’re no better off. This is where providing a reasonable process for approving software is going to go a long way, in terms of getting buy-in from your employees. If people are really going to need the software, they’ll go through the process (as long as it’s not too painful).
The Dreaded Whitelist
In addition to having a list of approved software and a scanner than can inventory the software on systems, you’ll also want to consider some of the preventive recommendations found in Control 2, such as application whitelisting and virtual machines. The concept of utilizing virtual machines is simple; if there’s a high risk application you absolutely must run, isolate it as much as you can from the environment. It’s not a perfect solution, but it at least provides that additional layer of security.
The NSA Information Assurance Directorate, the U.S. Department of Homeland Security, and the Australian Signals Directorate have all made recommendations that application whitelisting is one of the best means of protecting an organization against cyber-attacks. However, within an environment, it is not necessarily the easiest thing to implement and requires planning and expertise to get right. The effectiveness of the strategy alone should warrant at least a genuine discussion on whitelisting within your organization. To help you along, we’ve provided some great resources regarding application whitelisting:
Information Assurance Directorate (IAD)
Industrial Controls Systems Cyber Emergency Response Team (ICS CERT)
https://ics-cert.us-cert.gov/sites/default/files/documents/Guidelines for Application Whitelisting in Industrial Control Systems_S508C.pdf
Australia Signals Directorate
National Institute of Standards and Technology (NIST)