Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
Ensuring that only trusted software can run on your systems is like casting a powerful spell to ward off dark forces. CIS Safeguard 2.5, "Allowlist Authorized Software," is akin to the protective enchantments used at Hogwarts School of Witchcraft and Wizardry to keep out dark magic.
The Sorting Hat of Software
Think of the allowlist as the Sorting Hat at Hogwarts. Just as the hat sorts students into houses based on their qualities, the allowlist sorts software into trusted and untrusted categories. Only the trusted, pre-approved applications are allowed to run, much like how students are assigned to the house that best suits them.
Enchanting the Gates
Hogwarts is protected by numerous magical wards and enchantments that prevent unauthorized access. Similarly, an allowlist acts as a digital ward, blocking any unauthorized software from executing. This safeguard ensures that only the software you trust, and have vetted, can operate within your network, much like the enchantments that keep Hogwarts safe from dark wizards.
Constant Vigilance
In the magical world, vigilance is key to maintaining security. The allowlist needs regular updates to ensure new, trusted software is added and potential threats are excluded. This ongoing vigilance ensures your network remains as secure as Hogwarts, where the defenses are constantly monitored and reinforced.
To implement CIS Safeguard 2.5: Allowlist Authorized Software effectively, organizations should follow these key practices:
- Define Authorized Software: Establish a clear policy for approved applications and set up a process for requesting new software.
- Use Centralized Tools: Deploy centralized allowlisting tools like Microsoft AppLocker or an EDR solution to enforce allowlists across devices.
- Tailor by Role: Create role-based allowlists to ensure users only access the tools they need for their jobs.
- Review Regularly: Schedule reviews to update the allowlist, removing outdated software and adding new approved applications.
- Enable Logging: Log unauthorized software attempts to monitor for potential threats and identify gaps in the allowlist.
- Educate Users: Inform employees about the allowlist process to ensure smooth workflows and adherence to policy.
- Test Allowlist: Test allowlisting in a controlled environment to prevent disruptions when fully implemented.
By combining allowlisting with other security layers, organizations enhance protection against unauthorized software while maintaining operational efficiency.
Resources
Here’s a link to the Software Asset Management Policy Template for CIS Control 2 provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 2 – Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Safeguard 2.5 - Allowlist Authorized Software
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.