Making a List and Checking it Twice

By Steve Gold
Posted in Security
On May 02, 2023

Okay, so it’s not Christmas time but my hair is getting grayer (whiter) and I’m feeling quite jolly talking about security. And because you’ve been so good reading this blog, you deserve a gift. The gift of reusability.

Now, I’m not talking about that button-down shirt you wore yesterday on your video calls, still hanging over your chair. I’m talking about using the same tool you use to inventory your assets to inventory your software. Most commercial tools that do one will also do the other. The key is to what level they do it and how far they go. Look at that! A two-for-one deal!

As with our friend “The Asset”, a complete software inventory is a critical foundation for preventing attacks. It has to cover approved corporate software, the default applications that ship on your endpoints, and the unapproved software that gets installed anyway.

Let’s start with approved corporate software. In most environments, some of it is out of date, either running an old version or missing patches for known vulnerabilities. Perhaps an older browser hitting a malicious site. Or an older, unsupported version of your operating system, productivity apps, virtualization software, whatever.

Then come the default applications (aka “productivity applications”) installed on your endpoints. There are typically a host of these that, in most cases, provide no value to you and yet create security risk. Many have no auto-update mechanism at all and must be updated manually or through yet another default productivity tool.

Lastly, I’m willing to bet there are other unapproved and unsupported applications on your network. Maybe an image converter for turning HEIC files into JPGs, a PDF viewer/editor, or some tool to make Excel do things without scripting. These applications are everywhere. Without visibility into what’s on your network, what’s approved, and what’s supported, you’re flying blind. Attackers continuously scan for vulnerable versions of software that can be exploited.

Once a system is compromised, attackers can install backdoors that give them long-term control of it. That opens the door to lateral movement, privilege escalation, and an ever-expanding footprint and set of capabilities.

This not only creates security risk but can have business and financial impact as well. Paying for software licenses you’re not using is, unfortunately, very common and can cost companies a significant amount of money.

Without a complete inventory of your software, you can’t protect what you can’t see. Yeah. I said it again because it’s true.

Here’s the CIS definition of this Control/Safeguard:

CIS Control 2 - Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Implementation Group 1

CIS Safeguard 2.1 - Establish and Maintain a Software Inventory

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
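Here is what checking an inventory against that safeguard looks like in practice. This is an added example, not code from the original post or from CIS: it takes a software inventory as an asset-inventory tool might report it (the host list, the approved-software list and the version numbers below are constructed for illustration) and flags the four things the post has been talking about: software that isn’t on the approved list, approved software running below the supported version, entries missing the fields Safeguard 2.1 requires, and entries that haven’t been reviewed within the bi-annual window.

```python
from datetime import date, timedelta

# Fields CIS Safeguard 2.1 says every inventory entry must document.
REQUIRED_FIELDS = ("title", "publisher", "install_date", "business_purpose")

# "Bi-annually, or more frequently": an entry not reviewed in 180 days is stale.
REVIEW_INTERVAL = timedelta(days=180)

# Constructed approved-software list (hypothetical titles and versions):
# title -> minimum version still supported by the enterprise.
APPROVED = {
    "Example Browser": (110, 0),
    "Example Office": (16, 0),
    "Example VPN": (3, 2),
}

# Constructed per-host inventory, shaped like what an asset-inventory agent
# would export. Empty strings stand for fields the tool could not populate.
INVENTORY = [
    {"host": "wks-01", "title": "Example Browser", "publisher": "Example Corp",
     "version": "112.0", "install_date": "2023-01-10",
     "business_purpose": "web access", "last_reviewed": "2023-04-01"},
    {"host": "wks-01", "title": "Example Browser", "publisher": "Example Corp",
     "version": "98.0", "install_date": "2022-03-15",           # old copy left behind
     "business_purpose": "web access", "last_reviewed": "2023-04-01"},
    {"host": "wks-02", "title": "HEIC2JPG Converter", "publisher": "",
     "version": "1.4", "install_date": "2023-02-20",             # user-installed freeware
     "business_purpose": "image conversion", "last_reviewed": ""},
    {"host": "wks-03", "title": "Example Office", "publisher": "Example Corp",
     "version": "16.1", "install_date": "",                      # install date unknown
     "business_purpose": "productivity", "last_reviewed": "2023-04-01"},
    {"host": "wks-03", "title": "Example VPN", "publisher": "Example Corp",
     "version": "3.2", "install_date": "2021-11-02",
     "business_purpose": "remote access", "last_reviewed": "2022-06-01"},  # stale review
]


def parse_version(text):
    """Turn '112.0' into (112, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def audit(inventory, approved, today):
    """Return one finding dict per problem; an entry can produce several."""
    findings = []
    for entry in inventory:
        host, title = entry["host"], entry["title"]

        def flag(kind, detail):
            findings.append({"host": host, "title": title, "kind": kind, "detail": detail})

        # 1. Does the entry document everything Safeguard 2.1 requires?
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            flag("missing_fields", ",".join(missing))

        # 2. Is it approved at all, and if so, is it at a supported version?
        if title not in approved:
            flag("unapproved", entry.get("version", ""))
        elif parse_version(entry.get("version", "")) < approved[title]:
            wanted = ".".join(str(n) for n in approved[title])
            flag("outdated", f"{entry.get('version', '')} < {wanted}")

        # 3. Has anyone looked at this entry inside the review window?
        reviewed = entry.get("last_reviewed")
        if not reviewed or today - date.fromisoformat(reviewed) > REVIEW_INTERVAL:
            flag("review_overdue", reviewed or "never")
    return findings


def hosts_with(findings, kind):
    """Sorted list of hosts that have at least one finding of the given kind."""
    return sorted({f["host"] for f in findings if f["kind"] == kind})


if __name__ == "__main__":
    for f in audit(INVENTORY, APPROVED, date(2023, 5, 2)):
        print(f"{f['host']:<8}{f['title']:<20}{f['kind']:<16}{f['detail']}")
```

The point of keeping the checks separate is that each one answers a different question from the post: “unapproved” is the freeware nobody vetted, “outdated” is the approved browser that never got upgraded, “missing_fields” is the entry your tool populated but nobody documented, and “review_overdue” is the bi-annual review CIS asks for. Swap the constructed INVENTORY for an export from whatever tool already inventories your assets and the same logic applies.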

Steve Gold

Steve Gold is Gotham’s Cybersecurity Practice Director. During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, including Dell and VMware. His expertise includes Cloud Computing, Channel Development, Territory Management, and Government Sales. For the past decade, Steve focused on helping State, Local, and Educational organizations secure their data and worked to assist them in implementing technology solutions that address their major business challenges.