Making a List and Checking it Twice


By Steve Gold
Posted in Security
On May 02, 2023

Okay, so it’s not Christmas time but my hair is getting grayer (whiter) and I’m feeling quite jolly talking about security. And because you’ve been so good reading this blog, you deserve a gift. The gift of reusability.

Now, I’m not talking about that button down shirt you wore yesterday on your video calls hanging over your chair. I’m talking about using the same tool you use to inventory your assets to inventory your software. Most commercial tools that do one will also do the other. The key will be to what level they do it and how far they go. Look at that! A two for one deal!

Like our friend, “The Asset”, having a complete software inventory is a critical foundation for preventing attacks. This includes approved corporate software, default applications, and unapproved software.

Let’s start with approved corporate software. In most cases, you have applications that are not kept current, either in version or in vulnerability patches. Perhaps an older browser hitting a malicious site. Or an older, unsupported version of your operating system, productivity apps, virtualization software, whatever.

Then come the default applications (aka “productivity applications”) installed on your endpoints. There are typically a host of these default productivity applications that, in most cases, do not provide any value to you and create security risk. These applications may not have any type of auto-update and will need to be updated manually or through yet another default productivity tool.

Lastly, I’m willing to bet there are other unsupported applications on your network. Maybe an image converter software to convert HEIC files to JPG or maybe a PDF viewer/editor or some tool to make Excel do things without scripting. These applications are everywhere. Without visibility into what’s on your network, what’s approved, and what’s supported, you’re flying blind. Attackers continuously scan for vulnerable versions of software that can be exploited.

Once compromised, backdoor programs can be installed that give attackers long term control of the system. This opens the door for lateral movement and the potential to escalate privileges and expand their footprint and capabilities.

This not only creates security risks but can have business/financial impacts as well. Paying for software licensing that you’re not using is, unfortunately, very common and can cost companies a significant amount of money.

Without a complete inventory of your software, you can’t protect what you can’t see. Yeah. I said it again because it’s true.

Here’s the CIS definition of this Control/Safeguard:

CIS Control 2 - Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Implementation Group 1

CIS Safeguard 2.1 - Establish and Maintain a Software Inventory

Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
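To make the Safeguard concrete, here is an added example (not from the post, and not CIS or Gotham code) of the reconciliation step that turns a raw endpoint scan into the three buckets the post describes: approved-but-outdated or unsupported corporate software, tools with no business purpose recorded, and software that is not on the approved list at all. It also checks the bi-annual review cadence from Safeguard 2.1. Every product name, publisher, version, date and host below is constructed sample data; the approved list and its minimum-version/support-end columns are a hypothetical layout, not a CIS format.

```python
"""Reconcile an endpoint software inventory against an approved-software list.

Added example, not code from the original post or from CIS. It models the
three categories the post describes (approved corporate software, default
"productivity" applications, and unapproved tools) and the Safeguard 2.1
record fields (title, publisher, install date, business purpose, version).
All software names, versions, hosts and dates are constructed sample data.
"""
from datetime import date

# Safeguard 2.1 minimum fields every inventory record must carry.
REQUIRED_FIELDS = ("title", "publisher", "install_date", "business_purpose")

# Constructed approved-software list (hypothetical layout): min_version is the
# oldest build still allowed, support_end is the vendor's end-of-support date.
APPROVED = {
    "ExampleBrowser": {"publisher": "Example Corp", "min_version": "110.0",
                       "support_end": date(2026, 1, 1)},
    "OfficeSuite": {"publisher": "Example Corp", "min_version": "16.0",
                    "support_end": date(2025, 10, 14)},
    "HypervisorTools": {"publisher": "VirtCo", "min_version": "12.1",
                        "support_end": date(2023, 3, 31)},
}

# Constructed endpoint scan results, as an agent or asset tool might report them.
INVENTORY = [
    {"host": "ws01", "title": "ExampleBrowser", "publisher": "Example Corp",
     "version": "108.2", "install_date": "2022-11-03", "business_purpose": "web access"},
    {"host": "ws01", "title": "OfficeSuite", "publisher": "Example Corp",
     "version": "16.4", "install_date": "2023-01-15", "business_purpose": "documents"},
    {"host": "ws02", "title": "HypervisorTools", "publisher": "VirtCo",
     "version": "12.3", "install_date": "2021-06-20", "business_purpose": "VM guest tools"},
    {"host": "ws02", "title": "HEIC2JPG Converter", "publisher": "Unknown",
     "version": "1.0", "install_date": "2023-02-02"},  # no business purpose recorded
    {"host": "ws03", "title": "OfficeSuite", "publisher": "Someone Else",
     "version": "16.4", "install_date": "2023-01-15", "business_purpose": "documents"},
]

TODAY = date(2023, 5, 2)          # constructed "as of" date for the run
LAST_REVIEW = date(2022, 9, 1)    # constructed date of the last inventory review


def parse_version(text):
    """Turn '16.4.2' into (16, 4, 2) so versions compare numerically, not lexically."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(record, approved, today):
    """Return the list of findings for one inventory record (empty means it is fine)."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        findings.append("incomplete:" + ",".join(missing))
    entry = approved.get(record.get("title"))
    if entry is None:
        findings.append("unapproved")
        return findings
    if record.get("publisher") != entry["publisher"]:
        # Same title from a different publisher is not the approved product.
        findings.append("publisher-mismatch")
    if parse_version(record.get("version", "0")) < parse_version(entry["min_version"]):
        findings.append("outdated")
    if today > entry["support_end"]:
        findings.append("unsupported")
    return findings


def reconcile(inventory, approved, today):
    """Map (host, title) -> findings for every record that needs attention."""
    report = {}
    for record in inventory:
        findings = classify(record, approved, today)
        if findings:
            report[(record["host"], record["title"])] = findings
    return report


def review_overdue(last_reviewed, today, max_days=183):
    """Safeguard 2.1 asks for a review at least bi-annually (about every 183 days)."""
    return (today - last_reviewed).days > max_days


if __name__ == "__main__":
    for key, findings in sorted(reconcile(INVENTORY, APPROVED, TODAY).items()):
        print(f"{key[0]:5} {key[1]:20} {', '.join(findings)}")
    print("inventory review overdue:", review_overdue(LAST_REVIEW, TODAY))
```

Records with no findings (ws01's OfficeSuite) stay out of the report, so the output is the work list rather than the full inventory. The publisher check matters because an allowlist keyed only on title will happily wave through a same-named package from an unknown source, which is exactly the kind of unapproved software the post is warning about.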

Steve Gold


Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.