If you’ve ever challenged a rule your parents set, you’ve probably heard the phrase, “As long as you live in my house, you’ll live by my rules”. Sometimes, if you’re lucky, it’s followed up with, “You can do whatever you want when you have your own home”. So, what do these painful childhood memories have to do with security? I’m so glad you asked!
Your parents established certain rules/processes to ensure that the home, and everyone in it, is protected. Keeping the front door/windows locked. Keeping the HVAC at 72, etc. These rules help protect you both from a security and financial perspective. It also prevents you from turning your home into a sauna/freezer, but I digress. Realistically, however, the doors/windows will NOT always be locked and someone WILL mess with the thermostat. That’s just how life is.
The same goes for your organization. There need to be rules/processes on what software is allowed on corporate assets, and they protect the organization from both a security and a financial perspective. Attackers continuously scan for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use that foothold to move laterally through the network.
One of the key defenses against these attacks is updating and patching software. Without a complete inventory of software assets, however, an organization cannot determine whether it has vulnerable software installed, or whether it has potential licensing violations. It is critical to inventory, understand, assess, and manage all software connected to an enterprise's infrastructure.
If you identify unauthorized software, I recommend the following:
- Determine if there is a business need for it
- If so, ensure it can be supported and maintained
- If not, remove it
- Contact the user/owner and remind them of the policy on unauthorized software
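To show how the steps above turn into a repeatable monthly review, here is an added example (not code from the original post or from CIS) that compares an endpoint software inventory against an allowlist and a register of documented exceptions. The hosts, owners, software names, and the allowlist are constructed sample data, and the field names are my own assumptions; a real inventory would also key on publisher and version.

```python
"""Triage a software inventory against an allowlist and documented exceptions.

Added illustration for the review steps above; not code from the original post.
All hosts, owners, products and approvals below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installed:
    host: str
    owner: str      # user/owner to contact about the policy (assumed field)
    name: str
    version: str


@dataclass(frozen=True)
class DocumentedException:
    name: str
    host: str       # "*" means the exception covers any host
    approved_by: str
    expires: date   # exceptions are time-boxed so they get re-reviewed


def matches(exc, item):
    return exc.name == item.name and exc.host in ("*", item.host)


def triage(inventory, allowlist, exceptions, today):
    """Bucket each installed item by the action the safeguard requires."""
    findings = {"authorized": [], "exception_active": [],
                "exception_expired": [], "unauthorized": []}
    for item in inventory:
        if item.name in allowlist:
            findings["authorized"].append(item)
            continue
        exc = next((e for e in exceptions if matches(e, item)), None)
        if exc is None:
            findings["unauthorized"].append(item)
        elif exc.expires < today:
            findings["exception_expired"].append(item)
        else:
            findings["exception_active"].append(item)
    return findings


def worklist(findings):
    """Follow-up items: decide remove-vs-document, then notify the owner."""
    work = []
    for item in findings["unauthorized"]:
        work.append((item.host, item.owner, item.name,
                     "confirm business need; document exception or remove"))
    for item in findings["exception_expired"]:
        work.append((item.host, item.owner, item.name,
                     "exception expired; renew with approval or remove"))
    return work


def review_overdue(last_review, today, max_days=31):
    """Safeguard 2.3 asks for at least a monthly review."""
    return (today - last_review).days > max_days


# Constructed sample inventory and policy data
TODAY = date(2024, 3, 1)
INVENTORY = [
    Installed("ws-01", "alice", "Google Chrome", "120.0"),
    Installed("ws-01", "alice", "AnyDesk", "8.0"),
    Installed("ws-02", "bob", "7-Zip", "23.01"),
    Installed("ws-02", "bob", "Wireshark", "4.2"),
    Installed("ws-03", "carol", "Wireshark", "4.2"),
    Installed("ws-03", "carol", "Python", "3.12"),
]
ALLOWLIST = {"Google Chrome", "7-Zip", "Microsoft Office"}
EXCEPTIONS = [
    DocumentedException("Wireshark", "ws-02", "secops", date(2024, 4, 30)),
    DocumentedException("Python", "*", "engineering", date(2024, 2, 20)),
]

if __name__ == "__main__":
    result = triage(INVENTORY, ALLOWLIST, EXCEPTIONS, TODAY)
    for bucket, items in result.items():
        print(bucket, [(i.host, i.name) for i in items])
    for entry in worklist(result):
        print("TODO:", entry)
    print("review overdue:", review_overdue(date(2024, 1, 15), TODAY))
```

Note that the Wireshark exception is scoped to one host, so the same product on a different host is still flagged as unauthorized, and that an expired exception is treated as a finding rather than silently accepted; both are the cases that tend to slip through a manual review.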
Here’s the CIS definition of this Control/Safeguard. If you want more detail, DM me.
CIS Control 2 - Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Implementation Group 1
CIS Safeguard 2.3 - Address Unauthorized Software
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.