Hopefully by now you’re seeing a trend. You need full visibility into your environment, and you also need the capability to remove any unauthorized assets or software. I know this may seem kind of basic, but remember, we are only at Control 2. Wait till we get to Control 17 and start discussing Incident Response. But let’s not get ahead of ourselves just yet. After all, we are working with a prescriptive, prioritized, and simplified set of best practices.
In the previous blog, I shared the many different types of software/applications that exist in your environment: the ones installed by your corporate IT, the ones installed by default by the hardware vendor or required by the VM vendor, and then those incredibly amazing apps that your users download and install themselves. Boy, do we love those.
Today, we’re going to talk about ensuring that whatever software you have (and know about) is supported. Now, supported can mean a few things:
- Supported by the manufacturer, i.e., a current version
- Supported from a version perspective, i.e., patched/updated
- Supported from a security perspective to ensure there are no known vulnerabilities
The visibility of knowing what software you have (version/build) and where it lives is only half the battle. The other half is knowing whether that version is supported, patched, and secured. Fortunately, there are many commercial off-the-shelf (COTS) tools that can do this automatically. However, if you’re one of those people who likes to spend hours searching through websites for this info and then comparing it to a spreadsheet, you can do that as well.
Here’s the CIS definition of this Control/Safeguard:
CIS Control 2 - Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Implementation Group 1
CIS Safeguard 2.2 - Ensure Authorized Software is Currently Supported
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without exception documentation, designate it as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
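As an added illustration (not part of the original post or of the CIS documents), the Python below applies the Safeguard 2.2 decision to a constructed inventory, checking the three meanings of "supported" listed above: vendor support still current, at or above the minimum patched version, and no known unpatched vulnerabilities. Product names, end-of-support dates, versions, hosts and the exception record are all placeholders, not real vendor lifecycle data.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class SupportException:
    """Exception record Safeguard 2.2 asks for: controls plus risk acceptance."""
    exception_id: str
    mitigating_controls: str   # e.g. "network isolated, no inbound access"
    risk_accepted_by: str      # owner who accepted the residual risk

@dataclass
class InventoryItem:
    name: str
    version: str               # installed version, dotted numeric
    host: str
    known_vulns: bool = False  # unpatched, publicly known vulnerabilities
    exception: "SupportException | None" = None

# Constructed support reference; names, dates and versions are placeholders,
# not real vendor lifecycle data.
SUPPORT_TABLE = {  # name: (end-of-support date, minimum patched version)
    "ExampleApp": (date(2026, 6, 30), "4.2.1"),
    "LegacyTool": (date(2022, 1, 1), "1.9.0"),
}
REVIEW_DATE = date(2025, 3, 1)  # constructed date of this monthly review
def version_tuple(v): return tuple(int(p) for p in v.split("."))

def unsupported_reasons(item, as_of):
    """Empty list means supported in all three senses used in the post."""
    reasons = []
    entry = SUPPORT_TABLE.get(item.name)
    if entry is None:
        reasons.append("not in support reference")
    else:
        eos, min_patched = entry
        if as_of > eos:
            reasons.append(f"vendor support ended {eos}")
        if version_tuple(item.version) < version_tuple(min_patched):
            reasons.append(f"below minimum patched version {min_patched}")
    if item.known_vulns:
        reasons.append("known unpatched vulnerabilities")
    return reasons

def designate(item, as_of):
    """Safeguard 2.2 decision; an exception counts only if fully documented."""
    reasons = unsupported_reasons(item, as_of)
    if not reasons:
        return "authorized"
    if item.exception and all(vars(item.exception).values()):
        return f"authorized by exception {item.exception.exception_id}"
    return "unauthorized"
```

Running `designate` over every inventory entry on each review date gives the authorized/unauthorized list the safeguard asks for, and an exception missing either its mitigating controls or its risk acceptance is treated as if it did not exist.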