Support Your Local Software

By Steve Gold
Posted in Security
On May 09, 2023

Hopefully by now you’re seeing a trend. You need full visibility into your environment and you also need both the visibility and capability to remove any unauthorized assets or software. I know this may seem kind of basic, but remember, we are only at Control 2. Wait till we get to Control 17 and start discussing Incident Response. But let’s not get ahead of ourselves just yet. After all, we are working with a prescriptive, prioritized, and simplified set of best practices.

In the previous blog, I shared the many different types of software/applications that exist in your environment. The ones installed by your corporate IT, the ones installed by default by the hardware vendor or required by the VM vendor, and then those incredibly amazing apps that your users are downloading and installing. Boy, do we love those.

Today, we’re going to talk about ensuring whatever software you have, and you know about, is supported. Now, supported can mean a few things:

  • Supported by the manufacturer, i.e., current version
  • Supported from a version perspective, i.e., patched/updated
  • Supported from a security perspective to ensure there are no known vulnerabilities

The visibility of knowing what software you have (version/build) and where it lives is only half the battle. The other half is to know whether that version is supported, patched, and secured. Fortunately, there are many commercial off-the-shelf (COTS) tools that can do this automatically. However, if you’re one of those people who like to spend hours searching through websites for this info and then comparing it to a spreadsheet, you can do that as well.

Here’s the CIS definition of this Control/Safeguard:

CIS Control 2 - Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Implementation Group 1

CIS Safeguard 2.2 - Ensure Authorized Software is Currently Supported

Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate it as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
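The decision logic in Safeguard 2.2, sketched as an added example (not CIS or Gotham code): each inventory entry is checked against an end-of-support date and an exception register, and the review date is checked against the monthly minimum. All product names, dates, and function names are constructed for illustration; treating software with unknown support status as unauthorized and reading "monthly" as 31 days are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: product names and end-of-support dates are
# placeholders, not real vendor lifecycle information.
SUPPORT_END = {  # (product, version) -> vendor end-of-support date
    ("ExampleOffice", "2016"): date(2022, 10, 1),
    ("ExampleOffice", "2021"): date(2026, 10, 1),
    ("ExampleDB", "9.4"): date(2020, 2, 1),
    ("ExamplePDF", "11"): date(2021, 6, 1),
}

@dataclass
class SupportException:
    mitigating_controls: str
    risk_accepted_by: str

    def complete(self) -> bool:
        # Counts only if both mitigating controls and risk acceptance are recorded.
        return bool(self.mitigating_controls.strip() and self.risk_accepted_by.strip())

EXCEPTIONS = {  # constructed exception register
    ("ExampleDB", "9.4"): SupportException("isolated VLAN, no internet egress", "CIO"),
    ("ExamplePDF", "11"): SupportException("", ""),  # filed but never completed
}

def classify(product: str, version: str, today: date) -> str:
    """Return the inventory designation for one software entry."""
    end = SUPPORT_END.get((product, version))
    if end is None:
        # Assumption of this example: unverifiable support is treated as none.
        return "unauthorized"
    if today <= end:
        return "authorized"
    exc = EXCEPTIONS.get((product, version))
    return "authorized-exception" if exc and exc.complete() else "unauthorized"

def review_overdue(last_review: date, today: date, max_age_days: int = 31) -> bool:
    """True when the support review is older than the monthly minimum."""
    return today - last_review > timedelta(days=max_age_days)

def audit(inventory, today: date) -> dict:
    return {f"{p} {v}": classify(p, v, today) for p, v in inventory}

if __name__ == "__main__":
    inv = [("ExampleOffice", "2021"), ("ExampleOffice", "2016"),
           ("ExampleDB", "9.4"), ("ExamplePDF", "11"), ("ShadowApp", "1.0")]
    for name, status in audit(inv, date(2023, 5, 9)).items():
        print(f"{name:20} {status}")
```

An incomplete exception record is deliberately treated the same as no exception, so an empty placeholder entry cannot keep unsupported software on the authorized list.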

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.