Today, I will be going over Control 2 from version 8.1 of the top 18 CIS Controls – Inventory and Control of Software Assets. I will go over the seven safeguards and offer my thoughts on what I’ve found.
Key Takeaways for Control 2
- Reusability. The tools that were mentioned in Control 1 will be used in Control 2 as well. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut costs and will help you gain familiarity and knowledge of the extent of the tools capabilities.
- Establish a secure baseline. Establishing a baseline of installed software enables an organization to respond to active threats, avoid license violations, and identify unnecessary security risks. Commercial software inventory and vulnerability scanning tools can assist in this process.
- Enforce with allowlist. Many options exist for defining precise allowlist to govern what software, libraries, or scripts may execute on a system. A strong policy can impede attackers attempting to gain elevated access to a system.
Safeguards for Control 2
2.1) Establish and Maintain a Software Inventory
Description: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually or more frequently.
Notes: The security function associated with this safeguard is Identify. This safeguard is supported by safeguard 2.4 regarding automated software inventory. Automated tools can greatly help developing, and maintaining the software inventory required by this safeguard. Have a document or database ready for frequent updating to ensure you have the latest versions for software. Maintaining current software is critical as updates often resolve security problems.
2.2) Ensure Authorized Software is Currently Supported
Description: Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If the software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate it as unauthorized. Review the software list to verify software support at least monthly or more frequently.
Notes: The security function associated with this safeguard is Identify. Running unsupported software is a huge risk because of the increased risk that attackers will become able to exploit the software. If an unsupported software package is necessary for the enterprise, an exception must be requested to determine whether the risk can be accepted.
2.3) Address Unauthorized Software
Description: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly or more frequently.
Notes: The security function associated with this safeguard is Respond. Leaving unauthorized software on an asset exposes the enterprise to unmanaged risk. The inventory produced by safeguard 2.1 should be compared against the active network on at least a monthly basis. It is critical to remove or quarantine any software that has been flagged.
2.4) Utilize Automated Software Inventory Tools
Description: Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
Notes: The security function associated with this safeguard is Detect. Manually cataloging assets and software inventory can be a tedious task. It is time-consuming and can be riddled with user error. Selecting an automated solution is a must. Tripwire offers an automated tool, Tripwire IP360, which can scan the environments for new software and drive populating your inventory databases.
2.5) Allowlist Authorized Software
Description: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually or more frequently.
Notes: The security function associated with this safeguard is Protect. As in version 7, this is one of the most important safeguards to implement. Having the ability to allowlist software will help prevent unauthorized software from being installed on your organization’s assets. It is important to note the distinction here between a blocklist and an allowlist.
Blocklists prevent specific undesirable programs from executing while allowlisting limits execution when something has been explicitly permitted to run.
Allowlist can be defined on a range of attributes including file name/path/size or a known cryptographic has or signature. Enabling an allowlist of software will start the baseline for your scanning and allow you to have better insight for locating and isolating unauthorized software.
2.6) Allowlist Authorized Libraries
Description: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually or more frequently
Notes: The security function associated with this safeguard is Protect. Like safeguard 2.5, this safeguard plays on the same concept of allowlisting authorized software libraries. While some tools, like Applocker, are freely available, capability limits may push enterprises toward paid commercial software.
2.7) Allowlist Authorized Scripts
Description: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually or more frequently
Notes: The security function associated with this safeguard is Protect. Script interpreters are often needed for standard software installations and administrative tasks, but it can present a large security gap for an attacker. Creating an allowlist of authorized scripts restricts what an attacker can do on a compromised system. System admins have the added ability to define which users are able to run these scripts.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
Get Foundational Security with the CIS Controls Monitoring
Use CIS Controls to establish solid protection against the most common attacks and use Tripwire to provide coverage for the controls.
