Table of Contents
Landmarks
CIS Critical Security Control 2: Inventory and Control of Software Assets
Overview
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Why is this Control critical?
A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine if they have vulnerable software, or if there are potential licensing violations.
Even if a patch is not yet available, a complete software inventory list allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use zero-day exploits, which take advantage of previously unknown vulnerabilities that have yet to have a patch released from the software vendor. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures to guard against attacks until the patch is released.
Management of software assets is also important to identify unnecessary security risks. An enterprise should review its software inventory to identify any enterprise assets running software that is not needed for business purposes. For example, an enterprise asset may come installed with default software that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprises infrastructure.
Procedures and tools
Allowlisting can be implemented using a combination of commercial allowlisting tools, policies, or application execution tools that come with anti-malware suites and popular operating systems. Commercial software inventory tools are widely available and used in many enterprises today. The best of these tools provides an inventory check of hundreds of common software used in enterprises. The tools pull information about the patch level of each installed program to ensure that it is the latest version and leverage standardized application names, such as those found in the Common Platform Enumeration (CPE) specification. One example of a method that can be used is the Security Content Automation Protocol (SCAP). Additional information on SCAP can be found here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. SP.800-126r3.pdf
Features that implement allowlists are included in many modern endpoint security suites and even natively implemented in certain versions of major operating systems. Moreover, commercial solutions are increasingly bundling together anti-malware, anti- spyware, personal firewall, and host-based IDS and Intrusion Prevention System (IPS), along with application allow and block listing. In particular, most endpoint security solutions can look at the name, file system location, and/or cryptographic hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom allowlists based on executable path, hash, or regular expression matching. Some even include a non- malicious, yet unapproved, applications function that allows administrators to define rules for execution of specific software for certain users and at certain times of the day.
- For cloud-specific guidance, refer to the CIS Controls Cloud Companion Guide https://www.cisecurity.org/controls/v8/
- For tablet and smart phone guidance, refer to the CIS Controls Mobile Companion Guide https://www.cisecurity.org/controls/v8/
- For IoT guidance, refer to the CIS Controls Internet of Things Companion Guide https://www.cisecurity.org/controls/v8/
- For Industrial Control Systems (ICS) guidance, refer to the CIS Controls ICS Implementation Guide https://www.cisecurity.org/controls/v8/
Safeguards
Number | Title/Description | Asset Type | Security Function | IG1 | IG2 | IG3 |
---|
2.1 | Establish and Maintain a Software Inventory | Applications | Identify |
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. |
2.2 | Ensure Authorized Software is Currently Supported | Applications | Identify |
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprises mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. |
2.3 | Address Unauthorized Software | Applications | Respond |
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. |
2.4 | Utilize Automated Software Inventory Tools | Applications | Detect |
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. |
2.5 | Allowlist Authorized Software | Applications | Protect |
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. |
2.6 | Allowlist Authorized Libraries | Applications | Protect |
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. |
2.7 | Allowlist Authorized Scripts | Applications | Protect |
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. |
CIS Critical Security Control 3: Data Protection