CIS Control 2: Are You Running Software Unaware?
My prior blog on CIS control 1 noted the importance of knowing every hardware device connected to a network. CIS control 2 also speaks to this type of basic security hygiene, only it is software and application specific. Often, attackers will look for unpatched or unsupported software to target, regardless of the system it is running on, or the type of business using it. It is a bootless errand to make sure everything hardware related is hardened as effectively as possible when deprecated or infected applications may be running in the background, allowing the point of attack all the previous hard work was meant to deny.
CIS Control 2: Inventory and Control of Software Assets
Critical Control 2 states: “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution” (CISv7). This control is intended to prevent such things as zero-day exploits, when a previously unknown vulnerability is exploited, and other attacks through unpatched, known vulnerabilities in software applications. In order to successfully defend the software on a network, it is of vital importance to conduct a thorough and definitive software asset inventory. Like the physical asset inventory, the software asset inventory must be a live document that is constantly maintained and updated, possibly in concurrence with a patch and update list. At minimum this inventory should include the name of software and applications, along with known vulnerabilities and a system for keeping track of updates and patches. Like Control 1, Control 2 is subdivided into sub-controls to make adoption less onerous.
CIS Control 2: Sub-Controls
Sub-control 2.1: Maintain Inventory of Authorized Software.
This sub-control addresses the necessity of maintaining an up-to-date list of all authorized software necessary for an organization to run business systems for business purposes. Machines that have not been searched for all software are more likely to be running applications that may not be for business purposes, introducing an unnecessary risk. Unmonitored machines are more likely to harbor undetected malware. Once a single network foothold has been found, attackers will exfiltrate sensitive data and leverage this infected machine into several infected machines and networks as well. The infected machines may also be used as part of a DoS/DDoS campaign. Sustained and managed software control plays a critical role in executing backup, as well as planning and implementing incidence response and recovery.
Sub-control 2.2: Ensure Software is Supported by Vendor.
When software is supported by the vendor, that means there will be published lists of vulnerabilities and patches, and these will be offered to the users. When software is no longer supported by the vendor, then these patches and updates do not occur, leaving a system at risk. Many attackers will search for outmoded software usage and attack through known vulnerabilities. If any software is running that is unsupported, it should be noted in the inventory, and alternatives considered where possible.
Sub-control 2.3: Utilize Software Inventory Tools.
This will greatly simplify the software documentation process. Offerings run from commercial to open source and encompass a range of prices, so that there is a product for budget.
Sub-control 2.4: Track Software Inventory Information Software.
As previously mentioned, the inventory should record the name, version, publisher and date of installation, as well as state the authorized operating systems.
Sub-control 2.5: Integrate Hardware and Software Asset Inventories.
It is recommended to tie the hardware and software asset inventories to each other so they may be managed from one central location, for ease of management.
Sub-control 2.6: Address Unapproved Software.
This is a good point in the process to address the issue of any unauthorized software that may have been found. It is good if there is a company policy for unauthorized software usage, but for our purposes the software should be either removed or added to the inventory.
Sub-control 2.7: Utilize Application Whitelisting.
Application whitelisting is the creation of an allowable software list. Only software on this list will start and run on the system. Anything not on the list will be prevented from starting and running.
Sub-control 2.8: Implement Application Whitelisting of Libraries.
This is the process of allowing only certain types of software to run, such as “dll.”, “ocx.”, etc. These specifications can help prevent malicious versions of acceptable software from running.
Sub-control 2.9: Implement Application Whitelisting Scripts.
Application whitelisting must also protect the system against any unauthorized scripts.
Sub-Control 2.10: Physically or Logically Separate High-Risk Applications.
Some applications may be needed to conduct business, but are inherently riskier than other applications. These applications should be isolated by segmentation or with a dedicated operating system and workstation.
At this time, whitelisting programs are often being bundled with firewalls and IDS/IPS. Most offer customizable whitelisting, and some allow for “gray” list functions, such as allowing administration to determine what programs can use what resources at what time of day.
CIS Control 2 and Beyond
Of course, implementing the CIS controls is not something that can be accomplished in a short amount of time, and many seek specialized help. Alpine Security offers assistance to businesses of any size to ascertain how far they have already complied, and in what areas they may still need to make changes. If the list seems long and the task ahead daunting, our specialists can help break things down and give your organization a roadmap to completion. Alpine Security offers a free consultation on our Enterprise Security Audit (ESA) Service. The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control Implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, running malicious software unaware can become much more costly than the time spent making sure an organization knows everything that should be running on their system, and more easily able to spot when something should not be.
Mary Thierry is a Cybersecurity Analyst and Office Manager with Alpine Security. She is earning her Master’s Degree in Cybersecurity from Maryville University in Missouri. Mary was raised in rural Illinois on a farm, in a town with 500 people in it. If you ask her nicely, Mary will tell you how to start heavy machinery on a cold morning, the best types of fertilizer, and the best places to build a deer stand. Earlier in her career, Mary taught special education, and then worked as a higher education facilitator for disadvantaged teens. Mary has a disabled daughter and is an advocate for persons with disabilities. Outside work, Mary loves to spend time with her family, bake, read Science Fiction/Horror and attend Yoga classes.