Control 02: Inventory and Control of Software Assets

An overview of the CIS Control 02

Published Date: August 15, 2024

Product Line: CIS Controls

Audience: Executives, Security Administrators

Get your copy of the CIS Controls V8.1 here.


Overview

This control refers to actively managing (inventorying, tracking, and correcting) all software (operating systems and applications) on the network so that only authorized software is installed and executed, and so that unauthorized and unmanaged software is detected and prevented from installation or execution.

Why is this control critical?

A complete software inventory is critical for preventing attacks. Threat actors continuously scan target enterprises, looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine whether it has vulnerable software or potential licensing violations. Even if a patch is not yet available, a software inventory list allows an enterprise to guard against known attacks until the patch is released.

Procedures and tools

Allowlisting can be implemented using a combination of commercial allowlisting tools, policies, or application execution tools that come with anti-malware suites and popular operating systems. Commercial software inventory tools are widely available and used in many enterprises today. These tools create software inventories, check patch levels, and use standardized names like those in the Common Platform Enumeration (CPE). Methods like the Security Content Automation Protocol (SCAP) help with this process. Modern endpoint security solutions bundle anti-malware, personal firewalls, and application allow/block listing features. They use executable names, file locations, or cryptographic hashes to allow or block software execution, with some offering custom rules for specific users or times of day.

Safeguards

  1. Establish and maintain a software inventory (IG1, IG2, IG3): The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.

  2. Ensure authorized software is currently supported (IG1, IG2, IG3): If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. Designate any unsupported software without a documented exception as unauthorized. Review the software list to verify software support at least monthly, or more frequently.

  3. Address unauthorized software (IG1, IG2, IG3): Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.

  4. Utilize automated software inventory tools (IG2, IG3): Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.

  5. Allowlist authorized software (IG2, IG3): Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

  6. Allowlist authorized libraries (IG2, IG3): Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.

  7. Allowlist authorized scripts (IG3): Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
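The following is an added example, not code from CIS or the CIS Controls, showing how the review logic in Safeguards 2.1 through 2.3 can be encoded: each inventory entry is checked for the mandatory fields, then classified by support status, authorization and whether a documented exception is on file. The field names, action labels, vendor names and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
REQUIRED = ("title", "publisher", "install_date", "business_purpose")
REVIEW_DATE = date(2024, 8, 15)  # constructed review date for the sample run

@dataclass
class SoftwareEntry:
    title: str
    publisher: str
    install_date: Optional[date]
    business_purpose: str
    version: str = ""
    support_end: Optional[date] = None   # None: vendor still supports it
    authorized: bool = True
    exception_documented: bool = False   # documented exception on file (2.2/2.3)

def missing_fields(entry):
    """Safeguard 2.1: every entry must carry the mandatory fields."""
    return [f for f in REQUIRED if not getattr(entry, f)]

def classify(entry, today):
    """Apply Safeguards 2.2 and 2.3 to one entry; return the action to take."""
    unsupported = entry.support_end is not None and entry.support_end < today
    if not entry.authorized:
        # 2.3: unauthorized software is removed unless an exception is documented
        return "exception-on-file" if entry.exception_documented else "remove"
    if unsupported and not entry.exception_documented:
        # 2.2: unsupported software without an exception is designated unauthorized
        return "designate-unauthorized"
    if unsupported:
        return "unsupported-with-exception"
    return "ok"

def review_inventory(entries, today):
    """Return {title: (missing_fields, action)} for the periodic review."""
    return {e.title: (missing_fields(e), classify(e, today)) for e in entries}

SAMPLE = [  # constructed sample inventory; vendors and dates are made up
    SoftwareEntry("Office Suite", "VendorA", date(2023, 1, 10), "documents", "3.2"),
    SoftwareEntry("Legacy ERP", "VendorB", date(2015, 6, 1), "billing", "9.0",
                  support_end=date(2022, 12, 31), exception_documented=True),
    SoftwareEntry("Old Browser", "VendorC", date(2019, 3, 5), "web", "71",
                  support_end=date(2021, 1, 1)),
    SoftwareEntry("Media Player", "", None, "", "1.0", authorized=False),
]

def review_sample():
    return review_inventory(SAMPLE, REVIEW_DATE)
```

Running `review_sample()` flags the unsupported browser for designation as unauthorized, keeps the ERP system on its documented exception, and lists the media player for removal along with its missing inventory fields.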