Inventory and Management of Software Assets - Top 20 Security Controls
February 2021 | Michael Wetherald

Top 20 Critical Security Controls Series

In this article, we continue our blog series on the industry standard top 20 critical security controls -- sometimes referred to as the SANS top 20 or CIS Critical Security Controls. These controls give your organization a set of best practices for protecting itself from the most common attacks faced around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from:

#2: Inventory and Management of Software Assets

The software running on your hardware is what makes it vulnerable. If you want a completely secure computer, remove all of the software running. Obviously that is not a reasonable solution, but it illustrates where the problem truly lies. In order to secure your devices and protect your organization, you need to manage software that is allowed to run in your environment.

Why Is This Control Important?

Without controlling the software that is allowed to run in your environment, you create an environment where malware and vulnerable software can live and cause problems. Malware and viruses can be thought of as unauthorized software running on your devices. With proper control and inventory of software authorized to run in your organization, you can develop a strategy for ensuring that software is patched in a reasonable time frame, and that unauthorized software is prevented from ever being executed.

How to Implement This Control

The two main areas of focus for this control are inventory of authorized and installed software, and application whitelisting to detect and prevent unauthorized software.

Maintain Detailed Inventory of Authorized Software

We first need a list of software that is authorized and necessary for business purposes on all business systems. When implementing security control #1, Inventory and Management of Hardware Assets, you created a database of all business systems. Auditing these systems for the software installed on them gives us a list of all software installed in the environment. We can then determine whether that software is necessary for business purposes and include it in the authorized list.

Ensure Authorized Software is Supported by Vendor

All software contains security vulnerabilities; the cat and mouse game involves resolving those vulnerabilities before attackers can exploit them. If a piece of software is no longer supported, and therefore not receiving security patches, your system will remain vulnerable, waiting for the first attacker to come by and exploit it.

Software Inventory Tools

Use tools that automatically audit the software (including the operating system) installed and running on your business systems. Auditing each of your systems by hand would take far too long, especially as software is constantly updated and conditions change. Your software inventory tool should log at least the following information into your software inventory:

  • Name
  • Version
  • Publisher
  • Install Date

Integrate Hardware and Software Inventories

The hardware inventory generated via control #1 should be integrated with the software inventory you generate while implementing this security control. This allows you to track all the necessary information in one place.

Address Unauthorized Software

When your automated software inventory tool finds unauthorized software installed on machines, you need to have a procedure in place to address that software. Do you dispatch support staff to uninstall the software? Do you isolate the machine on the network? Does your staff need to be alerted immediately? Who is allowed to update the authorized software list? You need a plan to address this situation.
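The sketch below is an added example, not code from the original article or from any inventory product. It ties the previous sections together: software records carrying the four fields listed above are joined to the hardware inventory by host, then checked against the authorized list and the vendor's end-of-support date. All hosts, products, publishers and dates are constructed sample data, and the finding labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SoftwareRecord:
    host: str            # key into the hardware inventory from control #1
    name: str
    version: str
    publisher: str
    install_date: date

# Constructed hardware inventory (control #1): host -> owning department.
HARDWARE = {"ws-014": "accounting", "srv-db01": "it-ops"}

# Constructed authorized list: (name, publisher) -> vendor end-of-support
# date, or None when the vendor has announced no end date.
AUTHORIZED = {
    ("ExampleOffice", "Example Office Foundation"): None,
    ("ExampleDB", "Example Corp"): date(2020, 6, 30),
}

# Constructed output of an automated inventory tool.
INVENTORY = [
    SoftwareRecord("ws-014", "ExampleOffice", "7.0.4", "Example Office Foundation", date(2021, 1, 12)),
    SoftwareRecord("ws-014", "FreeToolbar", "1.2", "Unknown Publisher", date(2021, 1, 20)),
    SoftwareRecord("srv-db01", "ExampleDB", "9.6", "Example Corp", date(2018, 3, 2)),
    SoftwareRecord("lab-007", "ExampleOffice", "7.0.4", "Example Office Foundation", date(2020, 11, 5)),
]

def review(inventory, authorized, hardware, today):
    """Return (host, name, finding) tuples that need follow-up."""
    findings = []
    for rec in inventory:
        key = (rec.name, rec.publisher)
        if rec.host not in hardware:
            # Software reported from a machine the hardware inventory lacks.
            findings.append((rec.host, rec.name, "unknown-host"))
        if key not in authorized:
            findings.append((rec.host, rec.name, "unauthorized"))
        elif authorized[key] is not None and authorized[key] < today:
            # Authorized, but the vendor no longer ships security patches.
            findings.append((rec.host, rec.name, "unsupported"))
    return findings

if __name__ == "__main__":
    for host, name, finding in review(INVENTORY, AUTHORIZED, HARDWARE, date(2021, 2, 1)):
        print(f"{host}: {name} -> {finding}")
```

Each finding type maps to one of the questions above: who is alerted, whether the machine is isolated, and who may change the authorized list.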

Application Whitelisting

Application whitelisting is a technology to implement on all business systems to prevent the execution of unauthorized software. Ensure that software library files (.dll, .ocx, .so, etc.) are whitelisted to ensure only authorized libraries are allowed to load into system processes. The same applies for scripts (.py, .js, macros, .ps1, etc.), which should be digitally signed to ensure integrity.
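As an added illustration (not from the original article), the following shows the detection half of a hash-based allowlist covering the library and script types named above: every controlled file is hashed with SHA-256, and any file whose hash is not on the approved list is reported. It only audits; enforcement belongs to the operating system's application control feature, and script signing is a separate mechanism. The directory contents, file names and function names are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the article says must be covered (libraries and scripts).
CONTROLLED = {".dll", ".ocx", ".so", ".py", ".js", ".ps1"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def controlled_files(root):
    return [p for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in CONTROLLED]

def build_allowlist(root):
    """Hash every controlled file in a reviewed, known-good tree."""
    return {sha256_of(p) for p in controlled_files(root)}

def audit(root, allowlist):
    """Return relative paths of controlled files whose hash is not approved."""
    return sorted(p.relative_to(root).as_posix()
                  for p in controlled_files(root)
                  if sha256_of(p) not in allowlist)

def demo():
    # Constructed sample tree: one library, one script, one uncontrolled file.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib" / "approved.so").write_bytes(b"constructed library bytes")
        (root / "backup.ps1").write_text("Write-Output 'nightly backup'\n")
        (root / "notes.txt").write_text("not a controlled file type\n")
        allowlist = build_allowlist(root)
        baseline = audit(root, allowlist)
        # Simulate drift: a script is edited and an unreviewed library appears.
        (root / "backup.ps1").write_text("Write-Output 'modified'\n")
        (root / "lib" / "dropped.so").write_bytes(b"unreviewed library bytes")
        return baseline, audit(root, allowlist)

if __name__ == "__main__":
    print(demo())
```

Because the allowlist is keyed on content hashes, an edited script is flagged even though its name and location are unchanged.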

Physically or Logically Segregate High Risk Software

Some systems will come with higher risk to your organization. The failure or compromise of those systems might be catastrophic to your organization. Isolate and control access to those systems more carefully to reduce the likelihood of a compromise.

Conclusion

Be sure to check out the next article in our series, where we cover security control #3, Vulnerability Management.

Inventory and Management of Software Assets is a crucial control for developing the security program at your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.
