CIS Control 2: Inventory and Control of Software Assets
Today, I will be going over CIS Control 2 from version 8 of the top 18 CIS Controls – Inventory and Control of Software Assets. Version 7 of CIS Controls had 10 requirements, but in version 8, it’s simplified down to seven safeguards. I will go over those safeguards and offer my thoughts on what I’ve found.
Key Takeaways for Control 2
- Reusability. The tools that were mentioned in CIS Control 1 will also be used in CIS Control 2. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut costs as well as help you gain familiarity and knowledge of the extent of the tools’ capabilities.
- Establish a secure baseline. Establishing a baseline of installed software enables an organization to respond to active threats, avoid license violations, and identify unnecessary security risks. Commercial software inventory and vulnerability scanning tools can assist in this process.
- Enforce with allowlist. Many options exist for defining precise allowlist to govern what software, libraries, or scripts may execute on a system. A strong policy can impede attackers who might be attempting to gain elevated access to a system.
Safeguards for Control 2
2.1) Establish and Maintain a Software Inventory
Description: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry. Where appropriate, it must also include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. It’s important to review and update the software inventory bi-annually or more frequently.
Notes: This safeguard is supported by safeguard 2.4 regarding automated software inventory. Automated tools can greatly help with developing and maintaining the software inventory, as required by this safeguard. Have a document or database ready for frequent updating to ensure you have the latest software versions. Maintaining current software is critical, as updates often resolve security problems.
2.2) Ensure Authorized Software is Currently Supported
Description: Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly or more frequently.
Notes: Running unsupported software elevates the risk that attackers will be able to exploit the software for malicious ends. If an unsupported software package is necessary for the enterprise, an exception must be requested to determine whether the risk can be accepted.
2.3) Address Unauthorized Software
Description: Ensure that unauthorized software is either removed from use on enterprise assets or that it receives a documented exception. Review monthly or more frequently.
Notes: Leaving unauthorized software on an asset exposes the enterprise to unmanaged risk. The inventory produced by safeguard 2.1 should be compared against the active network on at least a monthly basis. It is critical to remove or quarantine any software that has been flagged.
2.4) Utilize Automated Software Inventory Tools
Description: When possible, utilize software inventory tools throughout the enterprise to automate the discovery and documentation of installed software.
Notes: Manually cataloging asset and software inventory can be a tedious task. It is a time-consuming process, and it can be riddled with user error. Selecting an automated solution is a must. Tripwire offers IP360, an automated tool which can scan environments for new software and drive populating your inventory databases.
2.5) Allowlist Authorized Software
Description: Use technical controls such as application allowlisting to ensure that only authorized software can execute or be accessed. Reassess bi-annually or more frequently.
Notes: As in version 7, this is one of the most important safeguards to implement. Having the ability to allowlist software well help prevent unauthorized software from being installed on your organization’s assets. It is important to note the distinction here between a blocklist and an allowlist. Blocklists prevent specific undesirable programs from executing, while allowlisting limits execution when something has been explicitly permitted to run. An allowlist can be defined on a range of attributes including file name/path/size or a known cryptographic hash or signature. Enabling an allowlist of software will start the baseline for your scanning and allow you to have better insight for locating and isolating unauthorized software.
2.6) Allowlist Authorized Libraries
Description: Use technical controls to ensure that only the files from authorized libraries such as .dll, .ocx, .so, etc. are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually or more frequently
Notes: Similar to safeguard 2.5, this safeguard plays on the same concept of allowlisting authorized software libraries. While some tools like Applocker are freely available, capability limits may push enterprises toward paid commercial software.
2.7) Allowlist Authorized Scripts
Description: Use technical controls such as digital signatures and version control to ensure that only authorized scripts such as specific .ps1, .py, etc. files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually or more frequently
Notes: Script interpreters are often needed for standard software installations and administrative tasks, but they can present a large security gap for an attacker. Creating an allowlist of authorized scripts restricts what an attacker can do on a compromised system. System admins have the added ability to define which users are able to run these scripts.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets