In my last blog post, I discussed the history of the CIS 20 Critical Security Controls and the relevance they hold for organizations today. In my second post on this topic, let’s dive a bit deeper in CSC 2 security control, which is very tightly aligned with CSC 1 (Inventory of Authorized and Unauthorized Devices) control. One of the primary purposes of knowing and controlling what devices are allowed on the network is to be able to know and control what software is allowed on the network. In many aspects, the inventory of software is more critical than the inventory of hardware, since software is what contains the majority of vulnerabilities that are exploited by adversaries. The only way to ensure a complete and accurate inventory of software is to ensure there is a complete and accurate inventory of hardware. This tight alignment of controls is why several of the solutions available for CSC 1 are also able to fulfill the needs of CSC 2.
The intent of the CSC 2 control is to actively manage, inventory, and track all software on the network. Administrators should ensure that only authorized software is installed and can execute on authorized devices. Unauthorized or unmanaged software should be prevented from installation or execution.
Generally, software is where exploitable vulnerabilities exist, and adversaries are continually looking for vulnerable versions of software that can be used to gain access to a system. Through proper software management, organizations are able to eliminate many of the exploits used by those adversaries. Proper management, though, is not just maintaining an inventory of what software exists on the network, but it is also the ongoing maintenance of that software. Through the proper and timely application of patches and updates, organizations limit their exposure to remote attacks.
To organize the control into a more logical set of process, CSC 2 has been broken down into four sub-controls.
Sub-Control 2.1 Specifies that organizations should create a list of authorized software and versions that are required within the organization. As mentioned earlier, this control is closely aligned with CSC 1, so the list of authorized software should also align with authorized systems on the network—such as servers, workstations, mobile devices, etc. File integrity monitoring should also be used to ensure authorized software is not modified.
Sub-Control 2.2 Specifies using application whitelisting to leverage the list of authorized software created in sub-control 2.1. Application whitelisting should allow for authorized applications to run while preventing execution of any other software on the system. The whitelist can be extensive or very narrow, depending on the intended functionality of the end device.
Sub-Control 2.3 Specifies the use of automated software inventory tools throughout the organization. The inventory system should be able to track both the device operating systems and applications running on them. Ideally, the software inventory will be coupled with the hardware inventory from CSC 1 to provide centralized management of both.
Sub-Control 2.4 Specifies that higher-risk applications should be run on virtual machines or air-gapped systems. This limits exposure to other devices on the general network.
Today, there are several solutions on the market that can assist with, and even automate, many of the tasks within the CSC 2 sub-controls. While there is no single solution that is right for every organization, a thorough evaluation of the organization’s environment, goals, and objectives can help determine which solutions are right for them.
ePlus provides assessments that help gauge the effectiveness of your current security program, and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC1 sub-controls, visit https://www.cisecurity.org/controls/ or contact us at email@example.com. You can also contact your ePlus Account Executive directly.