Notes from the Field: CIS Control 2 – Inventory and Control of Software Assets
by Greg Halpin / May 5th, 2023
Many of the clients I work with are startup companies that have amazing technologies and services but don’t have mature information security programs in place. They often don’t know which information security framework to follow or how to implement them. Some frameworks are either too vague or too long and detailed to be useful. That’s why I recommend the CIS Controls to my clients to help them get started on their information security journey. The CIS Controls document offers concise and specific direction for high level executives and for information technology and security professionals.
The Center for Internet Security (CIS) Controls Version 8 consist of 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. In this post, let’s discuss what controls your organization should have in place according to Control 02 – Inventory and Control of Software Assets.
The CIS overview for Control 02 – Inventory and Control of Software Assets is – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Controls 02 includes 7 sub-controls or safeguards, as the CIS Document refers to them. They are:
2.1 Establish and Maintain a Software Inventory
2.2 Ensure Authorized Software is Currently Supported
2.3 Address Unauthorized Software
2.4 Utilize Automated Software Inventory Tools
2.5 Allowlist Authorized Software
2.6 Allowlist Authorized Libraries
2.7 Allowlist Authorized Scripts
Why is Inventory and Control of Software Assets critical? A complete software inventory is critical in preventing attacks, the CIS document states, as an organization cannot protect against attacks if it doesn’t know it has vulnerable software. With a complete software inventory an organization knows if it is susceptible to new vulnerabilities, particularly zero-day exploits. It can then take appropriate and quick action to protect or remediate the vulnerable software.
On a recent SOC 2 gap assessment, the client gave me a demonstration of their services. This is important to understand the infrastructure and software used in support of their services. The company offers several Software as a Service (SaaS) products. Some of the services are restricted to allowed IPs via VPN connections. One, however, is a public facing web application that the IT and IT security managers were unaware of, an unpleasant surprise for them.
The web app, it turns out, is a special project of the semi-retired company founder. It has a niche but lucrative customer base. A developer, who reports directly to the company founder, is dedicated to the project and is responsible for the web servers that host the application as well as the database servers supporting it. The servers are not part of the official IT system inventory, nor is any of the software installed on the web and database servers. As part of the assessment, it was important to find out what was going on. The IT and IT security managers were eager as well.
I instructed the developer to use RDP to connect to and log on to one of the web servers. And what do we find…a Windows 2008 server, which went end of life almost two years earlier. The IT managers were visibly stunned at the discovery. The server was running IIS 7, also end of life. A quick SSL Labs test of the server’s URL showed it still used SSL 3.0, which was deprecated in 2015. This web server had been vulnerable for years to a number of critical vulnerabilities and could have been compromised…maybe it already was. Just as troubling is that the IT and IT security teams did not know about these servers. Nor did they make much of an effort to find out.
How did the IT and IT security teams not know about these systems and the older software on them? This is more common than you might expect. When we do a walkthrough of services with clients, we uncover a lot of hidden secrets on company networks, pet projects for which the regular rules don’t apply, orphaned systems that no one manages. All waiting to be exploited.
We investigated why these systems and software were not inventoried. The company has an inventory tool in place that scans the network every week for hardware and collects software. After just a few minutes, we learned the system and software inventory tool was misconfigured. The subnet with the servers was not included in the inventory scan. Further investigation revealed additional active subnets were missing from the regular scans as they were thought to be unused. The problem was the staff accepted the results of the tool without comparing them against other sources, including their own list of active networks and their list of services.
The IT and IT security teams got right to work confirming all of their subnets were included in the inventory scans and vulnerability scans, even the ones that were previously identified as unused. Rather than ignore the unused subnets, they were set up with their own scans to identify rogue systems in the future. Checking back on this a few hours later, several other special project servers with older operating systems and software were identified. The IT and IT security managers were clearly frustrated.
What do the IT and IT security teams need to do? They need to require in policy and implement CIS Control 02 and its sub-controls. Many people in the field think this is busy work and a waste of time. It simply points to their lack of understanding information security fundamentals. You can only protect what you know about. To secure company and customer data, it’s imperative to maintain a complete software inventory. It’s easier for smaller environments, more challenging for larger environments. Still, there are many automated tools available that collect system and software, some of which are free. Manual reviews can be done in smaller environments. Spot checks can be done in larger environments. Regardless, this task needs to be assigned to and owned by someone or a team.
In support of the sub-controls for allowing only approved software and scripts, there are many tools companies can leverage for approving and blocking software so only the software that the IT department approves can run on systems. Most operating systems have this functionality. Endpoint Detection & Response (EDR) solutions also offer this functionality and provide additional security protections against malware and intrusions.
Work with a KirkpatrickPrice Expert to Create the Security Program Your Organization Deserves
Implementing CIS Control 02 and its sub-controls will help protect your network and data. The next time there is zero-day vulnerability, you can review your current and complete software inventory and know which systems, if any, are affected. You can take action to remediate the vulnerability and secure your environment.
To learn more, be sure to connect with a KirkpatrickPrice expert today.
About the Author
Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He enjoys working with people and organizations to help them secure their networks and systems. Greg lives in Happy Valley, PA.
