Budgetless CIS Top 20: Control 2: Software Assets

Summary: Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

This is another “easy” one, at least at its most basic level. Many of the free tools we talked about for Control 1 (Spiceworks, Lansweeper, PDQ Inventory) will do this from an inventory perspective, meaning they will scan your network and tell you what software is on it, including version numbers and patch levels. This is important because they may show you that a couple of machines have different patch levels on a certain piece of software, say Adobe or Chrome or whatever. You then know that the machine missed a patch or two and you can update it, either with your patching software or manually, and reduce your risk of unpatched vulnerabilities coming back to haunt you. This will also help you identify any malicious programs or malware installed on any of your machines.

Like with Control 1, there are varying degrees of subcontrols, but I encourage you to start small and do what you can do.

2.1 Maintain Inventory of Authorized Software – This can be simple, just a spreadsheet or database somewhere to track what is allowed or required for business use. Your Spiceworks or software scan will be a great start to putting that together.

2.2 Ensure Software is Supported by the Vendor – This one is tougher, especially since a lot of software, such as custom or free software, might not actually be “supported.” For example, I’m using Notepad++ because it’s the far superior Notepad software, and I’m sure all your developers, sys admins, etc. are too, but it’s not really “supported.” For these, you should just note or tag them in your software inventory.

2.3 Utilize Software Inventory Tools – As mentioned in the first paragraph, there are lots of free software inventory scanning tools.

2.4 Track Software Inventory Information – The tools from 2.3 should record name, version, publisher and install date for all software, including operating systems. Even the free ones do this, so it’s pretty simple to make sure you have this information.

2.5 Integrate Hardware and Software Asset Inventories – When selecting software to assist with these controls, make sure you select one that does both the hardware and software scanning. All the free ones I’ve mentioned do, and they’ll tie the two together automagically for you.

2.6 Address Unapproved Software – If you find a piece of software is outdated, have a process in place to update it in a timely manner; otherwise, ensure it is removed from the network. Spiceworks will allow you to tag software as ‘Unwanted’ and then it will alert you whenever unwanted software is found on the network.

2.7 Utilize Application Whitelisting / 2.8 Implement Application Whitelisting of Libraries / 2.9 Implement Application Whitelisting of Scripts – I’m combining these as they are similar and are all difficult to do without spending a decent amount of money. Whitelisting is arguably the future of endpoint security and it should definitely be in your budget planning in the near future if it isn’t already, but if you can’t afford it, there are a couple of things you can do here. If you upgrade your Windows license to Enterprise, you can use AppLocker and do a lot of this, but it’s very administratively heavy. I’m going to link to two articles on using Group Policy to limit where applications can run from, what kind of files can execute, etc. That will certainly make you more secure and get you about as close as you can get to application whitelisting without spending some major cash. The articles are “Deploying a whitelist Software Restriction Policy to prevent Cryptolocker” and “Create an Application Whitelist Policy in Windows”.

2.10 Physically or Logically Segregate High Risk Applications – If you are using virtualization software, you can create locked-down virtual machines running your higher-risk applications, which users remote into to use, and then put those on a separate VLAN to segregate them further. You can also use Sandboxie to isolate a program.
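
To make 2.1, 2.2, 2.4 and 2.6 concrete, here is an added example (not from any of the tools mentioned above) that compares a scan export against the authorized-software spreadsheet and reports unauthorized installs, software tagged as unsupported, and machines behind the newest version seen on the network. The CSV column names, hostnames, versions and the `FreeCouponToolbar` entry are constructed for illustration; adjust them to whatever your scanner actually exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions, not any scanner's real export format.
AUTHORIZED_CSV = """name,supported
Google Chrome,yes
Adobe Acrobat Reader,yes
Notepad++,no
"""
INVENTORY_CSV = """host,name,version,publisher,install_date
PC-01,Google Chrome,120.0.1,Google,2024-01-05
PC-02,Google Chrome,119.0.9,Google,2023-11-20
PC-01,Notepad++,8.6,Notepad++ Team,2024-01-10
PC-02,Adobe Acrobat Reader,23.8,Adobe,2024-01-02
PC-03,Adobe Acrobat Reader,23.10,Adobe,2024-01-12
PC-03,FreeCouponToolbar,1.0,Unknown,2024-01-15
"""

def version_key(version):
    """Compare versions numerically so that 23.10 sorts above 23.8."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def audit(inventory_csv, authorized_csv):
    authorized = {r["name"].strip().lower(): r
                  for r in csv.DictReader(io.StringIO(authorized_csv))}
    unauthorized, unsupported = [], set()
    versions = defaultdict(dict)  # software name -> {host: version}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = authorized.get(row["name"].strip().lower())
        if entry is None:  # 2.6: not on the authorized list
            unauthorized.append((row["host"], row["name"], row["version"]))
            continue
        if entry["supported"].strip().lower() != "yes":  # 2.2: tag, don't block
            unsupported.add(row["name"])
        versions[row["name"]][row["host"]] = row["version"]
    behind = []  # hosts below the newest version seen anywhere on the network
    for name, by_host in versions.items():
        newest = max(by_host.values(), key=version_key)
        for host, ver in sorted(by_host.items()):
            if version_key(ver) < version_key(newest):
                behind.append((host, name, ver, newest))
    return {"unauthorized": unauthorized, "unsupported": sorted(unsupported), "behind": behind}

if __name__ == "__main__":
    for kind, items in audit(INVENTORY_CSV, AUTHORIZED_CSV).items():
        print(kind, items)
```

The newest version seen on the network is only a stand-in for “fully patched”: if every machine missed the same update, nothing shows up as behind, so still check the result against the vendor’s current release.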