CIS Control 2: Inventory and Control of Software Assets

Control Summary

Actively manage all software on the network so that only authorised software is installed and can execute, and that unauthorised and unmanaged software is found and prevented from installation or execution.

Why is it needed?

A comprehensive software inventory is a cornerstone of defence against cyberattacks. Attackers constantly probe corporate targets for software versions with vulnerabilities that can be exploited remotely. For instance, if a user visits a malicious website or opens an attachment with a vulnerable web browser, the attacker can often implant backdoor programs and bots and establish lasting control over the system. With that foothold, attackers can also pivot through the network. One of the primary countermeasures against such threats is keeping software updated and patched.

However, without a thorough catalogue of software assets, an organisation cannot determine whether vulnerable software is present or whether licensing agreements are being breached. Even when a patch is not yet available, a comprehensive software inventory lets an organisation protect itself against known vulnerabilities until the patch is released. Some highly skilled attackers use “zero-day exploits”, which take advantage of previously undisclosed vulnerabilities for which the software vendor has no patch.

Implementing Control

We recommend that, before any other steps in this control are taken, organisations limit local administrator rights and installation rights. This reduces the amount of unauthorised or unmanaged software that will later require removal.

Implementation Group 1 requires the following three safeguards:

2.1 Establish and Maintain a Software Inventory

Commercial software inventory tools are widely available and check for commonly used enterprise software. These tools also identify the patch level of each installed program so that it can be confirmed as up to date, and they can be used to create the initial software inventory.

2.2 Ensure Authorised Software is Currently Supported

Allowlisting can be used when managing this software inventory. Allowlisting and blocklisting can be introduced in stages, starting with a list of “unauthorised” applications (commonly called a “blocklist” or “blacklist”), followed by the list of authorised applications that makes up the “allowlist” or “whitelist”. This process should be documented as a policy and followed up with scanning for, and removal of, unauthorised software. Contemporary endpoint security solutions often support allowlisting, as do many operating system versions. Some even allow custom allowlists that decide whether an application may run based on executable path, hash, or regular expression matching.

2.3 Address Unauthorised Software

The basic safeguards that any business must implement in this control are establishing and maintaining a software inventory, removing unauthorised software from the network monthly, and ensuring authorised software is currently supported. More advanced safeguards include using automated inventory tools and implementing allowlisting of software, libraries, and scripts.
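As an added example (not from the CIS documentation or any vendor tool), the following Python policy evaluator applies the staged approach from safeguards 2.2 and 2.3 to constructed inventory records: the blocklist is checked first, then allow rules by executable path glob, SHA-256 hash, and regular expression, and anything that matches no rule is flagged for review as unmanaged software. All records, hashes, paths and rules are constructed placeholders.

```python
import fnmatch
import hashlib
import re


def _sha256(data: bytes) -> str:
    # Placeholder hashes derived from short byte strings so the example is self-contained.
    return hashlib.sha256(data).hexdigest()


# Constructed records in the shape an inventory tool might export (name, path, hash).
INVENTORY = [
    {"name": "Notepad++", "path": r"C:\Program Files\Notepad++\notepad++.exe", "sha256": _sha256(b"npp")},
    {"name": "7-Zip", "path": r"C:\Program Files\7-Zip\7z.exe", "sha256": _sha256(b"7z")},
    {"name": "Downloaded tool", "path": r"C:\Users\alice\Downloads\tool.exe", "sha256": _sha256(b"tool")},
    {"name": "Build script", "path": r"C:\Builds\ci\run.ps1", "sha256": _sha256(b"ps")},
    {"name": "Legacy agent", "path": r"C:\Apps\legacy\agent.exe", "sha256": _sha256(b"legacy")},
]

# Stage 1: blocklist of known-unauthorised software, evaluated before any allow rule.
BLOCKLIST_HASHES = {_sha256(b"legacy")}

# Stage 2: allow rules of the three kinds the text mentions (path, hash, regex).
ALLOW_PATH_GLOBS = [r"C:\Program Files\*"]
ALLOW_HASHES = {_sha256(b"npp")}
ALLOW_REGEXES = [re.compile(r"^C:\\Builds\\ci\\.*\.ps1$", re.IGNORECASE)]


def decide(record: dict) -> str:
    """Return 'block', 'allow' or 'review' for one inventory record.

    A blocklist hit wins over every allow rule; a record matching no rule is
    'review', i.e. unmanaged software to be removed or formally authorised.
    """
    if record["sha256"] in BLOCKLIST_HASHES:
        return "block"
    path = record["path"]
    if record["sha256"] in ALLOW_HASHES:
        return "allow"
    if any(fnmatch.fnmatchcase(path.lower(), g.lower()) for g in ALLOW_PATH_GLOBS):
        return "allow"
    if any(r.match(path) for r in ALLOW_REGEXES):
        return "allow"
    return "review"


def reconcile(inventory: list) -> dict:
    """Group inventory names by decision so unauthorised items can be actioned."""
    out = {"block": [], "allow": [], "review": []}
    for rec in inventory:
        out[decide(rec)].append(rec["name"])
    return out
```

Running `reconcile(INVENTORY)` yields the downloaded tool under "review" and the legacy agent under "block", which is the monthly removal list safeguard 2.3 calls for.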

Additional safeguards at level 2 or 3:

2.4 Utilise Automated Software Inventory Tools
2.5 Allowlist Authorised Software
2.6 Allowlist Authorised Libraries
2.7 Allowlist Authorised Scripts
