
CIS Controls - picture

Priority #2 - Manage Software on Your Network

The first 5 CIS Controls

CIS notes that it is important to make a formal, conscious, top-level decision to make the CIS Controls part of the organization's standard for cybersecurity. Senior management and the Board of Directors should be on board for support and accountability, and should implement the first 5 CIS Controls in their organizations as a minimum requirement.

  • CIS Control 1 - Inventory of Authorized & Unauthorized Devices
  • CIS Control 2 - Inventory of Authorized & Unauthorized Software
  • CIS Control 3 - Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
  • CIS Control 4 - Continuous Vulnerability Assessment & Remediation
  • CIS Control 5 - Controlled Use of Administrative Privileges

* CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. Visit https://www.cisecurity.org/controls/ for more information.

CIS Control 2

This week we start by taking a more in-depth look at CIS Control 2.

CIS Control 2
Inventory of Authorized and Unauthorized Software

Scope
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software are found and prevented from installation or execution.

Basic question every corporate leader should be able to answer (Cyber Hygiene Campaign):
Do we know what software is running (or trying to run) on our systems and networks? 

In addition to this article about CIS Control #2, see also https://www.cisecurity.org/keeping-a-watchful-eye-on-software/ .

The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices. The CIS Controls (formerly known as the Critical Security Controls) are a prioritized, highly focused set of actions you can follow to protect and defend your company against cyberthreats. The CIS Controls have been developed after studying actual attacks and effective defenses. The Controls are developed, refined and validated by a community of leading global experts. They align with and map to all of the major compliance frameworks, such as the NIST Cybersecurity Framework, NIST guidelines, and the ISO 27000 series.

Why is this control important?

Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited.

Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.


Figure 1: Hacker scanning system for vulnerable software

Poorly controlled machines are more likely to be either running software that is unneeded for business purposes (introducing potential security flaws), or running malware introduced by an attacker after a system is compromised. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.


Figure 2: You do not want a Trojan horse in your system

What do you need to do to implement CIS Control #2?

The main actions an organization should take in regards to CIS Control #2 are:

  1. Identify and document all software
  2. Develop a whitelist of approved software
  3. Apply tools that can scan your systems (computers, servers, devices and network equipment) and identify what software is installed on each of them
  4. Keep whitelist updated and perform regular scanning and verification

Identify and document all software
Documentation can be a major effort, especially for large organizations. You must identify and document not only the applications and operating systems installed on PCs and servers, but also the software and firmware on network equipment and devices such as cameras, door controllers and intercoms.

Develop a whitelist of approved software
Whitelisting means that only pre-authorized software may be installed. Your whitelist of approved software can be as short or extensive as your organization needs; the goal is to know, control and continually manage what’s on your network.

Keep in mind that organizational policies can help communicate which software has been approved, the process for adding software to your whitelist, and the dangers of introducing unauthorized software onto your networked devices.

Apply tools that can scan your system
Once the whitelist is complete, you should regularly scan the network to check whether the software installed on each system matches the whitelist of approved software, and flag anything that does not.

In order to have effective and regular scanning of your system, you must have tools to support you in this work.
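The four steps above (inventory, whitelist, scan, verify) come down to one recurring job: take a scan export, compare every host's software and version against the whitelist for that class of device, and produce a work queue. The following is an added example, not code from the original page or from the Vingtor-Stentofon tool; the product names, versions, host names and the CSV layout of the scan export are all constructed for illustration. It also reports a "missing" finding when a host does not report software the whitelist marks as required (for example the approved firmware on an intercom), since a host that has dropped a mandatory package is as much a deviation as one running an extra package.

```python
"""Reconcile a software inventory scan against a whitelist (CIS Control 2).

Added example; the allowlist contents and the scan rows are constructed data.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    version: str
    status: str  # authorized | unauthorized | wrong_version | missing


# Constructed whitelist (hypothetical product names and versions): per device
# class, the software that may run, its approved versions, and whether the
# package must be present on every host of that class.
ALLOWLIST = {
    "workstation": {
        "Microsoft Office": {"versions": {"16.0.12527"}, "required": False},
        "Chrome": {"versions": {"80.0.3987", "81.0.4044"}, "required": False},
        "Endpoint Agent": {"versions": {"2.4.1"}, "required": True},
    },
    "intercom": {
        "Intercom Firmware": {"versions": {"4.10.3"}, "required": True},
    },
}

# Constructed scan export in the CSV shape a discovery tool might emit.
SCAN_OUTPUT = """\
host,class,software,version
ws-101,workstation,Microsoft Office,16.0.12527
ws-101,workstation,Chrome,80.0.3987
ws-101,workstation,Endpoint Agent,2.4.1
ws-101,workstation,uTorrent,3.5.5
ws-102,workstation,Chrome,79.0.3945
ic-door-01,intercom,Intercom Firmware,4.10.3
ic-lobby-02,intercom,Intercom Firmware,4.8.1
"""


def parse_inventory(text):
    """Return the scan export as a list of row dicts (host, class, software, version)."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(rows, allowlist):
    """Compare every inventory row against the whitelist for its device class.

    One Finding per reported row, plus one 'missing' Finding for each required
    package a host did not report. A host whose class is not in the whitelist
    has every package flagged as unauthorized, which is the safe default.
    """
    findings = []
    reported = {}  # (host, class) -> set of software names seen on that host
    for row in rows:
        host, cls, name, version = row["host"], row["class"], row["software"], row["version"]
        reported.setdefault((host, cls), set()).add(name)
        entry = allowlist.get(cls, {}).get(name)
        if entry is None:
            status = "unauthorized"
        elif version in entry["versions"]:
            status = "authorized"
        else:
            status = "wrong_version"
        findings.append(Finding(host, name, version, status))
    for (host, cls), names in reported.items():
        for name, entry in allowlist.get(cls, {}).items():
            if entry["required"] and name not in names:
                findings.append(Finding(host, name, "", "missing"))
    return findings


def summarize(findings):
    """Count findings by status; every bucket except 'authorized' is the work queue."""
    return Counter(f.status for f in findings)


def hosts_needing_action(findings):
    """Sorted list of hosts with at least one non-authorized finding."""
    return sorted({f.host for f in findings if f.status != "authorized"})


if __name__ == "__main__":
    results = reconcile(parse_inventory(SCAN_OUTPUT), ALLOWLIST)
    for f in results:
        if f.status != "authorized":
            print(f"{f.host:12} {f.status:13} {f.software} {f.version}")
    print(dict(summarize(results)))
```

On the constructed data this flags uTorrent on ws-101 as unauthorized, the outdated Chrome on ws-102 and the old firmware on ic-lobby-02 as wrong_version, and the absent Endpoint Agent on ws-102 as missing. One caveat a practitioner should keep in mind: a host that never answers the scan produces no rows and therefore no findings, so the scan output should also be joined against the device inventory from CIS Control 1 to catch hosts that have gone silent.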


Figure 3: Vingtor-Stentofon Intercom Management Tool - Automates process for CIS Control #2.

Vingtor-Stentofon Intercom Management tool

The VS Intercom Management tool helps you automate the process for CIS Control #2. The tool scans your network to discover all VS Intercom devices and identifies the software installed and running on each device. You can then easily see whether any device is running software that is not on the whitelist. If the tool finds a device running unauthorized software, it can also help you install the authorized version.

Terminology

CIS® (Center for Internet Security®)
CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. The CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC®), the go-to resource for cyber-threat prevention, protection, response, and recovery for state, local, tribal, and territorial governments.

CIS® Controls
This is a prioritized list of highly focused actions you can follow to protect and defend your company against cyber threats. The CIS Controls have been developed after studying actual attacks and effective defenses.

The Internet
The Internet is a network of networks linking millions of private, public, academic and business networks to reach billions of users. The Internet uses the TCP/IP set of network protocols and began as ARPANET, a U.S. Department of Defense research network that linked universities and research laboratories.


Figure 4: The Internet - The Network of Networks

AAA server (Authentication, Authorization and Accounting)
An AAA server is used to manage user credentials and network access. AAA servers were first used to manage dial-up internet access over data modems. They are now used to manage network access for many technologies, including Wi-Fi, wired Ethernet, xDSL, VPN and more. An AAA server allows an enterprise to manage user credentials from one central location.

RADIUS (Remote Authentication Dial In User Service)
RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. Authentication and authorization in RADIUS are described in RFC 2865, while accounting is described in RFC 2866.

IEEE 802.1X
IEEE 802.1X is an IEEE standard for port-based Network Access Control. It provides an authentication and authorization mechanism for devices wishing to attach to a wired LAN or Wi-Fi network: the switch or access point relays the device's credentials (carried in EAP) to an authentication server, commonly a RADIUS server, and opens the port only if the server accepts them.

