As I mentioned in our last post, the 20 critical controls are divided into System, Network, and Application families in order to simplify analysis and implementation. This also allows partial implementation of the controls by security program developers who aren't building a program from scratch, but want to apply all 20 of the controls. The first two controls of the Center for Internet Security's (CIS) Critical Controls are based around inventory; in my experience, they're also often overlooked by most security teams at the level that the CIS and NIST address them. Knowledge and control of inventory is an essential security architecture need - done properly, it gives the security team very strong awareness of the organization's network and personnel environment, and significantly improves detection and response aspects of any security program.
The second control, “Inventory of Authorized and Unauthorized Software” is split into 4 sections, each dealing with a different aspect of software management. Much like Control 1, “Inventory of Authorized and Unauthorized Devices”, this control addresses the need for awareness of what’s running on your systems and network, as well as the need for proper internal inventory management. The CIS placed these controls as the "top 2" in much the same way that the NIST Cybersecurity Framework addresses them as "priority 1" controls on the 800-53 framework; inventory and endpoint-level network awareness is critical to decent incident response, protection and defense.
What it is:
The Inventory of Authorized and Unauthorized Software is part of the “systems” group of the 20 critical controls. The theme of the control is fairly simple: You should be able to see what software is on your systems, who installed it, and what it does. You should be able use this information to prevent unauthorized software from being installed on endpoints. The control is well outlined in NIST Special Publication 800-167, and relates back to NIST 800-53 and Cybersecurity Framework recommendations. High-maturity organizations often address the automation and management sections of this control well, but Rapid7 sees gaps around software configuration control based on inventory due to the perceived complexity of implementing software inventory management systems, or endpoint management clients.
How to implement it:
Many of the methods used to implement the inventory of authorized and unauthorized software will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management (Controls 1,6,10, 14, 15, 17 and 19). Specifically, Local Administrator access and install rights should not be granted for most users. This limitation also assists with other critical controls that deal with access and authentication. Limiting who can install software also limits who can click “ok” on installations that include malware, adware and other unwanted code. The added bonus to successful removal of admin rights is the lowering of the shadow IT footprint in most organizations, contributing to better internal communication and security awareness.
Once installation rights have been limited, any whitelisting or blacklisting processes should be done in stages, typically starting with a list of unauthorized applications (a blacklist), and finishing with a list of authorized applications that make up the whitelist. This can be rolled out as an authorized software policy first, and followed up with scanning, removal and then, central inventory control. Successful implementations of software inventory control often focus on bridging system configuration management services and software blacklisting and whitelisting. The inventory management portion is usually based on a software inventory tool or endpoint management services such as SCCM, Footprints, or GPO and local policy controls on windows.
Beyond administrator and installation rights limiting, and blacklisting, some form of integrity checking and management should be set up. This is possible using only OS-based tools in most cases, and Microsoft includes integrity management tools in Windows 10. Typically, OS level integrity management tools rely on limiting installation based on a list of trusted actors (Installers, sources, etc). In more comprehensive cases, such as some endpoint protection services, there are heuristic and behavior based tools that monitor critical application libraries and paths for change. Since integrity management is intrinsically tied to malware prevention and data protection, implementing this section of the control actually assists with Controls 8,9 and 14: Browser and e-mail configuration, Malware Defenses and Data Protection.
- Aside from AppLocker, Microsoft allows GPO based whitelisting for supported versions of Windows. These can be edited locally using “secpol.msc” on everything but the “Home” versions of Windows. Organizations with domain controllers or centrally managed Group Policy Objects can use the same process by accessing “software restriction policies” and adjusting the “designated file types” object to include authorized software. This method is effective for workstations with limited software needs, and single-purpose systems such as application servers or virtual machines that run dedicated software. Apple’s OSX and most flavors of Linux have similar features, although they may be a little harder to access.
- Most endpoint protection suites have some form of integrity protection included as an add-on. Your milage may vary with this, since it can be tricky to tune the alerts from these services, but they're a helpful addition to the software integrity side of things, and can be used as a primary means of integrity control in cases where there's already a good inventory in place.
- For more general-purpose workstations, a number of client based solutions exist, ranging from antivirus and endpoint protection suites that limit software from a central console to tools like Carbon Black, Power Broker, and the Authority Management Suite integrated into Dell’s KACE.
Software inventory management is an important enough topic in security that The National Institute of Standards and Technology has published a guide to implementing software whitelisting which covers most of Control 2. It's part of their cybersecurity series, and is available for free on the NIST website as a PDF or by searching the site for publication 800-167. As I mentioned above, this control, and the device inventory control are critical to having a responsive security program; getting the inventory side of the office in order will cut down on the amount of work needed when an incident arises, and will make policy development and enforcement far easier.