Critical Security Controls – What’s installed, running, and able to run on your business computers
Critical Security Control 2 advances the framework into the inventory and control of Software installed and running on the computer assets within an organization.
CSC 2 – Inventory and Control of Software Assets
Software is what delivers the value through the complex systems we call “computer networks”. The same utility that an organization derives from its software, so too can attackers. Attacks against vulnerable software can lead to system compromise and ultimately remote exploitation. These range from weaponized document files, to media files, to complex internet browser-based attacks through compromised websites. Each piece of software introduces potential vulnerabilities and risks into the organization. Unneeded, malicious, and/or out-of-date software each introduce an additional vector of attack which can be used to gain a foothold into a business computer network.
Critical Security Control 2 demands that business network administrators quantify what software is both approved to run and what is installed on all business computers. With modern technology i.e. mobile phones, tablets, laptops, etc., controlling what is installed on each mobile device is more critical than ever. If restricting access to corporate information systems by non-company-owned devices isn’t an option, then implementing strong compensation security controls could be critical to limiting attack surface and ensuring the security & privacy of business information on these devices. Deploying meaningful unauthorized software mitigation tools, such as Application whistling or Application Execution Limitation implements all of the requirements of the second control.
CSC 2 serves as the foundation of systems functionality onto which many of the additional controls are built upon. It affords system administrators the ability to know and control what software should be allowed on each network-attached device and reconcile that which is installed against this list. Furthermore, it provides a policy foundation from which an organization’s business software decisions can be based while defining a continuum of software supportability.
For a deeper understanding of CSC Control 2, check out CIT’s CSC Controls 2 blog.