Control 2: A Framework for an Offense-informed Defense
As we discussed in our earlier blog post the 20 Critical Security Controls provide a framework in which an organization’s defense can be informed by offensive techniques. We’ve related this to how law enforcement have used successful financial crimes to inform the defense of the financial sector. In this installment, we’re examining Control Two. This control is a ‘Basic control’ and represents one which every organization, regardless of size, in which information (or their client’s/customer’s/partner’s information) is considered an asset should be meaningfully adopted. Control 2 advances the framework into the inventory and control of Software installed and running on the computer assets within an organization.
Critical Control #2
“Understanding what’s installed, running, and able to run on business computers”
“Writing this, it seems as if one is standing on a great precipice overlooking a sea of software and decision-trees of risk stemming from each piece.”
One of the most fundamental value propositions of a business information system is that delivered through its software. Software can range from the most critical Enterprise Resource Planning (ERP) to the trivial utility software needed to view a PDF. Software is what delivers the value through the complex systems we call “computer networks”. The same utility that an organization derives from its software, so too can attackers. Attacks against vulnerable software can lead to system compromise and ultimately remote exploitation. Attackers are constantly launching attacks using this vector. They range from weaponized document files, to media files, to complex Internet browser-based attacks through compromised websites. Each piece of software introduces potential vulnerabilities and risks into the organization. Should poorly controlled computer systems be allowed to run unknown or unmanaged software, the risks and appropriate controls cannot be deployed and managed by the organization. Additionally, unneeded software (such as that which serves no business purpose) introduces additional risk which is often wholly unknown by those charged with safeguarding the organization’s information assets. Identifying and managing the software deployed throughout an organization is critical to its information security posture. Unneeded, malicious, and/or out-of-date (read that unpatched) software each introduce an additional vector of attack which can be used to gain a foothold into a business computer network.
Critical Control 2: Inventory and Control of Software Assets
|Sub-control||Applies to:||Security Function (intention)||Sub-control Title||Description|
|2.1||Applications||Identify||Maintain Inventory of Authorized Software||Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.|
|2.2||Applications||Identify||Ensure Software is supported by Vendor||Ensure that only software applications or operating systems currently supported by the software’s vendor are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.|
|2.3||Applications||Identify||Utilize Software Discovery Tools||Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.|
|2.4||Applications||Identify||Track Software Inventory Information||The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.|
|2.5||Applications||Identify||Integrate Software and Hardware Asset Inventories||The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.|
|2.6||Applications||Respond||Address unapproved software||Ensure that unauthorized software is either removed or the inventory is updated in a timely manner|
|2.7||Applications||Protect||Utilize Application Whitelisting||Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.|
|2.8||Applications||Protect||Implement Application Whitelisting of Libraries||The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc) are allowed to load into a system process.|
|2.9||Applications||Protect||Implement Application Whitelisting of Scripts||The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1,
*.py, macros, etc) are allowed to run on a system.
|2.10||Applications||Protect||Physically or Logically segregate High Risk Applications||Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.|
Making application: Control 2
Control 2 demands that business network administrators quantify what software is both approved to run and what is installed on all business computers. Often this is interpreted to mean the software which is installed on traditional laptop/desktop/tablets. In today’s increasingly mobile and always-connected workforce the need to control what is installed on each network-attached computer is more critical than ever. Unknown and/or unauthorized software introduces new areas of risk, the need for systems administrators to ensure consistent patching, and potential opportunities for an attacker to gain a foothold in the absence of compensating controls.
Taking into account the mobile components of a modern business is critical to meaningfully implement Control 2. We live in the era of BYOD and blended or mixed-use devices, such as personal cell phones and tablets used to check business email accounts. While these devices often sit outside the purview of an organizations’ systems administrators, they none the less connect to important business resources. If restricting access to corporate information systems by non-company-owned devices isn’t an option, then implementing strong compensating security controls could be critical to limiting attack surface and ensuring the security & privacy of business information on these devices. Examples of such controls include Mobile Device Management with device encryption requirements, Mobile Application Management, and/or mandatory data containerization policies.
Adopting Control 2 on traditional internal systems such as servers, workstations, and laptops can still be somewhat challenging. Application vendors don’t always build their software to work well inside of rights-restricted corporate networks. These same applications also often operate within “user space” to circumvent system-level restrictions implemented by corporate software policy. It is this author’s experience that a regularly reviewed multi-layer approach to software security is needed to identify and limit such activity. This is commonly realized through the use of a three layer approach; Identification (detection), Automated enforcement (policy), and Periodic human review (audit). Such an approach permits organizations to meet the needs of sub-controls 2.1-2.5. Deploying meaningful unauthorized software mitigation tools, such as Application Whitelisting or Application Execution Limitation implements all of the requirements of Control 2.
Critical Control 2 serves as the foundation of systems functionality onto which many of the additional controls are built upon. It affords system administrators the ability to know and control what software should be allowed on each network-attached device and reconcile that which is installed against this list. Furthermore, it provides a policy foundation from which an organization’s business software decisions can be based while defining a continuum of software supportability.
Who is Corporate Information Technologies (CIT):
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including Critical Control centric Managed and Co-Managed technology services, information security policy creation & assessment, cybersecurity services, penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations maximize and optimize their technology systems while identifying and mitigating cybersecurity risks presented by those very systems.
Contact us to learn more and let us show you how good I.T. can be!