Today, I will be going over CIS Control 2 from version 8 of the top 18 CIS Controls – Inventory and Control of Software Assets. Version 7 of CIS Controls had 10 requirements, but in version 8, it’s simplified down to seven safeguards. I will go over those safeguards and offer my thoughts on what I’ve found.
Key Takeaways for Control 2
- Reusability. The tools that were mentioned in CIS Control 1 will also be used in CIS Control 2. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut costs as well as help you gain familiarity and knowledge of the extent of the tools’ capabilities.
- Establish a secure baseline. Establishing a baseline of installed software enables an organization to respond to active threats, avoid license violations, and identify unnecessary security risks. Commercial software inventory and vulnerability scanning tools can assist in this process.
- Enforce with an allowlist. Many options exist for defining precise allowlists that govern which software, libraries, or scripts may execute on a system. A strong policy can impede attackers who are attempting to gain elevated access to a system.
Safeguards for Control 2
2.1) Establish and Maintain a Software Inventory
Description: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry. Where appropriate, it must also include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. It’s important to review and update the software inventory bi-annually or more frequently.
Notes: This safeguard is supported by safeguard 2.4 regarding automated software inventory. Automated tools can greatly help with developing and maintaining the software inventory, as required by this safeguard. Have a document or database ready (Read more...)
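The baseline and allowlist ideas from the key takeaways, together with the inventory fields listed in safeguard 2.1, can be illustrated with a small script. The following is an added example, not code from the original post or from CIS; the products, publishers, dates and the "title|publisher|version" scan format are all constructed for illustration, and the 182-day review window is an assumption standing in for the bi-annual review the safeguard calls for. It parses a scan of what is installed on a host, diffs it against the baseline inventory (which doubles as the allowlist), and flags entries whose review is overdue.

```python
"""Software baseline / allowlist check (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SoftwareEntry:
    """One row of the software inventory; fields follow safeguard 2.1."""
    title: str
    publisher: str
    version: str
    install_date: date
    purpose: str
    last_reviewed: date


# Constructed baseline inventory: hypothetical products, not real data.
BASELINE = {
    "Acme Editor": SoftwareEntry("Acme Editor", "Acme Corp", "4.2.1",
                                 date(2023, 1, 10), "Document editing", date(2024, 2, 1)),
    "Widget VPN": SoftwareEntry("Widget VPN", "Widget Ltd", "2.0.0",
                                date(2023, 3, 5), "Remote access", date(2023, 6, 15)),
    "SafeScan AV": SoftwareEntry("SafeScan AV", "SafeScan Inc", "11.3",
                                 date(2022, 11, 20), "Endpoint protection", date(2024, 3, 1)),
}

# Constructed scan output from one host, one "title|publisher|version" line each.
OBSERVED_SCAN = """\
Acme Editor|Acme Corp|4.2.1
Widget VPN|Widget Ltd|2.1.0
Mystery Tool|Unknown|0.9
"""

# Date the report is run (constructed); the review window is an assumption.
REPORT_DATE = date(2024, 4, 1)
REVIEW_WINDOW_DAYS = 182


def parse_scan(text):
    """Parse the constructed scan format into {title: (publisher, version)}."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        title, publisher, version = (part.strip() for part in line.split("|", 2))
        found[title] = (publisher, version)
    return found


def compare_to_baseline(baseline, observed):
    """Classify observed software against the baseline, which acts as the allowlist.

    unauthorized  - installed but absent from the inventory
    version_drift - in the inventory, but a different version is installed
    missing       - in the inventory, but not found on the host
    """
    unauthorized = sorted(t for t in observed if t not in baseline)
    version_drift = sorted(
        t for t, (_, ver) in observed.items()
        if t in baseline and baseline[t].version != ver
    )
    missing = sorted(t for t in baseline if t not in observed)
    return {"unauthorized": unauthorized, "version_drift": version_drift, "missing": missing}


def overdue_reviews(baseline, today, max_age_days=REVIEW_WINDOW_DAYS):
    """Inventory entries whose last review is older than the review window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(t for t, e in baseline.items() if e.last_reviewed < cutoff)


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE, parse_scan(OBSERVED_SCAN))
    for category, titles in report.items():
        print(f"{category:14s}: {titles}")
    print(f"overdue review: {overdue_reviews(BASELINE, REPORT_DATE)}")
```

On the constructed input the script reports Mystery Tool as unauthorized, Widget VPN as drifted from its baseline version, SafeScan AV as missing from the host, and Widget VPN as overdue for review. In practice the scan text would come from a commercial inventory or vulnerability scanner, as the takeaways suggest, and the "unauthorized" list is the one that feeds an allowlist enforcement decision.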
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Matthew Jerzewski. Read the original post at: https://www.tripwire.com/state-of-security/controls/cis-control-2/