Page 21 - CYBERSECURITY ESSENTIALS FOR BUSINESS OWNERS
02 - INVENTORY AND CONTROL OF SOFTWARE ASSETS
Safeguards: Total 7 | IG1 3/7 | IG2 6/7 | IG3 7/7
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
THE SAFEGUARDS

Safeguard                                              Asset Type    Security Function   IG1  IG2  IG3
2.1 Establish and Maintain a Software Inventory        Applications  Identify            x    x    x
2.2 Ensure Authorized Software is Currently Supported  Applications  Identify            x    x    x
2.3 Address Unauthorized Software                      Applications  Respond             x    x    x
2.4 Utilize Automated Software Inventory Tools         Applications  Detect                   x    x
2.5 Allowlist Authorized Software                      Applications  Protect                  x    x
2.6 Allowlist Authorized Libraries                     Applications  Protect                  x    x
2.7 Allowlist Authorized Scripts                       Applications  Protect                       x

IG1, IG2, IG3 = Implementation Group 1, 2, 3 (an "x" marks the groups the safeguard applies to; each group includes the safeguards of the groups before it).

Why Is This CIS Control Critical?
A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine whether it has vulnerable software, or whether there are potential licensing violations.

Even if a patch is not yet available, a complete software inventory allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use "zero-day exploits," which take advantage of previously unknown vulnerabilities for which the software vendor has not yet released a patch. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures, such as disabling the affected component or restricting access to the affected systems, to guard against attacks until the patch is released. It can only do so, however, if it knows which of its assets are running the affected software.

Management of software assets is also important for identifying unnecessary security risks. An enterprise should review its software inventory to identify any enterprise assets running software that is not needed for business purposes. For example, an enterprise asset may come with default software installed that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprise's infrastructure.
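The following is an added example, not code from this brochure or from CIS, showing the mechanics behind Safeguards 2.1 through 2.4 on a single Debian/Ubuntu host: an inventory is collected in the format `dpkg-query -W -f='${Package}\t${Version}\n'` prints, compared against an allowlist of authorized software that records a business owner and a vendor support end date, and the result lists unauthorized software (2.3) and authorized software that is no longer supported (2.2). The sample package list, the allowlist and every support end date are constructed for the example and are not real vendor dates.

```python
"""Minimal automated software inventory check (added example, not CIS or brochure code).

Assumptions: a dpkg-based host, a constructed package list standing in for live
`dpkg-query` output, and a made-up allowlist with illustrative support end dates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample in the format `dpkg-query -W -f='${Package}\t${Version}\n'` produces.
SAMPLE_DPKG_OUTPUT = """\
openssh-server\t1:8.9p1-3ubuntu0.6
nginx\t1.18.0-6ubuntu14.4
python3\t3.10.6-1~22.04
telnetd\t0.17-44build1
libssl3\t3.0.2-0ubuntu1.12
"""


@dataclass(frozen=True)
class AuthorizedSoftware:
    """One allowlist entry: Safeguard 2.1 asks for an owner and business purpose per title."""
    name: str
    business_owner: str
    support_end: Optional[date]  # None = supported with no announced end date


# Assumed allowlist for the example; the dates are illustrative, not real EOL dates.
ALLOWLIST: Dict[str, AuthorizedSoftware] = {
    "openssh-server": AuthorizedSoftware("openssh-server", "infra-team", None),
    "nginx": AuthorizedSoftware("nginx", "web-team", None),
    "python3": AuthorizedSoftware("python3", "platform-team", date(2026, 10, 31)),
    "libssl3": AuthorizedSoftware("libssl3", "platform-team", date(2024, 1, 1)),
}


def parse_dpkg_output(text: str) -> Dict[str, str]:
    """Turn 'package<TAB>version' lines into {package: version}; blank lines are skipped."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition("\t")
        inventory[name] = version
    return inventory


def check_inventory(inventory: Dict[str, str],
                    allowlist: Dict[str, AuthorizedSoftware],
                    today_iso: str) -> Dict[str, List[str]]:
    """Compare an inventory with the allowlist as of the given ISO date (YYYY-MM-DD).

    unauthorized: installed but not on the allowlist (Safeguard 2.3: remove or document an exception)
    unsupported:  on the allowlist but past its vendor support end date (Safeguard 2.2)
    """
    today = date.fromisoformat(today_iso)
    unauthorized = sorted(name for name in inventory if name not in allowlist)
    unsupported = sorted(
        name for name in inventory
        if name in allowlist
        and allowlist[name].support_end is not None
        and allowlist[name].support_end < today
    )
    return {"unauthorized": unauthorized, "unsupported": unsupported}


def main() -> None:
    inventory = parse_dpkg_output(SAMPLE_DPKG_OUTPUT)
    findings = check_inventory(inventory, ALLOWLIST, "2024-06-01")
    print(f"{len(inventory)} packages inventoried")
    for name in findings["unauthorized"]:
        print(f"UNAUTHORIZED  {name} {inventory[name]}  (not on allowlist)")
    for name in findings["unsupported"]:
        entry = ALLOWLIST[name]
        print(f"UNSUPPORTED   {name} {inventory[name]}  "
              f"(support ended {entry.support_end}, owner {entry.business_owner})")


if __name__ == "__main__":
    main()
```

Run against real hosts by replacing the constructed sample with the output of `dpkg-query -W -f='${Package}\t${Version}\n'` (or the equivalent `rpm -qa` query format on RPM-based systems) and by feeding today's date; the point of the allowlist carrying an owner and a support end date is that an "unsupported" finding already names who must either upgrade the software or record a documented exception, which is what Safeguard 2.2 requires.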
Did You Know?
56% verify asset location only once a year, while 10-15% verify only every five years. Regular asset & inventory maintenance is crucial to keeping accurate records. We can help you with your Software Inventory and Control Management.