SANS Critical Control 2: Inventory of Authorized and Unauthorized Software
- Jun 20, 2013
- Michelangelo Sidagni
Yesterday, I published the first blog post on mapping the SANS 20 critical security controls to Unified VRM. That post dealt with Control 1 – Inventory of Authorized and Unauthorized Devices – https://www.sans.org/critical-security-controls. You can find the blog post here – Achieving SANS 20 Critical Security Controls with Unified VRM.
In today’s blog post I will address how Unified VRM could be used to implement the SANS Critical Control 2 – Inventory of Authorized and Unauthorized Software – https://www.sans.org/critical-security-controls/control/2.
Most targeted attacks on enterprises are carried out using a combination of social engineering, phishing emails and software vulnerabilities – Java, Adobe Flash and Acrobat, Firefox and Chrome plugins, 0-day client-side / browser vulnerabilities. These attacks are particularly hard to prevent because of the proliferation of authorized and unauthorized software and software versions in the enterprise, some of which remain vulnerable to this day.
With Control 2, SANS suggests that organizations:
“Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system. A strict change-control process should also be implemented to control any changes or installation of software to any systems on the network.”
and to:
“Devise a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.”
Obviously, mapping all authorized and unauthorized software across the enterprise's servers and workstations can be a daunting challenge. Unified VRM can address it in two ways:
1. Perform an authenticated scan of the entire enterprise by building a customized scan template with the “CPE-based inventory” check selected. Given appropriate domain admin credentials, this scan template logs into every target host and lists all the software, with its versions, installed on that host. This task can be performed with the Unified VRM Internal Security Assessment module and produces a list of all installed software and related versions across all target network hosts.
2. Unified VRM also implements the concept of a CPE-based policy check, within the Unified VRM Configuration Review module. A configuration template can be built to match the enterprise's authorized software policy, listing all authorized software and related versions; this list is implemented as a CPE-based policy. A configuration scan targeting all the hosts in the enterprise then flags unauthorized software and versions as policy violations. These exceptions can then be analyzed and remediated via Unified VRM's social remediation capabilities.
Because Unified VRM is CPE compliant, it can natively recognize every piece of software installed on the target hosts and compare it with the policy-based authorized software list to determine which software and versions are installed in violation of the policy.
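To make the two steps above concrete, here is an added example (not Unified VRM code, and not from the original post) of what a CPE-based policy check boils down to: a per-host inventory of installed software expressed as CPE 2.3 names, compared against an authorized-software policy that maps each vendor:product pair to a minimum authorized version. The inventory and policy below are constructed sample data; the vendor and product names follow the public CPE dictionary, but the hosts, versions and policy are invented for the example. Software absent from the policy is reported as unauthorized software; software that is listed but older than the authorized minimum is reported as an unauthorized version.

```python
"""Added example: flag installed software that violates an authorized-software policy.

Installed software is described with CPE 2.3 formatted strings (the shape a
CPE-based inventory produces). The policy maps an authorized vendor:product
pair to the minimum authorized version ("*" = any version is authorized).
"""
import re

# Constructed inventory (not real scan output): host -> CPE 2.3 names of installed software.
INVENTORY = {
    "ws-001": [
        "cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:flash_player:11.7.700.202:*:*:*:*:*:*:*",
        "cpe:2.3:a:mozilla:firefox:21.0:*:*:*:*:*:*:*",
    ],
    "ws-002": [
        "cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*",
        "cpe:2.3:a:adobe:acrobat_reader:9.5.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:mozilla:firefox:21.0:*:*:*:*:*:*:*",
    ],
}

# Constructed policy (hypothetical): authorized vendor:product -> minimum authorized version.
POLICY = {
    "oracle:jre": "1.7.0",
    "adobe:flash_player": "11.7.700.202",
    "mozilla:firefox": "*",
}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into part, vendor, product and version.

    A formatted string has exactly 13 colon-separated fields. Escaped colons
    ("\\:") inside a field are not handled by this simple split.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %s" % cpe)
    return {"part": fields[2], "vendor": fields[3],
            "product": fields[4], "version": fields[5]}


def version_key(version):
    """Turn '1.7.0' or '11.7.700.202' into a tuple that compares chunk by chunk.

    Numeric chunks compare as integers; non-numeric chunks sort after numeric
    ones so that mixed tuples never raise a type error.
    """
    return tuple((0, int(c)) if c.isdigit() else (1, c)
                 for c in re.split(r"[.\-_]", version))


def check_inventory(inventory, policy):
    """Return one finding per installed package that violates the policy.

    The CPE 'update' field (e.g. Java's update21) is deliberately ignored here;
    a production policy would normally compare it as well.
    """
    findings = []
    for host, cpes in sorted(inventory.items()):
        for cpe in cpes:
            entry = parse_cpe23(cpe)
            key = "%s:%s" % (entry["vendor"], entry["product"])
            minimum = policy.get(key)
            if minimum is None:
                # Not on the authorized list at all.
                findings.append({"host": host, "product": key, "version": entry["version"],
                                 "reason": "unauthorized_software", "cpe": cpe})
            elif minimum != "*" and version_key(entry["version"]) < version_key(minimum):
                # Authorized product, but an older version than the policy allows.
                findings.append({"host": host, "product": key, "version": entry["version"],
                                 "reason": "unauthorized_version",
                                 "detail": "below authorized minimum %s" % minimum,
                                 "cpe": cpe})
    return findings


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, POLICY):
        print("%-8s %-22s %-14s %s %s" % (f["host"], f["product"], f["version"],
                                          f["reason"], f.get("detail", "")))
```

Run as-is, the script reports nothing for ws-001 and two violations for ws-002: the Java runtime at 1.6.0 is below the 1.7.0 minimum, and Acrobat Reader is not on the authorized list at all. In practice the policy would be maintained per system type (servers, workstations, laptops), as the SANS text recommends, and findings would feed the change-control and remediation process rather than just a printout.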