NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Security Team Intelligence

SANS Critical Control 2: Inventory of Authorized and Unauthorized Software

Yesterday, I published the first blog post on mapping SANS 20 critical security controls to Unified VRM. The post dealt with the Control 1 – Inventory of authorized and unauthorized devices – https://www.sans.org/critical-security-controls. You can find the blog post here – Achieving SANS 20 Critical Security Controls with Unified VRM.

In today’s blog post I will address how Unified VRM could be used to implement the SANS Critical Control 2 – Inventory of Authorized and Unauthorized Software – https://www.sans.org/critical-security-controls/control/2.

Most of targeted attacks to enterprises are carried out using a combination of social engineering, phishing emails and software vulnerabilities – Java, Adobe Flash and Acrobat, Firefox and Chrome plugins, 0-day client-side / browser vulnerabilities. These attacks are particularly insidious to prevent because of the proliferation of authorized and authorized software and software versions in the enterprise, some which remain vulnerable to this day.

With Control 2 SANS suggests to:

Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system. A strict change-control process should also be implemented to control any changes or installation of software to any systems on the network.”

and to:

Devise a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.”

 

Obviously, mapping all authorized and unauthorized software across the enterprise servers and workstations can represent a daunting challenge.

Unified VRM can help in several ways:

1. Performing an authenticated scan of the entire enterprise by building a customized scan template selecting the check “CPE-based inventory”.  This scan template will log into every target host – providing appropriate domain admin credentials – and it will list all the software and related versions installed in the host. This task can be performed using Unified VRM internal security assessment module. This will create a list of all installed software and related versions in all target network hosts.

2. Unified VRM implements also the concept of CPE-based policy check. This can be implemented within the Unified VRM Configuration Review module. A configuration template can be implemented to match the enterprise authorized software policies listing all authorized software and related versions. This list is implemented into a CPE-based policy. Through a configuration scan targeting all the hosts in an enterprise unauthorized softwares and version will be flagged as policy violations. These exceptions can be then analyzed and remediated via Unified VRM social remediation capabilities.

Unified VRM being CPE compliant is able to natively recognize every software installed in target hosts and compare it with an policy-based authorized software list to determine which softwares and versions are installed in violation to the policy.

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.