ClickCease
Jul 29, 2021

Using the New Version of CIS Control 2 to Manage Software Assets

CIS Controls thumbnail

In May 2021, the Center for Internet Security released Version 8 of its CIS Controls framework, to address the increase in types of connected devices and the impact of remote work on network security.

With the update, now is a good time to ensure that your organization’s software management is comprehensive and effective. That starts with identifying all the hardware that’s running software in your environment, to make sure you don’t miss any apps or operating systems that might make your network vulnerable.

Ransomware attacks on healthcare, fuel distribution, food production, education and transportation are on the rise, and criminals seem to be targeting industries that lag in terms of software management best practices. Unfortunately, many industries are lagging on software security. For example, 58% of healthcare and public health organizations enrolled in CISA’s vulnerability scan service “were using unsupported legacy or end-of-life software and OS” in 2020.

Comprehensive software asset management can protect your organization. CIS Control 2 guides organizations through the process of identifying, monitoring and automating management for all network software, to allow only authorized, supported software and exclude unknown programs from executing. Let’s take a closer look at what’s involved.

What’s New in CIS Controls Version 8?

CIS streamlined and reorganized the Controls for Version 8 to help organizations improve security in increasingly complex and dynamic environments. Now, there are 18 Controls instead of 20 and 153 Safeguards (previously called Sub-Controls) grouped within and across Controls by Implementation Groups (IGs).

CIS Controls Implementation Groups

Source: CIS Implementation Groups Handout

The three IGs are “based on the risk profile and resources an enterprise has available,” and they’re meant to be implemented sequentially. Every organization should start by implementing the 56 Safeguards in IG1, which address what CIS calls “basic cyber hygiene.” For small organizations without extensive cybersecurity resources and which don’t handle sensitive data, implementing IG1 may be enough to protect their operations from most of the threats they face.

Organizations with multi-department IT infrastructure and/or the cybersecurity resources to implement more Safeguards can then address IG2’s 74 recommendations. These are aimed at securing more complex environments with varying levels of risk across the enterprise.

IG3 includes 23 Safeguards designed to help organizations that handle sensitive or confidential data. The goal of these Safeguards, which require IT security expertise, is to minimize the risks that advanced cyber attacks present.

What Software Security Practices Does the New CIS Control 2 Include?

Each of the seven Safeguards in this Control adds a layer of protection for the software on your network. As with Control 1 for hardware, CIS Control 2 starts software asset management with a comprehensive and continuously maintained inventory (2.1, IG1).

The next step is making sure that authorized software is supported by the publisher (2.2, IG1), to reduce the risk of vulnerabilities that can’t be patched. For example, some e-commerce businesses still run their websites on the deprecated Magento 1 platform, which Adobe stopped supporting in June 2020 after two years of notices. More than 2,000 businesses running the unsupported software were hit with automated Magecart attacks in September 2020—an attack that involved customers’ private data and may put affected businesses at risk of GDPR fines.

With programs identified and made visible, your team can see which apps and operating systems are unauthorized and create a plan to deal with them (2.3, IG1). Unauthorized software can be anything from games and shadow IT that well-meaning employees have installed to malicious code that threatens your operations.

With those basic cyber hygiene steps taken, the next step is to integrate your software inventory tools and unify your data for more efficient software management across the enterprise (2.4, IG2). Then, using those tools to create allowlists for authorized software, libraries, scripts (2.5-2.7, IG2, IG3) can make your software controls even more efficient and free your IT team to focus on other tasks.

CIS Control 2

Source:CIS Implementation Groups Handout

The goal of these safeguards is to ensure that you know exactly what’s running on your network so you can make certain that it’s all up to date, supported, and authorized. Removing existing unauthorized software and blocking new unauthorized software are keys to preventing ransomware attacks and other network intrusions.

What Are the Hurdles Between Your Team and Full CIS Control 2 Implementation?

Invisible software. Effective control of software assets starts with identification of all devices, as described in CIS Control 1. If your existing scanning tools can’t see every device—for example, virtual machines, connected medical equipment and unagentable industrial control systems—then they won’t be able to see all of the software in your environment.

Complex environments. Wireless security cameras and sensors, networked printers, patient wearables, smart HVAC and building-management systems, OT and ICS devices and smart devices like TVs and speakers can introduce a whole new constellation of programs, operating systems, update requirements and vulnerabilities to your network.

Some of these devices will follow the same kind of vulnerability-identification and patch-release cycle that traditional computer software follows. But for some devices, the manufacturer may never publish firmware updates, even when there are known vulnerabilities. What’s more, some of the software or operating systems on these devices may be published by companies that end up on government blacklists and need to be flagged and removed from the network. In these cases, awareness of the issue is the key to effective risk management.

BYOD and remote access. Remote work and bring-your-own-device policies have helped companies adapt to changing conditions, but these practices also pose software security risks.

For example, employees may install unauthorized software on their work devices. Or they may log in from personal devices that are infected with malware that then can access your network.

The security of remote workers’ home networks can also impact the security of your enterprise network—for example, many homeowners don’t know they need to change the default passwords on connected devices like routers and smart speakers. Attackers searching online for unprotected devices can find their way in remotely using those unchanged credentials.

Phishing is another common vector for malware and ransomware attacks. For example, researchers believe the Colonial Pipeline ransomware attack started with a phishing email. And unfortunately, phishing campaigns surged with the 2020 transition to remote work and show no sign of slowing down.

The need for always-on monitoring. A lot can happen between scheduled scans. New devices and software can tap into your network, malware can make changes, and new vulnerabilities can be discovered. A solution that provides passive, continuous monitoring can show you all the software-related activity on your network in real time and log it for review.

Data silos can slow down software management and threat response. Your software management solution needs to integrate with your ITAM and other security management solutions to get software data out of silos and unify it for easier automation and review.

With so many challenges to getting software asset management right, let’s look at what it takes.

What Does Proper CIS Control 2 Implementation Look Like?

To implement CIS Control 2 effectively, you first have to put Control 1 safeguards in place, especially the requirements to actively and passively identify all devices that operate on your network. The Armis Agentless Device Security Platform automates discovery, identification and documentation of every device—agented, unagented, virtual, and transient—without the risk of device disruption that legacy network scans can cause.

The Armis Platform then automatically discovers and documents all software operating on the network (2.1) and analyzes all programs and operating systems for required updates, known vulnerabilities, publisher support status (2.2) and authorization status (2.3) within the organization.

The Armis Platform also integrates with your asset-management database, network scanners, and host and patch-management solutions (2.4) to pull their data out of silos so it’s easier for your IT and security teams to address software-related vulnerabilities and risks. The platform also prevents installation or execution of unauthorized programs and helps IT managers develop enterprise-wide whitelists and blacklists for software, libraries and scripts (2.5-2.7).

With all CIS 2 Safeguards enabled, your organization is better protected from software-related security problems and has more of the information you need to prioritize your IT team’s security responses.

Implement CIS Controls Version 8 better With Total Software Visibility

The risks of unauthorized, unpatched and unsupported software are serious, and the stakes are rising as ransomware attack rates continue to climb. Now’s the time to adopt a comprehensive, automated solution that identifies every program on every device, tracks version migration, monitors all software changes, and unifies software data from your IT and security management solutions so you can see what’s supposed to be on your network, keep it up to date, and keep unauthorized programs out.

Learn more about implementing Control 2 and the other CIS Controls with Armis. Get your copy of the CIS Controls white paper.

Get Updates

Sign up to receive the latest from Armis.