Critical Control 2: Inventory of authorized and unauthorized software; enforcement of white lists of authorized software.
How do attackers exploit the lack of this control?
Computer attackers deploy systems that continuously scan the address spaces of target organizations, looking for vulnerable versions of software that can be remotely exploited. Sophisticated attackers may use “zero-day” exploits, which take advantage of vulnerabilities for which the software vendor has not yet released a patch. Organizations that do not enforce white lists of authorized applications make their systems more vulnerable: such machines are more likely to be running software that is unneeded for business purposes, and every unneeded program is a potential source of security flaws. Furthermore, machines without white lists of authorized applications give attackers an easier target on which to run their own unauthorized software. Once a single machine is exploited, the attackers use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. Compromised machines are also used as a launching point for movement throughout the network and into partner networks, so one compromised machine can turn into many. Organizations that do not have complete software inventories cannot find systems running software likely to have been compromised by exploits, because they do not know which systems are running what software.
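The two defensive uses this paragraph implies, checking each host's installed software against a white list of authorized applications and asking "which systems run this package at this version?", as an added Python example that is not part of the Critical Controls document. The host names, versions, allowlist layout and the `dpkg-query`-style inventory lines are constructed for the example.

```python
# Added example, not from the Critical Controls document: audit per-host
# software inventories against an allowlist of authorized packages and
# query which hosts run a given package/version. Inventory lines mimic
# `dpkg-query -W -f='${Package} ${Version}\n'`; all values are constructed.

# Constructed inventories, one "package version" pair per line.
INVENTORIES = {
    "web01": "openssh-server 1:9.2p1-2+deb12u3\nnginx 1.22.1-9\ntelnet 0.17-50\n",
    "web02": "openssh-server 1:9.2p1-2+deb12u1\nnginx 1.22.1-9\nosquery 5.10.2-1\n",
}

# Constructed allowlist: package -> approved versions; REQUIRED lists
# software every host must carry (here the inventory agent itself).
ALLOWLIST = {
    "openssh-server": {"1:9.2p1-2+deb12u3"},
    "nginx": {"1.22.1-9"},
    "osquery": {"5.10.2-1"},
}
REQUIRED = {"osquery"}


def parse_inventory(text):
    """Return {package: version}; malformed lines are skipped."""
    inv = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            inv[parts[0]] = parts[1]
    return inv


def audit(inventory, allowlist=ALLOWLIST, required=REQUIRED):
    """Flag unlisted packages, unapproved versions and missing required software."""
    findings = {"unauthorized": [], "bad_version": [], "missing": []}
    for pkg, ver in sorted(inventory.items()):
        if pkg not in allowlist:
            findings["unauthorized"].append(pkg)
        elif ver not in allowlist[pkg]:
            findings["bad_version"].append((pkg, ver))
    findings["missing"] = sorted(required - set(inventory))
    return findings


def hosts_running(inventories, package, version=None):
    """Hosts whose inventory shows `package`, optionally at an exact version."""
    hits = []
    for host, text in inventories.items():
        inv = parse_inventory(text)
        if package in inv and (version is None or inv[package] == version):
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    for host, text in INVENTORIES.items():
        print(host, audit(parse_inventory(text)))
```

Feeding `hosts_running` a package and the version named in a vendor advisory answers the "which systems are affected?" question the paragraph says inventory-less organizations cannot answer.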
How can this control be implemented, automated, and its effectiveness measured?
Vis/Attrib: Deploy software inventory tools throughout the organization covering each of the operating system types in use, including desktop, server, and network devices. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level. The tool should also