monitor for unauthorized software.
Vis/Attrib: Ensure that software inventory monitoring tools are operational by periodically installing several software updates and new packages on hardened control machines in the network and measuring how long it takes for the software inventory to reflect the changes. Such updates should be chosen for the control machines so that they do not negatively impact production systems on the network. Also measure the organization’s response activities when unauthorized software is installed in the environment.
Config/Hygiene: A policy is also required to force all drivers to be digitally signed, and the organization should configure systems to block the loading of drivers that are not signed by a trusted software vendor. Both Windows Vista and Windows XP include configuration options that can enforce driver signing across an organization. Strictly loading only signed drivers is a crucial step toward blocking intruders from taking control of systems via rootkits that modify the core of the operating system.
Procedures and tools for implementing and automating this control:
Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises on Microsoft Windows and other machines, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging the standardized application names in CPE (Common Platform Enumeration).
Features that implement whitelists and blacklists of programs allowed to run or blocked from executing are included in modern endpoint security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based intrusion detection and intrusion prevention systems (IDS and IPS). In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists and blacklists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules permitting execution of specific programs only by certain users and at certain times of day, as well as blacklists based on specific signatures.
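The following is an added illustration, not code from any of the products described above, of how such an execution-control policy is evaluated: a blacklist checked first, then a whitelist, then graylist rules with user and time-of-day conditions, matching on path, hash, or regular expression. The sample rules, paths, and file contents are constructed, and default-deny for unmatched programs is an assumption of the example.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    kind: str                # "path", "hash" or "regex": the matching modes named above
    pattern: str
    users: set = field(default_factory=set)  # graylist only: empty set means any user
    hours: tuple = (0, 24)   # graylist only: allowed hour window [start, end)

    def matches(self, path, digest):
        if self.kind == "path":
            return path.lower() == self.pattern.lower()
        if self.kind == "hash":
            return digest == self.pattern
        if self.kind == "regex":
            return re.search(self.pattern, path, re.IGNORECASE) is not None
        raise ValueError(f"unknown rule kind {self.kind!r}")


# Constructed sample policy (hypothetical paths and file contents).
EVIL_DIGEST = hashlib.md5(b"constructed malicious sample").hexdigest()
BLACKLIST = [Rule("hash", EVIL_DIGEST)]
WHITELIST = [Rule("path", r"C:\Windows\System32\notepad.exe"),
             Rule("regex", r"^C:\\Program Files\\Office\\.*\.exe$")]
GRAYLIST = [Rule("regex", r"\\tools\\remote_admin\.exe$", users={"admin"}, hours=(8, 18))]


def decide(path, content, user, hour):
    """Return "allow" or "block" for one execution request.

    Evaluation order: blacklist first (an explicit deny always wins, even for a
    whitelisted path), then the whitelist, then graylist rules with their user
    and time-of-day conditions. Anything unmatched is blocked (assumed default-deny).
    """
    digest = hashlib.md5(content).hexdigest()  # MD5 as on the page; prefer SHA-256 today
    if any(r.matches(path, digest) for r in BLACKLIST):
        return "block"
    if any(r.matches(path, digest) for r in WHITELIST):
        return "allow"
    for r in GRAYLIST:
        if r.matches(path, digest):
            user_ok = not r.users or user in r.users
            start, end = r.hours
            if user_ok and start <= hour < end:
                return "allow"
    return "block"


if __name__ == "__main__":
    print(decide(r"C:\tools\remote_admin.exe", b"admin tool", "admin", 9))  # allow
    print(decide(r"C:\tools\remote_admin.exe", b"admin tool", "bob", 9))    # block
```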
Once software inventory and execution control products are deployed, they can be evaluated by attempting to run a black listed program or a program that is not on the