SANS Top 20 Critical Control #2: Inventory of Authorized and Unauthorized Software

1 minute read Ken Kantzer on

CISOs have a tough job. They are faced with securing data across thousands of devices. They are often brought in after a bad breach and are asked to make sure “it never happens again.” Throw in ISO/IEC 27001 or PCI-DSS compliance reporting, and it can lead to an overwhelmed question: when it comes to developing a roadmap for my company’s security, where is the best to start?

The Crux of the Control

Again, the same Golden Rule principle on devices applies to software: know what you have. No user on your systems should be able to install an executable onto a company device without the approval of security. This may seem like a draconian policy (and a short-circuit process does have to be in place for certain technology-heavy teams like R&D or the dev team), but it’s necessary. Whitelists work, whereas blacklists do not.

The PKC Insight

Two key considerations here. First,for software there’s a second important maxim: outdated software, no matter how legitimate, should be treated as seriously as a malware incident. The barrier of entry to exploit a known vulnerability is so low that anything but a no-tolerance policy for unpatched software is a death wish for a CISO.

Secondly, the last post covered the necessity to have a comprehensive and automated system inventory in place, the same thing is true of software inventories, but it’s even more crucial to have an automated system in place because software receive updates incessantly: no systems administrator can keep up via manual means.

Looking ahead 3 years, whereas the growth of hardware will be mostly flat, there’s going to be a lot more software:

Gartner Forecasted HW vs SW Growth

For the CISO, this means investing more heavily in ways to keep track of a growing list of software products (not to mention web-based and mobile-based apps).

The previous article talked about the first SANS Top 20 control: Inventory of Authorized and Unauthorized Device

The next article will talk about the third SANS Top 20 control: Controlled Use of Administrative Privileges


Ken is a Founding Partner of PKC