![CIS Controls v8](/sites/default/files/2023-03/cis_controls_v8_0.png)
Today, I will be going over Control 2 from version 8.1 of the top 18 CIS Controls – Inventory and Control of Software Assets. I will go over the seven safeguards and offer my thoughts on what I’ve found.
Key Takeaways for Control 2
- Reusability. The tools that were mentioned in Control 1 will be used in Control 2 as well. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut costs and will help you gain familiarity and knowledge of the extent of the tools' capabilities.
- Establish a secure baseline. Establishing a baseline of installed software enables an organization to respond to active threats, avoid license violations, and identify unnecessary security risks. Commercial software inventory and vulnerability scanning tools can assist in this process.
- Enforce with allowlists. Many options exist for defining precise allowlists to govern what software, libraries, or scripts may execute on a system. A strong policy can impede attackers attempting to gain elevated access to a system.
Safeguards for Control 2
2.1) Establish and Maintain a Software Inventory
Description: Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually or more frequently.
Notes: The security function associated with this safeguard is Identify. This safeguard is supported by safeguard 2.4 regarding automated software inventory. Automated tools can greatly help with developing and maintaining the software inventory required by this safeguard. Have a document or database ready for frequent updating to ensure you have the latest versions of software. Maintaining current software is critical, as updates often resolve security problems.
2.2) Ensure Authorized Software is Currently Supported
Description: Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If the software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without exception documentation, designate it as unauthorized. Review the software list to verify software support at least monthly or more frequently.
Notes: The security function associated with this safeguard is Identify. Running unsupported software is a major risk because unsupported software no longer receives fixes, which increases the likelihood that attackers will be able to exploit it. If an unsupported software package is necessary for the enterprise, an exception must be requested to determine whether the risk can be accepted.
2.3) Address Unauthorized Software
Description: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly or more frequently.
Notes: The security function associated with this safeguard is Respond. Leaving unauthorized software on an asset exposes the enterprise to unmanaged risk. The inventory produced by safeguard 2.1 should be compared against what is actually installed on the live network on at least a monthly basis. It is critical to remove or quarantine any software that has been flagged.
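The three safeguards above describe one reconciliation loop: keep an inventory with the 2.1 fields, designate unsupported entries without an exception as unauthorized (2.2), and compare discovery results against the inventory so that anything unauthorized is flagged for removal or quarantine (2.3). The following Python script is an added illustration of that loop, not code from the original post or from any CIS or Tripwire tool. The inventory rows, discovered packages, review intervals (bi-annual taken as 182 days, monthly as 30 days) and the date used as "today" are constructed sample values.

```python
"""Reconcile a software inventory against discovery results (CIS safeguards 2.1-2.3)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the software inventory required by safeguard 2.1."""
    title: str
    publisher: str
    version: str
    install_date: date
    business_purpose: str
    supported: bool                     # vendor still supports this version (safeguard 2.2)
    exception_id: Optional[str] = None  # documented exception with residual-risk acceptance
    last_reviewed: date = date(2000, 1, 1)


@dataclass(frozen=True)
class DiscoveredSoftware:
    """A package reported on an asset by an automated discovery tool (safeguard 2.4)."""
    host: str
    title: str
    version: str


# Assumed review intervals: 2.1 bi-annually (six months), 2.2 monthly.
INVENTORY_REVIEW_DAYS = 182
SUPPORT_REVIEW_DAYS = 30


def reconcile(inventory, discovered, today):
    """Return findings: unauthorized installs, unsupported entries lacking an exception,
    and inventory entries whose periodic review is overdue."""
    findings = {
        "unauthorized": [],
        "unsupported_no_exception": [],
        "inventory_review_overdue": [],
        "support_review_overdue": [],
    }
    authorized = set()
    for entry in inventory:
        key = (entry.title, entry.version)
        # 2.2: unsupported software without a documented exception is unauthorized.
        if not entry.supported and entry.exception_id is None:
            findings["unsupported_no_exception"].append(key)
            continue
        authorized.add(key)
        age_days = (today - entry.last_reviewed).days
        if age_days > INVENTORY_REVIEW_DAYS:
            findings["inventory_review_overdue"].append(key)
        if age_days > SUPPORT_REVIEW_DAYS:
            findings["support_review_overdue"].append(key)
    # 2.3: anything discovered that is not an authorized inventory entry gets flagged.
    for sw in discovered:
        if (sw.title, sw.version) not in authorized:
            findings["unauthorized"].append((sw.host, sw.title, sw.version))
    return findings


# Constructed sample data; the names are only stand-ins for real inventory rows.
SAMPLE_INVENTORY = [
    InventoryEntry("7-Zip", "Igor Pavlov", "23.01", date(2024, 1, 15), "archive tool",
                   supported=True, last_reviewed=date(2024, 5, 20)),
    InventoryEntry("LegacyReportTool", "Example Vendor", "4.2", date(2019, 3, 1),
                   "finance reporting", supported=False, exception_id="EXC-0042",
                   last_reviewed=date(2024, 5, 25)),
    InventoryEntry("Adobe Flash Player", "Adobe", "32.0", date(2018, 6, 1), "legacy web content",
                   supported=False),
    InventoryEntry("Notepad++", "Don Ho", "8.5", date(2023, 9, 1), "text editor",
                   supported=True, last_reviewed=date(2023, 10, 1)),
]
SAMPLE_DISCOVERED = [
    DiscoveredSoftware("host01", "7-Zip", "23.01"),
    DiscoveredSoftware("host01", "Notepad++", "8.5"),
    DiscoveredSoftware("host02", "Adobe Flash Player", "32.0"),
    DiscoveredSoftware("host02", "PuTTY", "0.80"),
    DiscoveredSoftware("host03", "LegacyReportTool", "4.2"),
]

if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERED, date(2024, 6, 1)).items():
        print(category, items)
```

With the sample data, the Flash entry is designated unauthorized because it is unsupported with no exception, so its presence on host02 is reported alongside the PuTTY install that is missing from the inventory entirely; the LegacyReportTool install is accepted because its exception is documented, and Notepad++ is flagged only because its review dates have lapsed.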
2.4) Utilize Automated Software Inventory Tools
Description: Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
Notes: The security function associated with this safeguard is Detect. Manually cataloging assets and software inventory can be a tedious task. It is time-consuming and can be riddled with user error. Selecting an automated solution is a must. Tripwire offers an automated tool, Tripwire IP360, which can scan environments for new software and help populate your inventory databases.
2.5) Allowlist Authorized Software
Description: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually or more frequently.
Notes: The security function associated with this safeguard is Protect. As in version 7, this is one of the most important safeguards to implement. Having the ability to allowlist software will help prevent unauthorized software from being installed on your organization’s assets. It is important to note the distinction here between a blocklist and an allowlist.
Blocklists prevent specific undesirable programs from executing, while allowlisting permits execution only of software that has been explicitly approved to run.
Allowlists can be defined on a range of attributes, including file name, path, size, or a known cryptographic hash or signature. Enabling an allowlist of software will establish the baseline for your scanning and give you better insight for locating and isolating unauthorized software.
2.6) Allowlist Authorized Libraries
Description: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually or more frequently.
Notes: The security function associated with this safeguard is Protect. Like safeguard 2.5, this safeguard applies the same allowlisting concept to software libraries. While some tools, like AppLocker, are freely available, capability limits may push enterprises toward paid commercial software.
2.7) Allowlist Authorized Scripts
Description: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually or more frequently.
Notes: The security function associated with this safeguard is Protect. Script interpreters are often needed for standard software installations and administrative tasks, but they can also present a large security gap that an attacker can take advantage of. Creating an allowlist of authorized scripts restricts what an attacker can do on a compromised system. System admins have the added ability to define which users are able to run these scripts.
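Safeguards 2.5, 2.6 and 2.7 share one mechanism: a default-deny allowlist whose entries match on attributes such as path, size or cryptographic hash, applied to executables, libraries and scripts respectively. The Python program below is an added example of that evaluator; it is not code from the original post, from AppLocker, or from any Tripwire product, and the file contents, directory layout and policy rules are constructed for the demonstration. It goes slightly beyond the text by showing the weakness of a path-only rule: a file replaced at an approved path still passes a path rule but fails a hash-pinned one.

```python
"""Attribute-based allowlist evaluator for CIS safeguards 2.5 (software), 2.6 (libraries), 2.7 (scripts)."""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    """One allowlist entry; every attribute that is set must match, anything unmatched is denied."""
    kind: str                        # "executable", "library" or "script"
    path: Optional[str] = None       # exact file path
    directory: Optional[str] = None  # file must live somewhere under this directory
    size: Optional[int] = None       # exact size in bytes
    sha256: Optional[str] = None     # hex digest of the approved file contents


LIBRARY_EXT = {".dll", ".ocx", ".so"}
SCRIPT_EXT = {".ps1", ".py", ".sh"}


def classify(path: Path) -> str:
    """Map a file to the safeguard that governs it: 2.5 executables, 2.6 libraries, 2.7 scripts."""
    ext = path.suffix.lower()
    if ext in LIBRARY_EXT:
        return "library"
    if ext in SCRIPT_EXT:
        return "script"
    return "executable"


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_allowed(path: Path, rules) -> bool:
    """Default deny: True only if some rule of the right kind matches on all of its set attributes."""
    kind = classify(path)
    size = path.stat().st_size
    digest = None  # hashed lazily, only when a rule actually needs it
    for rule in rules:
        if rule.kind != kind:
            continue
        if rule.path is not None and str(path) != rule.path:
            continue
        if rule.directory is not None and Path(rule.directory) not in path.parents:
            continue
        if rule.size is not None and rule.size != size:
            continue
        if rule.sha256 is not None:
            if digest is None:
                digest = sha256_of(path)
            if digest != rule.sha256.lower():
                continue
        return True
    return False


# Constructed stand-ins for an approved binary and an approved script.
APPROVED_EXE = b"MZ\x90\x00 constructed sample executable"
DEPLOY_PS1 = b"Write-Host 'constructed deployment script'\n"


def run_demo() -> dict:
    """Build a throwaway tree of constructed files, evaluate each against the policy, return decisions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bin", "lib", "scripts"):
            (root / sub).mkdir()
        rules = [  # hash-pinned executable, directory-pinned libraries, hash-pinned script under scripts/
            AllowRule("executable", path=str(root / "bin" / "approved.exe"),
                      size=len(APPROVED_EXE), sha256=hashlib.sha256(APPROVED_EXE).hexdigest()),
            AllowRule("library", directory=str(root / "lib")),
            AllowRule("script", directory=str(root / "scripts"),
                      sha256=hashlib.sha256(DEPLOY_PS1).hexdigest()),
        ]
        files = {
            "bin/approved.exe": APPROVED_EXE,
            "bin/rogue.exe": b"MZ constructed unapproved build",
            "lib/vendor.dll": b"constructed library in the managed directory",
            "bin/sideload.dll": b"constructed library outside the managed directory",
            "scripts/deploy.ps1": DEPLOY_PS1,
            "scripts/edited.ps1": DEPLOY_PS1 + b"Write-Host 'modified after approval'\n",
            "dropped.py": b"print('constructed script outside scripts/')\n",
        }
        decisions = {}
        for rel, content in files.items():
            target = root / rel
            target.write_bytes(content)
            decisions[rel] = is_allowed(target, rules)
        # Same approved path, but the contents were replaced after approval: size and hash pins catch it.
        (root / "bin" / "approved.exe").write_bytes(APPROVED_EXE + b" replaced")
        decisions["bin/approved.exe (replaced)"] = is_allowed(root / "bin" / "approved.exe", rules)
        return decisions


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print("ALLOW" if allowed else "DENY ", name)
```

The directory-only library rule illustrates the trade-off the text describes: it is easy to maintain but would accept any library dropped into the managed directory, whereas the hash-pinned rules need updating on every approved version but reject both unknown files and modified copies at an approved path.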
Read more about the 18 CIS Controls here:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
- CIS Control 5: Account Management
- CIS Control 6: Access Control Management
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 9: Email and Web Browser Protections
- CIS Control 10: Malware Defenses
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- CIS Control 14: Security Awareness and Skill Training
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
Get Foundational Security with the CIS Controls Monitoring
Use CIS Controls to establish solid protection against the most common attacks and use Tripwire to provide coverage for the controls.