CIS CSC #2 – Inventory and Control of Software Assets

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

This control includes ten (10) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are three (3) IG1 controls and five (5) IG2 controls. This means that, at a minimum, we want to:

  • Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
  • Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
  • Ensure that unauthorized software is either removed or the inventory is updated in a timely manner

Great! We’ve got a solid process in place to identify all the physical assets on our network – now we need to understand what is running on each of those devices. The the most basic level, we want to have a list of each software install on each device. This inventory needs to also include the version information, so that we can monitor for, and apply, patches and upgrades. Finally we need to implement a process to remove any unauthorized software once it is detected.

There are several ways to pull this information, but running the following command will pull the following attributes by default (including many others):

  • Name
  • Caption
  • Vendor
  • Version
# Create a quick CSV file that lists out installed software

Get-CimInstance -ClassName Win32_Product | Export-Csv \Path\to\folder\

If you’re comfortable working with objects within PowerShell, you’ll likely want to perform the comparisons directly in the console. If that is not your cup of tea, working with a CSV makes sorting and comparing in a tool like Excel much easier.

Related News Stories

Relevant Tools

CommercialOpen-Source & “Freemium”
VMware Carbon Black App ControlMS AppLocker
Ivanti Endpoint SecuritySpiceworks
MS System CenterWMIC
NEWT Professional (Komodo)PowerShell – Get-WMIObject / Get-CIMInstance
Tripewire EnterpriseLynis
LANSweeper

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #2 page here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s