2.2: Ensure Software is Supported by Vendor
Sub-control 2.2 states that you must ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Applications | Identify | 1, 2, 3 |
Dependencies
- Sub-control 2.1: Maintain Inventory of Authorized Software
Inputs
- Authorized Software List: An authorized software list with a notation of “supported” or “unsupported” for each entry (sub-control 2.1). This can be pulled from sub-control 2.1, I1; however, each piece of software must then be marked as “supported” or “unsupported”.
- Authoritative Source of Information: Access to an authoritative source of information indicating supported/unsupported details per product.

There are many active and passive scanning options for the identification of applications and, in particular, of unsupported applications. For example, selected Plugin Families along with a Vulnerability Text of “unsupported” can be used to identify detected unsupported applications and operating systems.

There are also hundreds of plugins available that provide detailed information on unsupported applications. For example, plugin 33850 Unix Operating System Unsupported Version Detection returns the following plugin output when triggered:

Common Platform Enumeration (CPE) strings can also be used, and are a common method for the identification of specific applications. For example, if Apache Tomcat is an authorized application, you can use the CPE string to retrieve information for that specific application. As shown below, Apache Tomcat is displayed in the fourth row of CPE strings.

Nessus displays installed software during authenticated scans if the following plugins are enabled:
- For Linux: Nessus Plugin ID 22869 Software Enumeration (SSH)
- For Windows: Nessus Plugin ID 20811 Microsoft Windows Installed Software Enumeration (credentialed check)
- For MacOS: Nessus Plugin ID 83991 List Installed Mac OS X Software
Operations
For each entry in I1, perform a lookup in I2 to verify:
- Using the organization's list of known approved software (I1), compare it against the list of software found to exist within the organization (I2) using active and passive detection and the methods outlined above, for each of the following operations.

For each entry in I1 labeled “supported”, perform a lookup in I2.
- From these lookups, note the list of authorized software labeled “supported” but that is actually not supported based on the authoritative source lookup.

For each entry in I1 labeled “unsupported”, perform a lookup in I2.
- From these lookups, note the list of authorized software labeled “unsupported” but that is actually supported based on the authoritative source lookup.
Measures
Measure | Definition |
---|---|
M1 = List of items in the authorized software list that are unsupported | A combination of Operation 1 and those initially marked as unsupported in I1, resulting in a complete list of unsupported applications. |
M2 = Count of items in M1 | A count of the total number of items in M1. |
M3 = List of authorized software | A full list of the applications the organization is authorized to have. |
M4 = Count of items in M3 | A count of the total number of items in M3. |
M5 = List of items in the authorized software list that are mislabeled as supported | A list of applications that the organization believes to be supported, but are actually found to be unsupported. |
M6 = Count of items in M5 | A count of the total number of items in M5. |
M7 = List of items in the authorized software list that are mislabeled as unsupported | A list of applications that the organization believes to be unsupported, but are actually found to be supported. |
M8 = Count of items in M7 | A count of the total number of items in M7. |
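The operations and measures above, carried out over constructed sample inputs, as an added example that is not part of the original guide: I1 is the tagged authorized software list and I2 the authoritative support status, and the block derives M1 through M8 from them. Entries with no record in I2 are reported separately as "unknown", which is an addition to the page's measures; the inventory names and support values are made up for illustration.

```python
# Constructed sample data; no real inventory or vendor lifecycle source is queried.
# I1: the organization's authorized software list, each entry tagged as it is
# currently recorded in the inventory system (sub-control 2.1).
AUTHORIZED_SOFTWARE = {
    "Apache Tomcat 9.0": "supported",
    "Windows Server 2008": "supported",    # recorded as supported, but vendor support ended
    "CentOS 6": "unsupported",
    "OpenSSL 3.0": "unsupported",          # recorded as unsupported, but still receives updates
    "PostgreSQL 15": "supported",
    "Zabbix 6": "supported",               # no record in the authoritative source
}

# I2: the authoritative source of support status, e.g. vendor lifecycle data or
# scanner "unsupported version" findings. True means still supported by the vendor.
VENDOR_STATUS = {
    "Apache Tomcat 9.0": True,
    "Windows Server 2008": False,
    "CentOS 6": False,
    "OpenSSL 3.0": True,
    "PostgreSQL 15": True,
}


def compute_measures(i1, i2):
    """Return measures M1..M8 following the operations and definitions above.

    Entries missing from I2 cannot be verified either way, so they are reported
    under "unknown" (an addition to the page's measures) instead of being
    silently treated as supported.
    """
    unknown = sorted(name for name in i1 if name not in i2)
    # Labeled "supported" in I1 but the authoritative lookup says unsupported.
    m5 = sorted(n for n, tag in i1.items()
                if tag == "supported" and n in i2 and not i2[n])
    # Labeled "unsupported" in I1 but the authoritative lookup says supported.
    m7 = sorted(n for n, tag in i1.items()
                if tag == "unsupported" and n in i2 and i2[n])
    # M1 is defined as the mislabeled-supported set plus everything initially
    # marked unsupported in I1, taken literally (so M7 entries stay in M1 until
    # the inventory tag is corrected).
    initially_unsupported = {n for n, tag in i1.items() if tag == "unsupported"}
    m1 = sorted(set(m5) | initially_unsupported)
    m3 = sorted(i1)
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3),
            "M5": m5, "M6": len(m5), "M7": m7, "M8": len(m7),
            "unknown": unknown}


if __name__ == "__main__":
    for key, value in compute_measures(AUTHORIZED_SOFTWARE, VENDOR_STATUS).items():
        print(f"{key}: {value}")
```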
Metrics
Percentage of Unsupported Software in Use
Metric | Calculation |
---|---|
The percentage of authorized software in use that is unsupported. | (M4 - M2) / M4 |
Rate of False Positives
Metric | Calculation |
---|---|
The percentage of software listed as supported that is actually unsupported. | (M4 - M5) / M4 |
Percentage of Unsupported Software in Use
Metric | Calculation |
---|---|
The percentage of software listed as unsupported that is actually supported. | (M4 - M8) / M4 |