2.6: Address Unapproved Software
Sub-control 2.6 states that you must ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Applications | Respond | 1, 2, 3 |
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
- Sub-control 2.1: Maintain Inventory of Authorized Software
Inputs
- Authorized Software List: The previous list of authorized software (sub-control 2.1, I1).
- Definition of "Resolved" (I2): An organizationally defined allowable time frame for the resolution of discovered unauthorized software. The CIS recommends this occur at least monthly.
- Software-Capable Endpoints (I3): The list of endpoints to be checked (sub-control 1.4). This should include all of the organization's devices.
- Authorized Software List (I4): The updated authorized software list, following the time frame defined in I2.
- "Scanning Threshold" (I5): The time period between scan 1 and scan 2.
Assumptions
- For I4, the authorized software list may have been updated after a manual review of unauthorized software based on user requests, etc.
- For I5, the scanning threshold time period is greater than the resolution time frame defined in I2.
Operations
1. For each endpoint in I3, scan the installed software present on that endpoint.
   - Perform an active credentialed scan against each device on the network. When conducting credentialed scans, two plugins enumerate the software installed on the host:
     - For Linux: Nessus Plugin ID 22869 Software Enumeration (SSH)
     - For Windows: Nessus Plugin ID 20811 Microsoft Windows Installed Software Enumeration (credentialed check)
2. Compare the installed software list for each endpoint (M1) to the authorized software list (I1) to generate the unauthorized software list for that endpoint (M2). This list is the software found on any host that the organization does not have a license to use, or whose installation is prohibited by policy. For example, the application and protocol analyzer Wireshark may be free to use, but organization policy may not authorize its installation.
3. Wait the defined "scanning threshold" period (I5) and re-scan the endpoints specified by I3.
4. For each piece of software listed in M2, determine whether the scan from Operation 3 still shows that software as present.
5. For those that are still present, check I4 to determine whether the software now appears on the updated authorized software list. Software that remains installed on the machine but does not appear on the updated authorized software list is added to the unaddressed software list for that endpoint (M3).
Measures
Measure | Definition |
---|---|
M1 = Installed software on a given endpoint | A list of all installed software/applications. This is derived from the scan defined in Operation 1. |
M2 = Unauthorized software installed on a given endpoint | A list of unauthorized software/applications. This is derived from comparing M1 to I1. |
M3 = Unaddressed software installed on a given endpoint, identified by follow-up scan | A list of any unauthorized software/applications still present on the endpoint after a follow-up scan (Operation 3) at a specified interval. |
M4 = Count of items in M2 | A count of the total number of items in M2. |
M5 = Count of items in M3 | A count of the total number of items in M3. |
Metrics
Unauthorized Software (Per Endpoint)
Metric | Calculation |
---|---|
Ensure unauthorized software installations are addressed. | (M4 - M5) / M4 |
Unauthorized Software (Organizational)
The organizational metric is calculated by averaging the results of the Per Endpoint metric above.
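The following is an added worked example, not part of the CIS companion guide, that carries Operations 1 to 5 and both metrics through on constructed scan data for three endpoints. The authorized lists, host names and installed software are made up; the treatment of an endpoint with no unauthorized software (M4 = 0) as scoring 1.0 is an assumption the guide does not state.

```python
# Added example (not CIS's own code): computes M2..M5 and the sub-control 2.6
# metric from two scans of several endpoints. All data below is constructed.
from statistics import mean

# I1: authorized software list at the time of the first scan (constructed)
AUTHORIZED_I1 = {"7-Zip", "Google Chrome", "Microsoft Office", "OpenSSH"}
# I4: updated authorized list after review of user requests (constructed)
AUTHORIZED_I4 = AUTHORIZED_I1 | {"Wireshark"}

# M1 per endpoint, as a software-enumeration plugin would report it (constructed)
SCAN_1 = {
    "ws-001": {"7-Zip", "Google Chrome", "Wireshark", "uTorrent"},
    "ws-002": {"Microsoft Office", "OpenSSH", "TeamViewer"},
    "ws-003": {"7-Zip", "Google Chrome"},
}
# Follow-up scan after the scanning threshold (I5) has elapsed (constructed).
# Every endpoint in I3 must appear in both scans.
SCAN_2 = {
    "ws-001": {"7-Zip", "Google Chrome", "Wireshark"},       # uTorrent removed
    "ws-002": {"Microsoft Office", "OpenSSH", "TeamViewer"},  # still present
    "ws-003": {"7-Zip", "Google Chrome"},
}

def endpoint_measures(installed, authorized_i1, rescanned, authorized_i4):
    """Return (M2, M3) for one endpoint.
    M2: software in M1 that is not on the original authorized list (I1).
    M3: items of M2 still present at the follow-up scan (Operation 3) and
    still absent from the updated authorized list (I4)."""
    m2 = installed - authorized_i1
    m3 = {s for s in m2 if s in rescanned and s not in authorized_i4}
    return m2, m3

def endpoint_metric(m2, m3):
    """Per-endpoint metric (M4 - M5) / M4. Assumption not in the guide: an
    endpoint with nothing unauthorized (M4 == 0) has nothing to address -> 1.0."""
    m4, m5 = len(m2), len(m3)
    return 1.0 if m4 == 0 else (m4 - m5) / m4

def organizational_metric(scan_1, scan_2, authorized_i1, authorized_i4):
    """Per-endpoint scores plus their average (the organizational metric)."""
    scores = {}
    for host, installed in scan_1.items():
        m2, m3 = endpoint_measures(installed, authorized_i1,
                                   scan_2[host], authorized_i4)
        scores[host] = endpoint_metric(m2, m3)
    return scores, mean(scores.values())

if __name__ == "__main__":
    per_host, org = organizational_metric(SCAN_1, SCAN_2, AUTHORIZED_I1, AUTHORIZED_I4)
    for host, score in per_host.items():
        print(f"{host}: {score:.2f}")
    print(f"organizational: {org:.2f}")
```

Note that Wireshark on ws-001 drops out of M3 because I4 now authorizes it, while TeamViewer on ws-002 stays in M3 and drives that endpoint's score to 0.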