Critical Control 2: Inventory of Software
- Tuesday, February 2, 2010, 14:10
- Threat Research
Critical Control 2: Inventory of Authorized and Unauthorized Software
While we are starting to see some research on hardware-level attacks (e.g. BIOS-level viruses have been proven to be a viable concept), most exploitation of systems revolves around finding vulnerabilities in the software. Any time a piece of software is installed, from a patch to an entirely new application, there is always the possibility that it creates a point of entry for the attacker. Therefore it is critical to carefully inventory all software running on a computer system and validate its integrity; any time there is a change, it must go through the change control board and be properly tested.
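One way to put the inventory, integrity validation and change detection described above into practice is to hash every installed file and compare the result with the baseline that change control approved. This is an added example, not code from the original post; the file names, contents and directory layout are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(baseline: dict, current: dict) -> dict:
    """Compare the current inventory against the authorized baseline."""
    return {
        "unauthorized": sorted(set(current) - set(baseline)),   # never approved
        "missing": sorted(set(baseline) - set(current)),        # approved but gone
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),       # integrity failure
    }


def demo() -> dict:
    """Constructed scenario: approve a baseline, then make three unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin/app").write_bytes(b"app v1.0")
        (root / "bin/helper").write_bytes(b"helper v1.0")
        (root / "bin/updater").write_bytes(b"updater v1.0")
        baseline = build_inventory(root)          # snapshot signed off by change control

        (root / "bin/app").write_bytes(b"app v1.0 + untested patch")     # changed in place
        (root / "bin/updater").unlink()                                  # removed
        (root / "bin/newtool").write_bytes(b"installed without review")  # added
        return audit(baseline, build_inventory(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline itself has to be stored where the audited host cannot rewrite it, otherwise an unapproved change can simply update the record it is checked against.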
This is a control for which you can easily get the CIO’s buy-in and support. One of the main priorities of a CIO is system availability and uptime of the core processes that support the business. Any time changes are made to the software that could impact the ability of the system to function, the CIO becomes very concerned. Computer systems are so critical to an enterprise that they should be thought of like airplanes. The airline industry is passionate about proactive maintenance and predictable failure of components. We need to treat our critical systems the same way. The only way to be able to control and manage failures is by carefully knowing and controlling the software that