In Here Comes InTREx, we discussed the “triangle” of asset management, patch management, and vulnerability management and how these processes are interdependent. A strong asset management program is critical to ensuring that all of your assets (hardware, software, applications, etc.) are identified, managed, and properly patched and scanned. While financial institutions have strengthened their programs to account for hardware components and the Internet of Things (IoT), improvements in software management best practices have been slower to develop. Building an effective software management program is crucial to ensuring that only authorized software is in use in your production environment and that software is replaced or updated before its end of life (EOL).
Here are 3 steps you can follow to build an effective software management program to protect your institution from the risks of outdated and unauthorized software:
#1 Develop a Complete and Accurate Software Inventory
Your first step to building a software management program is to develop a complete and accurate inventory of your institution’s software. You can do this by using an automated solution that scans network assets for installed software, or through a manual process. In developing your inventory, you should track information including, but not limited to:
- Software Name
- Software Vendor Name
- Version Information
- Number of Instances (i.e. how many assets have the software installed)
- Software Owner/Administrator
Additionally, you should track the IP addresses or computer names of the assets that have the software installed. Once a baseline inventory is developed, implement a process to ensure your inventory is reviewed and updated as software changes are made, so that outdated software can be identified. At a minimum, the inventory should be reviewed for appropriateness on an annual basis.
#2 Track End of Life and Licenses in Use
The next step in developing your program is to determine if the software in use is current and not violating any licensing agreements. For some software (e.g. Microsoft Office, Adobe Reader, etc.), your institution may have purchased a defined number of software licenses. To ensure you’re maintaining compliance with licensing agreements, perform regular self-audits to compare the number of licenses used against the number of licenses purchased. If the number of licenses in use exceeds the number purchased, work with your software vendors to purchase additional licenses. In addition to maintaining compliance with licensing agreements, these self-audits will provide your management with more clarity on the costs of licensing, which can improve the accuracy of budgeting for software expenses.
Another important step is to assess the software versions in use and identify their EOL dates. At the EOL date, a vendor may stop supporting their software. This means security patches may no longer be issued and the vendor may not be obligated to assist with troubleshooting. By tracking EOL dates in the software inventory, you can regularly generate and review reports to assess which software is approaching its EOL. Doing this will allow you to proactively take corrective action by either migrating to a supported replacement product or upgrading your current software to a supported version. Software that cannot be replaced prior to its EOL date should be presented to an appropriate risk committee for review and risk acceptance. In your presentation, consider detailing the business use of the software, why the software cannot be replaced prior to the EOL, the risks associated with continuing to use the software, the controls in place to mitigate its continued use, and your plan of action.
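As an added example that is not part of the original article, the Python below models an inventory row with the fields listed in step 1 plus the EOL date and purchased licence count from step 2, and produces the two reports step 2 calls for: software already past or approaching its EOL, and software whose installed instances exceed purchased licences. All product names, hosts, dates and licence counts are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class SoftwareRecord:
    """One inventory row with the fields the article lists (plus EOL and licences)."""
    name: str
    vendor: str
    version: str
    owner: str                              # software owner/administrator
    hosts: List[str]                        # IPs or computer names where it is installed
    eol: Optional[date] = None              # vendor end-of-life date, None if unannounced
    licenses_purchased: Optional[int] = None  # None when there is no per-seat licence

    @property
    def instances(self) -> int:
        return len(self.hosts)

# Constructed sample inventory: hypothetical products, hosts and dates.
INVENTORY = [
    SoftwareRecord("ExampleOffice", "ExampleCorp", "2016", "desktop-team",
                   ["WS-001", "WS-002", "WS-003", "10.0.5.17"],
                   eol=date(2025, 10, 14), licenses_purchased=3),
    SoftwareRecord("ExampleReader", "ExampleCorp", "11.0", "desktop-team",
                   ["WS-001", "WS-002"], eol=date(2024, 1, 31)),
    SoftwareRecord("CoreBankingClient", "ExampleVendor", "4.2", "ops-team",
                   ["WS-003"], eol=date(2027, 6, 30), licenses_purchased=5),
    SoftwareRecord("InternalTool", "in-house", "1.0", "dev-team", ["WS-004"]),
]
REPORT_DATE = date(2025, 6, 1)  # fixed "as of" date so the output is reproducible

def eol_report(inventory, as_of, window_days=180) -> List[Tuple[str, str, date, int]]:
    """Software already past EOL or reaching it within window_days, soonest first.
    The last field is days until EOL; it is negative once the date has passed."""
    rows = [(r.name, r.version, r.eol, (r.eol - as_of).days)
            for r in inventory if r.eol is not None]
    return sorted((row for row in rows if row[3] <= window_days), key=lambda r: r[3])

def license_audit(inventory) -> Dict[str, int]:
    """Software with more installed instances than purchased licences -> shortfall."""
    return {r.name: r.instances - r.licenses_purchased for r in inventory
            if r.licenses_purchased is not None and r.instances > r.licenses_purchased}

if __name__ == "__main__":
    for name, version, eol, days in eol_report(INVENTORY, REPORT_DATE):
        status = "PAST EOL" if days < 0 else f"{days} days left"
        print(f"{name} {version}: EOL {eol} ({status})")
    for name, short in license_audit(INVENTORY).items():
        print(f"{name}: {short} additional license(s) needed")
```

Run periodically against the live inventory export; rows with negative days are candidates for the risk committee review described above.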
#3 Restrict Unauthorized Software
The final and most important step is to ensure your institution has implemented adequate controls to prevent the introduction of unauthorized software. Most institutions have achieved this by removing local administrator rights from end user workstations and requiring users to submit a request to install new software. This allows IT personnel to assess the risks, costs, and controls of the software so they can prevent a weakness from being introduced to the environment. Additionally, a new type of technology to consider in the fight against unauthorized software is application whitelisting.
Application whitelisting solutions allow institutions to dictate an inventory of allowed software and applications that can be present and active on their network assets. If someone attempts to download or run software that is not whitelisted, the whitelisting solution will block it. Application whitelisting offers additional benefits over the removal of local administrator rights, as the solution can essentially act as an additional antivirus by blocking the execution of malicious code and zero-day threats that do not require local administrator rights. These solutions provide an additional defensive layer against sources of unauthorized software such as phishing, employees clicking malicious webpage links, and the connection of unauthorized mobile devices to network assets. While application whitelisting offers many benefits, there are currently only a few solution options in this space and their costs can be prohibitive. Institutions should monitor the development of this technology and periodically assess whether they should further pursue such a solution as the risk environment changes.
Once all of these items are in place, it is critical that your institution fully documents its software management program and regularly monitors the effectiveness of the program to ensure your implemented controls are properly mitigating outdated software threats and unauthorized software risks.