As we continue our NIST series, I am going to take a moment and discuss inventory and control of software assets in the IDENTIFY / RESPOND category.
There are a number of practical ways to better control our software inventory.
If you are a Google Apps/Chromebook district, leveraging the Google Apps Admin console is a good way to keep tight controls on Chrome Extensions and other apps. Google has been on a mission to rid their platform of malicious or deceiving apps. You should do the same. Your users shouldn't be able to install anything you haven't approved.
In the Windows world it has always been more of the wild west. To maintain control we need to start with the basics:
- Only give users limited (standard, non-administrator) accounts
- Block Add/Remove Programs
- Implement our old school "blacklists" and "whitelists" via Group Policy to keep your users doing what you want them to do.
- Implement software hashes and application certificates via Microsoft AppLocker to further lock down software to only what you want.
- Implement a third-party application patching tool to patch your major applications to your vendor's recommended levels.
- Set up Compliance Management reports in Microsoft Endpoint Configuration Manager (aka SCCM).
- Deploy approved applications with an approved self-service tool found in many of the client endpoint management systems.
- Deploy Software Metering in Microsoft Endpoint Configuration Manager.
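The AppLocker step above is the one districts most often stall on, so here is an added PowerShell example (not from the original post) showing how the publisher-and-hash approach is built in practice: it collects signing and hash information for every approved binary in a staging folder, generates publisher rules where the file is signed and hash rules where it is not, writes the policy to XML for review, and then tests an arbitrary file against that policy before anything is enforced. The paths `C:\ApprovedApps` and `C:\Policies\AppLocker-Approved.xml` are placeholders, and the script assumes it runs elevated on a Windows edition that ships the AppLocker module.

```powershell
# Added example: build an AppLocker allow-list from a folder of approved binaries
# and test a file against it. Paths are placeholders; adjust to your environment.
#Requires -RunAsAdministrator
Import-Module AppLocker

$approvedDir = 'C:\ApprovedApps'                   # placeholder: approved installers/executables
$policyPath  = 'C:\Policies\AppLocker-Approved.xml' # placeholder: where the reviewed policy is stored

# 1. Gather publisher (certificate) and hash data for executables, scripts and MSI packages.
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe, Script, Msi

# 2. Prefer publisher rules (survive version updates); fall back to hash rules for unsigned files.
#    -Optimize collapses rules that share a publisher so the policy stays readable.
#    The generated rule collections are left in NotConfigured (audit) mode; enforcement is
#    switched on deliberately in Group Policy after the audit events have been reviewed.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Hash `
                                 -User Everyone `
                                 -Optimize `
                                 -Xml

# 3. Persist the policy so it can be reviewed, version-controlled and imported into a GPO.
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 4. Dry-run: ask AppLocker what it would decide for a file a user downloaded.
#    PolicyDecision is Allowed, Denied or DeniedByDefault (not covered by any allow rule).
$candidate = 'C:\Users\student\Downloads\unknown-setup.exe'  # placeholder test file
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}

# 5. AppLocker only evaluates rules while the Application Identity service is running,
#    so make sure it starts automatically on every managed endpoint.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Run the audit-mode policy for a few weeks and review the AppLocker event log (Event IDs 8003/8006 record what would have been blocked) before flipping the rule collections to Enforce; that is where the "only what you want" promise in the list above is actually earned.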
Ensuring software is supported goes beyond patch levels. It is a very precarious place to be when you are running End of Support/End of Life products in a production environment.
Most notable examples are:
- VMware ESX hosts
- Microsoft Windows OS
We have seen time and time again districts neglect keeping current on foundational items "because it just works". Then something bad happens and the vendor won't assist in the recovery or charges exorbitant rates.
On a more practical note, I will close by reminding you that Adobe Flash becomes an End of Life product on December 31, 2020. There is a wholesale effort to automatically purge/block Flash from devices by web browsers and Microsoft upon its discontinuance. If you don't know the effect of not having Flash on your endpoints yet, you need to immediately test your applications and see what happens.
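Finding out which endpoints still carry an End of Life product, Flash included, starts with an inventory you can actually query. The following PowerShell is an added example (not part of the original post) that reads installed software from the Windows Uninstall registry keys, matches it against an End of Life watch list and reports how far past support each hit is. The watch list is constructed for illustration and contains only the Flash Player date from the post; the function names `Get-InstalledSoftware` and `Find-EolSoftware` are this example's own.

```powershell
# Added example: inventory installed software and flag End of Life products.
# The watch list is constructed; extend it with your own vendors' support dates.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Constructed watch list: a DisplayName substring mapped to the vendor's End of Life date.
$eolWatchList = @{
    'Adobe Flash Player' = [datetime]'2020-12-31'
}

function Get-InstalledSoftware {
    # Every per-machine and per-user product that registered an uninstall entry.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Find-EolSoftware {
    param([datetime]$AsOf = (Get-Date))   # evaluation date, overridable for reporting
    foreach ($app in Get-InstalledSoftware) {
        foreach ($pattern in $eolWatchList.Keys) {
            if ($app.DisplayName -match [regex]::Escape($pattern)) {
                $eol = $eolWatchList[$pattern]
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    DisplayName  = $app.DisplayName
                    Version      = $app.DisplayVersion
                    Publisher    = $app.Publisher
                    EndOfLife    = $eol.ToString('yyyy-MM-dd')
                    DaysPastEol  = [int]($AsOf - $eol).TotalDays   # negative = still supported
                }
            }
        }
    }
}

# Report to the console, and write a CSV that can feed a compliance dashboard.
$findings = Find-EolSoftware | Sort-Object DaysPastEol -Descending
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:TEMP\eol-software-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Pushed out through your endpoint management tool and collected centrally, the CSV gives you the list of machines to test first when Flash (or the next End of Life product) is purged by the browser vendors.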
If you need help implementing any of these recommendations, please let us know.