9 hours 54 minutes
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our lab and again we were just running a skin with end Matt. More specifically, the gooey version, which is called Zen map.
In this video, we're gonna take a look at control number two, which is inventory and control of software assets.
Now, one thing to keep in mind is, if you don't remember the groups from our very first controls, if you don't remember groups one through three and what those are,
then you want to make sure you pause this video, go back to their that video and just get a quick refresher in lesson 2.1.
So in this video, we're gonna talk about CIA's control number two as well as a sub controls associated with that. And then in the next video, we'll talk about how that maps to CSF.
So we're talking about inventory in control of software assets. So when we think of that, we're thinking of vulnerabilities in the software, right? So things like the O. A s top 10 list and other vulnerabilities
as well as Attackers using like zero days, right?
So the goal whole goal here is to help protect our software a little better. But if we don't know what that saw for is if we don't actually know what's running, then how can we protect it? Right,
So that's where some control.
Uh, excuse me. That's where control Number two comes in.
So let's talk through the various sub controls associated with control number two. So some control 2.1 is talking about maintaining an inventory of authorized software, Right? So just make sure making sure that we have an up to date list of all the suffer that's authorized by us to run on our enterprise systems
as well as we want to understand. What's the purpose of this software, right? Why is it running and why do we actually need it? Because there might be software that we don't actually need for our company, that we could take off our network
Some control 2.2, ensuring the software supported by vendors, right.
So as an example, I worked for a health care company and one of the clinical systems they had one of the software systems they had was extremely old. In fact, I think it was from 19.
I want to say it was 1998 or something like that. They were still using it, unfortunately, and the reason for that is because the vendor that provided it went out of business. So there wasn't any maintenance for the software. There wasn't it weren't any patches or anything, no updates. And it actually wouldn't work appropriately when the company tried to migrate to the cloud. So that delayed
their cloud migration by a year until they found a different solution. So
again, just making sure that the software is supported by the vendor and and understanding what happens if that vendor goes out of business. Or they pass on the torch, so to speak. Or are you just on your own?
Some control? 2.3. Talking about utilizing software inventory tools Because realistically, we can't physically go around to every single machine on our network and see what's running on it, right? So, using the power of tools to automate that process
some control. 2.4
Tracking software inventory information So
it should be talking, tracking information about software. So things like the name, the version who publish it and what day was it installed etcetera.
So control 2.5 software inventory. I sees me the integrate software harbor acid inventory. So basically, the the
software should be tied to the hardware acid inventory. So that way, all the devices and all associated software with those are tracked from a single location. So you don't wanna have to go look at this system over here to find out what software you have on then this system over here to look at the hardware assets, Just have it in one centralized location,
address unapproved software. So some control 2.6. So really, just making sure that if we find something that's not approved for use that we were either remove it
and then update the inventory to reflect that. Hey, we've removed that unauthorized software
utilizing application White listing sub control 2.7. So just making sure that Onley authorized software is executing on our systems, and then any unauthorised software is blocked.
Implement application, White listing of library. So here we're talking about the organization's application white listing that ensures only authorized software library. So things like dll OSI x dot eso, etcetera etcetera are allowed to load in the system processes
implement application of white listing of script So again, we're talking about allowing only authorized digitally signed scripts to run on our systems.
And then finally, some control 2.10 so physically or logically, logically segregating our high risk applications.
So just using that isolation running sandboxes, etcetera, Uh,
and making sure that if it's a system or application that's got higher risk for the organization, we want to segment that out. So it's more difficult for an attacker to get access to.
So in this video, what has talked about CIA's control? Number two.
In the next video, we're gonna talk about how that maps up to the cybersecurity framework.