The increased prevalence of cyber-security breaches underscores just how vulnerable enterprises are to malware and hackers. The risks associated with these incidents are now widely known, and CEOs are looking closely at the measures their IT and security teams are taking to fend off potentially catastrophic intrusions. But are they doing enough?
Today, many organisations are building security fortresses that incorporate people, processes and technology to defend against cybersecurity threats. While these fortresses are extremely sophisticated at remaining one-step ahead of threats – it may come as a surprise that they are actually being built on ‘quicksand’. What follows are some key considerations IT Managers and the C-Level should make around getting the security foundation right from the outset.
The Security Foundation: Know the Hardware & Software on Your Network
In 2008, the SANS Institute led a consortium of US and international agencies and security experts to create a prioritised list of security controls that would have the greatest impact in improving organisation’s risk posture against real-world threats. The first of the prioritised Critical Security Controls identified by SANS focuses on the organisation’s ability to actively manage hardware devices on the network so that only authorised devices are given access. This control is critical because attackers are continuously scanning and waiting for unprotected systems to be attached to the network. They’re also looking for devices that come and go off the network that can become out of sync with patches or security updates.
The second control focuses on the inventory of authorised and unauthorised software. Organisations must actively manage all software on the network so that only authorised software is installed. This is critical because, according to SANS, attackers continuously scan and target organisations looking for vulnerable versions of software that can be remotely exploited. Once a single machine has been exploited, attackers can use it as a staging point for collecting sensitive and information from others connected to it.
SANS explains that organisations that don’t have complete software inventories cannot easily find systems running vulnerable or malicious software to mitigate problems or defend against attackers. Therefore, an organisation’s ability to effectively inventory their IT assets to identify authorised versus unauthorised hardware and software serves as the very foundation for the other cybersecurity defenses. This was also the conclusion of a recent BSA/IDC report: Unlicensed Software and Cybersecurity Threats which outlined that the more unlicensed software running on an organisation’s network, the greater the malware risk.
The problem: Most Organisations Can’t Inventory Their Software
The ease with which unlicensed or unauthorised software can find its way onto company systems is staggering. The reality is, most organisations don’t have adequate software inventory capabilities in place – threatening the foundation upon which they are building their cybersecurity defences.
According to a Flexera Software2013-14 Key Trends in Software Pricing & Licensing Report, only 36% of the report’s survey respondents said that they use automated commercial software to manage their software estates. 25% of respondents said they were managing software licenses using manual methods, such as spreadsheets, while 9% are using home grown systems. 18% are using tracking tools provided by their vendors, and 7% are simply not tracking their software licenses at all. There are many reasons why inventorying IT assets is such a complex and difficult task. For instance, with respect to desktop applications, different data sources on a device can be used to identify software applications. These data sources can include:
- Software Packaging data: On Windows devices, packaging data provides a very accurate list of software applications installed on the computer. In some instances, additional data may be required to clearly identify the software applications, such as finding the edition installed.
- File data: On the Windows platform, the file header provides information that can also be used to identify an application.
- Registry information on Windows devices: For instance, the Operating System description, version and edition can be found in the Windows registry.
- ISO tag files: The International Standardisation Organisation is the best and most accurate way to identify a local software product on a device. It is supposed to provide the name, version and edition of the software product installed, as sold by the publisher.
While several tools exist and are capable of performing inventory tracking; the key issue is maintaining the accuracy of the inventory. New hardware machines are installed and old ones retired every single day, software products are installed, upgraded or removed on a regular basis. For virtual environments, the difficulty lies in identifying all endpoint devices using the virtual machine and metering usage on applications running in the virtual desktop. In a hybrid environment like this, desktop inventory cannot rely solely on traditional configuration management or dedicated inventory tools. What’s needed is a combination of inventory tools and adapters to virtualisation and cloud technology frameworks to gather data and merge it in a single IT asset management repository for consumption by a Software License Optimisation tool.
While most organisations have multiple sources of software and hardware inventory data, they usually do not have a means to consolidate that data from across all their systems into what authorised versus unauthorised systems are running on the corporate network. It is this lack of management-level insight that renders the very foundation of their cybersecurity fortress vulnerable.
The Solution: Optimising the Software License Estate
The good news however, is that appropriate tools are readily available to do this. Software License Optimisation solutions are already being deployed globally by organisations to help them ensure continual compliance with their software license agreements. These solutions are also being deployed to help ensure optimisation of software spend by helping organisations buy only what they need and use what they have.
Some of these Software License Optimisation solutions can also help organisations comply with their SANS Critical Security Controls for software and hardware inventory. The best strategy is to understand what data sources are available within the organisation and use them first. Then, deploy and use the additional features of the Software License Optimisation tool to arrive at an accurate and updated picture of your inventory.