Cybersecurity Risk Assessment Common Findings: Software Inventory and Controls

April 13, 2022 Mike Smith

What are the most common findings in a formal cybersecurity risk assessment, in regards to software inventory and controls?

In the video below, Mike Smith explains that the simplest and most common finding in this area of your company’s security is the lack of a software inventory. He explains the implications and gives you some easy steps to address it.

Want Mike’s recommendations on the best companies to quote for a formal cybersecurity risk assessment, for your organization? Click the button below and ask him today.

https://youtu.be/iKvJ5ZK18tY

About Mike


Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is looking into possibly getting a cybersecurity risk assessment, but I know you. You’re probably like me, and before you get the assessment, you’re probably thinking, “Okay, what things around the house can I clean up a little bit to make sure I don’t look bad?”

Kind of like if you go to take your car to the car wash, you make sure you kind of clean out some of the junk that’s sitting in the cup holder first and things like that, so they can get down deeper and clean it deeper, right? You don’t want to just leave a bunch of stuff everywhere in the car, then take it to the car wash. And they have to move all that stuff around, and they don’t really get to do a deep clean because all your stuff’s kind of sitting there anyway. So it’s kind of the same or similar concept as that.

Before you get a cybersecurity risk assessment, you really want to make sure that you do the easy stuff. You want to get all your stuff in order. So I wanted to do a quick video series. You might have seen some of my other ones, but wanted to do a series on common findings of a cybersecurity risk assessment so that you can watch this before you get your formal assessment and just kind of clean house a little bit.

Why CIS?

So today’s video is going to be on CIS control number two. So as we go through this, I’m using the CIS framework as a structure to go through a cybersecurity risk assessment. And today, it’s control number two, which is inventory and control of software assets. I’m using the CIS framework because it’s just easier. It’s 18 controls as opposed to the NIST framework, which is over a hundred. And I don’t want to make a video series with over a hundred different videos, so I’m just using a real simple framework that I like a whole lot, which is the CIS framework.

So today’s video, control number two of the CIS framework, which is asset inventory and control of your software assets, okay? So common findings there.

Shortcut

But before I get too far into the video, just a quick little advertisement … Don’t forget to like and subscribe to the channel. And also, if you want my recommendations for the best cybersecurity risk assessment companies to quote for your organization based on your organization’s requirements, don’t just google it. Actually contact me via email or by phone (714.593.0011). That’s my job. I’m a broker for all these different companies. More information on that at the end of the video.

Common Findings

Alrighty. So what are the most common findings inside of control number two of the CIS framework, which is inventory and control of software assets? Well, kind of like control number one, this is another really obvious one. When outside firms come in to do a cybersecurity risk assessment and they’re following the CIS framework, the most common finding of control number two is that companies simply don’t have an adequate inventory of their software assets.

That’s just really easy. They don’t have an inventory. They don’t have a system of taking an inventory a lot of times, or maybe the system they have is an Excel spreadsheet. And it’s totally outdated. It’s not anything that you can actually rely upon. So that’s an easy one.

You can’t protect what you don’t know about.

And what that creates in terms of problems for companies is, number one, obviously, if some of your software is not identifiable, you can’t protect what you don’t know that you have. I mean, that’s easy. That’s what I said in the last video on the control number one.

Expired Software

Then on top of that, if you have software where the licensing has expired and you haven’t upgraded the license or things like that, or you have users who are using pirated versions of software, things like that, it could be a licensing issue that your company is facing. So you definitely don’t want to get your company into financial trouble with licensing issues out there on software. Another thing, obviously, is shadow IT. So are users downloading different software applications that you’re not aware of, which could leave your entire company at risk of a cyber attack? So big deal there.

Outdated Software

And then last but not least, if you’re not aware of what software versions you’re running out there … Maybe there’s some older versions of software that are actually allowed on the network but are out of date, have not had the latest patches for whatever reason, and it’s just out of date, which is vulnerable, obviously, to cyber attacks. That’s one of the easiest things that threat actors do out there when they’re looking for low-hanging fruit: they look for out-of-date software and easy hacks on out-of-date software, so easy ways to break into old software that just hasn’t had the latest security patches on it. So a lot of problems can stem from the fact that you’re just not taking good inventory of the software.


Allowlisting

Okay, so what do you do about it? Well, the easiest thing you could do right away is take advantage of the allowlisting features out there with anti-malware software or with endpoint security solutions, things like that. That’s just an easy way to kind of start getting your arms around it. Just make sure you’re taking advantage of the allowlisting features that you already have.

Software Tools

And then to take it a step further, use the software inventory tools that are out there. Take advantage of some of those tools. Look into them. Maybe purchase some software inventory tools that detect all the software in the network at all times and the versions that they have when they’re installed. You can put in what purpose they’re for, all that type of stuff.

In Summary

So use some tools out there. Don’t just use an Excel spreadsheet because it’s not going to be good enough, and it’s really hard to keep those things updated at all times. Especially, you don’t know things like shadow IT, things like that you just can’t see. So man-made tools in terms of just manual checks, things like that, just aren’t quite good enough, so definitely something that you can do right away. Take advantage of allowlisting, and then if you want to take it a step further, get some software that will allow you to take better software inventory.

Want some recommendations?

All right, so I hope that was helpful. Again, if you want my recommendations on the best cybersecurity risk assessment companies that you should be quoting for your organization for a formal risk assessment, don’t google it. Don’t try searching on the internet. You’re going to be searching for a long time, and you’ll probably find the wrong companies. There’s hundreds of them out there, and based on your company’s requirements, there’s a small handful that you should be quoting. I’m aware of those companies. I’m a broker for all these different service providers out there. I’ve been doing this for a lot of years. I have a lot of access to the right contacts within these companies, and I can oversee the quoting process, oversee the demo and conversation process.

So reach out. Ask me. Email or call me (714.593.0011). I’ll ask you a few questions about your organization, and within a few minutes, I can get you to the right people. And the nice thing is that if you find something that you like, those service providers pay me my broker fees, so you don’t have to pay me at all. So there’s no excuse not to at least reach out and see what I have to say.

And if you like the video, don’t forget to hit the Like button down below and subscribe to the channel, so we can get rid of the advertisements. So reach out and contact me. Happy to help. Hope you like the video. Catch you on the next one.
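The video’s two recommendations (use the allowlisting you already have, and replace the spreadsheet with tooling that knows every package and version on every host) come together in one routine: reconcile what the endpoints actually report against the list of what is approved. The example below is added here to show that reconciliation; it is not code from the video, from Mike, or from AeroCom. The inventory export lines, the host names, the package names and versions, and the allowlist with its minimum versions are all constructed for illustration. It classifies each installed package as approved, outdated (approved but below the minimum version, the “old software that hasn’t had the latest patches” case) or unapproved (not on the allowlist, the shadow IT and pirated-software case), and it handles the realistic wrinkle of a host that has two versions of the same package installed.

```python
"""Added example: reconcile an endpoint software inventory against an allowlist.

Constructed data throughout; the export format (host<TAB>package<TAB>version,
one line per installed package) is an assumption standing in for whatever an
inventory agent or endpoint tool actually emits.
"""
import re
from collections import defaultdict

# Constructed sample export from an inventory agent. Not real hosts or data.
INVENTORY_EXPORT = """\
ws-101\tchromium\t114.0.5735.90
ws-101\tlibreoffice\t7.5.4
ws-101\tanydesk\t7.1.8
ws-102\tchromium\t109.0.5414.74
ws-102\tlibreoffice\t7.5.4
ws-102\tutorrent\t3.6.0
srv-db-01\tpostgresql\t14.8
srv-db-01\tpostgresql\t9.6.24
"""

# Constructed allowlist: approved package -> minimum acceptable version.
# Anything not listed here is treated as unapproved (shadow IT candidate).
ALLOWLIST = {
    "chromium": "114.0.0.0",
    "libreoffice": "7.5.0",
    "postgresql": "14.0",
}


def parse_version(text):
    """Turn '14.8', '7.5.0' or '1.0.1a' into a tuple that compares sensibly.

    Numeric components compare as integers, alphabetic suffixes as strings,
    and trailing '.0' components are dropped so '7.5.0' equals '7.5'.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", text)
    key = [(0, int(p)) if p.isdigit() else (1, p) for p in parts]
    while key and key[-1] == (0, 0):
        key.pop()
    return tuple(key)


def parse_export(export_text):
    """Yield (host, package, version) from the constructed TSV export."""
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, package, version = line.split("\t")
        yield host, package.lower(), version


def reconcile(export_text, allowlist):
    """Classify every installed package as approved, outdated or unapproved."""
    findings = {"approved": [], "outdated": [], "unapproved": []}
    min_versions = {pkg: parse_version(v) for pkg, v in allowlist.items()}
    for host, package, version in parse_export(export_text):
        record = (host, package, version)
        if package not in min_versions:
            findings["unapproved"].append(record)
        elif parse_version(version) < min_versions[package]:
            findings["outdated"].append(record)
        else:
            findings["approved"].append(record)
    for bucket in findings.values():
        bucket.sort()
    return findings


def hosts_needing_attention(findings):
    """Group outdated and unapproved findings per host for a remediation list."""
    by_host = defaultdict(list)
    for category in ("outdated", "unapproved"):
        for host, package, version in findings[category]:
            by_host[host].append((category, package, version))
    return dict(by_host)


if __name__ == "__main__":
    result = reconcile(INVENTORY_EXPORT, ALLOWLIST)
    for category in ("unapproved", "outdated", "approved"):
        print(f"{category}: {len(result[category])}")
        for host, package, version in result[category]:
            print(f"  {host:<10} {package:<12} {version}")
    print("hosts needing attention:", sorted(hosts_needing_attention(result)))
```

Two design points: the allowlist stores a minimum version rather than an exact one, so an ordinary patch bump does not generate a false “unapproved” finding, and the comparison is done per installed record rather than per package, so a host that still has an old PostgreSQL next to a current one is flagged instead of hidden by the newer copy.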
