CISSP Software Asset Management – Bk1D2T3St2

Software Asset Management
Software asset management (SAM) is a key part of continuous monitoring. The approach described here is intended to support the automation of security functions such as risk-based decision-making, collection of software inventory data, and inventory-based network access control. From a security perspective, SAM includes vulnerability scanning and application patching for operating systems, third-party applications, and firmware. Too many firms fail to scan their environments, act on vulnerabilities, and keep security patches current, and they suffer the consequences. News headlines illustrate the failure to remediate known software vulnerabilities appropriately: take note of the WannaCry virus in May 2017 that exposed flaws in the Windows operating system (OS), or the attack on Apache Struts in the summer of 2017 that took advantage of unpatched third-party software. A sufficient SAM program consists of the following:

  • Inventory of applications
  • Current list of known vulnerabilities
  • Prioritization of each vulnerability by risk level
  • Each application patch level
  • Actions to patch or apply alternative or compensating controls

The correct approach to SAM can reduce serious disruptive and damaging events such as ransomware, denial of service, or unauthorized access to systems via credential harvesting. Enterprise patch management is a key part of keeping software assets up to date and secure. The process relies on having a current and complete inventory of the patchable software (applications and operating systems) installed on each host. Without this information, the correct patches cannot be identified, acquired, and installed. This inventory information is also necessary for identifying older versions of installed software so that they can be brought up to date.

Software Licensing
An inventory of software licenses should reside within the asset management system. The inventory can be managed by manual methods like spreadsheets or through automated systems, such as inventory tracking systems. The terms and rights to use software are outlined in a license, a legally binding agreement. All software must be legally licensed before it may be installed. If unlicensed software is in use and is discovered during an audit, there can be legal repercussions. Most likely, unlicensed software use will cause unanticipated increases in software costs. The library of software licenses should be protected with technical access controls as well as with complementary physical controls, like a safe. Periodic scans should be run to find and remediate unauthorized and unlicensed software. The security implications of software licensing center on the unknowns of software running illegally on the network: without proper licensing, manufacturers are likely not providing upgrades and updates, which increases the chances of the system being compromised. Using NIST SP 800-53 (Rev 4), security professionals should ensure that the required software and associated documentation are in accordance with contract agreements and copyright laws. The controls call for tracking software use to prevent unauthorized copying and distribution.

Note The use of peer-to-peer file sharing technology should be monitored to ensure that the technology is not used to enable unauthorized distribution, display, performance, or reproduction of software to avoid licensing requirements.


Licensing Models
There are several prominent types of licensing models. Each has benefits that are best leveraged in specific operational situations; in other words, the organization should select a licensing model based on how the software is going to be used. Software vendors may offer variations on the major licensing models, and the result is many types and permutations of licensing models, too numerous to be addressed in this chapter. Keep in mind that the principal function of software licensing is to permit an end user to use the software in a prescribed manner without violating copyright laws. Every new copy of a piece of software that is installed has its own unique license code, regardless of whether it has previously been installed. Various types of licensing models exist, including the following:

  • The most commonly used type of license is the end-user license agreement (EULA). This type of license is used for all of the paid-for software and is a legal contract between a software application author or publisher and the user of that application.
  • A site license is a method to obtain multiple end-user licenses at one cost. The same piece of software is available to a negotiated number of users (or seats, as the number is sometimes called). The cost of a site license may seem prohibitive, but the advantages of accommodating multiple users, sometimes unlimited users, can be cost-effective over the longer term. Site licenses can help organizations avoid software usage penalties and expensive increases when usage is reviewed by the vendor.
  • A subscription software license is a multiple-user or organizational-level license option that generally includes software maintenance, product upgrades, and access to technical and developer support for a negotiated period of time. A benefit of this model is that it reduces the chances of illegitimate copies or unauthorized users in an organization having access. It is more expensive than a per-license option. But if the cost of adjusting licenses at periodic reviews (called the true-up process) or fines levied for copyright infringement are considered, subscription licensing is a favorable alternative for purchasers. A security implication for subscriptions is that software currency is enterprise-wide. Legacy software platforms that require particular patching (if patches are developed) or maintenance attention cost time and effort that could be reallocated.
  • A perpetual license is like a subscription in that one fee is paid and a negotiated number of users can use the software. There will likely be a term of service that includes upgrades, updates, support, and maintenance from the developer or a representative. Unlike subscription software licenses, however, perpetual licenses are valid forever, not for a prescribed period of time, although vendor support will still be limited to a period of time. The other caveat is that a perpetual license usually stipulates a specific version of the software. The terms and conditions for maintenance and upgrades may extend the versioning, but the perpetual license will apply to a certain version of the software. Updates may be provided, but not in perpetuity and not for free.
  • A consumptive license is a negotiated arrangement for an up-front payment for a specified period of time, too. The difference is that the arrangement also includes a pay-as-you-go cost for each use. The volume of use is reviewed periodically. Payment for use could be provided prior to the review, but typically the cost is settled upon review. This version is the most flexible, but it requires the most management from the organization or purchaser, as periodic review must coincide with budget planning and oversight activities. With the advent of cloud computing, access to software as a service (SaaS) has become a method for organizations to gain the use of applications. There can be one user or multiple users at a time, but the owner of the software provides no access to source code. Application development is limited to presentation layer customization. SaaS, it must be noted, is not a type of software licensing. It is an example of a technology service that should be managed by other service-level agreements. The software access is provided as part of a hosting agreement. That hosting agreement addresses access and authorized use of the software.

Note Open-source software is not necessarily free of licensing considerations. Often, security practitioners can examine the source code, while application and system developers are allowed to study, change, and improve the software. However, open-source software does have constraints on how users can use the derivatives of the software.
Tip Freeware is a special type of licensing category that requires no purchase, but the source code and copyrights are retained by the developer.

Software Library
Central to the software library is the approved product list (APL) that the organization maintains. This list contains all the software that is tested and approved for use by authorized individuals. The inventory helps security professionals assess the vulnerability management of the assets as well as assist procurement staff with licensing requirements. According to the Center for Internet Security (CIS) Basic Set of Critical Controls, security professionals must have an inventory of and control of software assets. The significance of the software library in a security context is that the organization without one does not have control of or access to code updates of software developed internally. This can lead to increased risk of compromise. In this sense the software library is a repository of data and programming code that is used to develop software programs and applications. Within the library are prewritten code, classes, procedures, scripts, configuration data, and more. The software library can be connected to a program to achieve more functionality or to automate a process without writing additional code.

Monitoring and Reporting
From a security perspective, an asset management process must include processes for endpoint and network node monitoring and reporting. Many organizations use automated scanning tools integrated into their reporting environment to ensure that the endpoints and nodes meet the security baselines and patch levels. These tools can often be configured or used in conjunction with dedicated tools to evaluate the software licensing on the endpoints and nodes. The results of the scans can then be compared to the organization’s definitive APL and approved pre-coded apps. A guide for implementing a software monitoring and reporting process is NIST SP 800-40r3. This guidance covers identifying which software and versions of software are installed on each host.
There are several measurements that security professionals can use to conduct reporting and monitoring:

  • How often are hosts checked for missing updates?
  • How often are asset inventories for host applications updated?
  • What percentage of software in the environment is not on the APL?
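The SAM program components listed earlier (application inventory, known vulnerabilities, risk prioritization, patch level, patch-or-compensate actions) and the monitoring metrics just listed can be reconciled in a single report. The following Python script is an added example, not code from the original article or from NIST or CIS; every host name, product, version and vulnerability id in it is a constructed placeholder (the ids are deliberately not real CVE numbers), and the risk ordering and 30-day staleness threshold are assumptions chosen for illustration.

```python
"""Added SAM reconciliation example: compares a host software inventory against
an approved product list (APL) and a known-vulnerability list, prioritizes
findings by risk, and computes the monitoring metrics from the article.
All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

# Order in which the patch queue should be worked (assumed ranking).
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Installed:
    product: str
    version: tuple          # e.g. (2, 3, 1); tuples compare component-wise


@dataclass
class Host:
    name: str
    last_checked: date      # last time the host was scanned for missing updates
    software: list          # list of Installed


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str            # constructed placeholder id, not a real CVE
    product: str
    fixed_in: tuple         # first version that contains the fix
    risk: str


# Approved product list: product -> currently approved patch level (constructed).
APL = {"WebServer": (2, 4, 0), "OfficeSuite": (16, 0, 0), "PDFReader": (11, 2, 0)}

# Current list of known vulnerabilities (constructed sample data).
KNOWN_VULNS = [
    KnownVuln("EXAMPLE-0001", "WebServer", (2, 4, 0), "critical"),
    KnownVuln("EXAMPLE-0002", "PDFReader", (11, 1, 0), "high"),
    KnownVuln("EXAMPLE-0003", "OfficeSuite", (16, 0, 0), "medium"),
    KnownVuln("EXAMPLE-0004", "ChatTool", (1, 1, 0), "high"),
]

TODAY = date(2017, 9, 1)    # fixed reference date so the report is deterministic


def sample_hosts(today):
    """Constructed host inventory, dated relative to `today`."""
    return [
        Host("ws-01", today - timedelta(days=2),
             [Installed("WebServer", (2, 3, 1)), Installed("OfficeSuite", (16, 0, 0))]),
        Host("ws-02", today - timedelta(days=45),
             [Installed("PDFReader", (11, 0, 5)), Installed("ChatTool", (1, 0, 0))]),
        Host("ws-03", today - timedelta(days=1),
             [Installed("PDFReader", (11, 2, 0))]),
    ]


def fmt(version):
    return ".".join(str(part) for part in version)


def pct_not_on_apl(hosts):
    """Metric: percentage of installed software that is not on the APL."""
    installs = [sw for h in hosts for sw in h.software]
    if not installs:
        return 0.0
    unapproved = [sw for sw in installs if sw.product not in APL]
    return round(100.0 * len(unapproved) / len(installs), 1)


def stale_hosts(hosts, today, max_age_days=30):
    """Metric: hosts not checked for missing updates within max_age_days."""
    return [h.name for h in hosts if (today - h.last_checked).days > max_age_days]


def find_vulnerable(hosts, vulns):
    """Match each install against the known-vulnerability list by product and version."""
    return [(host.name, sw, v)
            for host in hosts for sw in host.software for v in vulns
            if v.product == sw.product and sw.version < v.fixed_in]


def prioritized_actions(hosts, vulns):
    """Sort findings by risk level; patch to the approved level, or remove /
    compensate when the product is not on the APL (no approved level to move to)."""
    findings = sorted(find_vulnerable(hosts, vulns),
                      key=lambda f: (RISK_ORDER[f[2].risk], f[0], f[1].product))
    actions = []
    for host_name, sw, v in findings:
        if sw.product in APL:
            action = f"patch to {fmt(max(APL[sw.product], v.fixed_in))}"
        else:
            action = "remove or apply compensating control (not on APL)"
        actions.append((v.risk, host_name, sw.product, fmt(sw.version), action))
    return actions


def sam_report(hosts, vulns, today, max_age_days=30):
    return {
        "installs_total": sum(len(h.software) for h in hosts),
        "pct_not_on_apl": pct_not_on_apl(hosts),
        "stale_hosts": stale_hosts(hosts, today, max_age_days),
        "actions": prioritized_actions(hosts, vulns),
    }


if __name__ == "__main__":
    for key, value in sam_report(sample_hosts(TODAY), KNOWN_VULNS, TODAY).items():
        print(key, value)
```

The version comparison relies on tuples so that 11.0.5 sorts below 11.1.0 without string tricks; a real deployment would feed `sample_hosts` from the scanner or NAC export and the vulnerability list from a feed, keeping the same reconciliation logic. Note that the unapproved ChatTool install is reported twice: once in the APL-coverage metric and once as a risk finding whose only possible action is removal or a compensating control, which is exactly the case the article's fifth program item describes.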

Note Network access control (NAC) is a security asset control process that brings together antivirus, host intrusion prevention, and vulnerability scanning on endpoints and combines them with machine-level authentication to the network to enforce access and authorization controls. In the context of asset security, effective NAC controls can be implemented to ensure that software on endpoints is up to date for patching and that licensing concerns are satisfied both pre-admission (before access to the network is granted) and post-admission (via a scan of all connected devices).
