Eric Haupt

Sunday Musings: Sympatheia, CIS Control #2

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


Quote I’m Musing

“Now, what does the title 'citizen' mean? In this role, a person never acts in his own interest or thinks of himself alone, but, like a hand or foot that had sense and realized its place in the natural order, all its actions and desires aim at nothing except contributing to the common good.”

-Epictetus

We work to become better leaders, better teammates, better friends and family. As Seneca observed, there’s a name for a self-indulgent person who pays no attention to their impact on others - Tyrant.

I’m not convinced our success means anything if it is at the expense of others. Life is a team sport. We’re all in it together. And (so far) every tyrant, great leader, and humble beggar has reached the same ending. Nourish a strong sense of community and connection, our sympatheia (mutual interdependence).


Reflection on Control #1

Last week we talked about asset inventory. Reviewing it really brought home the need to go beyond rote memorization and technical application of the controls. Inculcating business sense into security, and security practice into business, really makes the difference.


CIS Critical Security Control #2

Inventory and Control of Software Assets

  1. Know what is running on your endpoints (and what shouldn’t be).

In the world of cybersecurity, the CIS (Center for Internet Security) Critical Security Controls provide a framework for securing digital environments. In this article, we delve into Critical Security Control #2, which acts as the bedrock for a robust security posture.

Before we start, you can pull your own copy of all the controls from the Center for Internet Security’s Critical Security Controls.

What is it?

Version 8 consolidates the 10 sub-controls that version 7 had for this control into seven safeguards.

In Control 1, we cataloged all the endpoints that are supposed to be on our infrastructure and eliminated those that shouldn’t be. Now we’re doing the same for software on those endpoints.

Our second asset-management control focuses on managing software assets within the organization. Maintaining an accurate inventory and exercising control over what may run lets us minimize vulnerabilities and unauthorized code execution. This control encompasses seven key safeguards:

2.1 Establish and Maintain a Software Inventory

This safeguard entails creating and maintaining a catalog of all authorized software; knowing what is approved makes unauthorized installations visible and reduces the potential attack surface.

Implementation Note: The catalog can be as simple as a CSV file or as full as an asset management database; what matters is that each entry records at least the title, publisher, install date and business purpose, and whether the software is currently supported. I’d recommend beginning with an inventory assessment to identify all software in use across the organization, authorized and unauthorized alike. The key is identifying and cataloging everything on our network, then reviewing the inventory at least twice a year. Automation is the way to go here, supported by safeguard 2.4.

2.2 Ensure Authorized Software is Currently Supported

Try to only authorize currently supported software. Vendor-provided security patches and updates are what mitigate the risk from unpatched vulnerabilities, so review support status regularly.

Implementation Note: Make sure we have a plan in place for required software that is no longer supported by the vendor: assess the risk, implement further controls, and plan to migrate off the software as soon as possible. Key here is identifying which necessary software on our network is supported and which is not, documenting each exception with its mitigating controls and the residual risk someone has accepted, and treating unsupported software with no exception as unauthorized.

2.3 Address Unauthorized Software

Determine what we are going to do about unauthorized software. Remove it from enterprise assets or document exceptions with appropriate controls. Addressing unauthorized software reduces our exposure to potential security breaches and compliance violations.

Implementation Note: Comparing our inventory (2.1) against what is actually installed, regularly (monthly at least), lets us quickly remove or quarantine any anomalous software. The key here is responding from a proactive posture rather than flat-footed and reactive.
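As an added example (my own illustration, not part of the original post or any CIS tooling), here is a small Python reconciliation of a discovered inventory against an authorized catalog that covers 2.1 through 2.3 in one pass: anything not in the catalog is flagged unauthorized unless a documented exception exists, and anything in the catalog whose vendor support has ended is flagged for risk assessment and migration. The hosts, product names, versions, support-end dates and the SEC-1234 exception ticket are all constructed sample data.

```python
"""Reconcile discovered software against an authorized catalog.

Added illustration for CIS Control 2 safeguards 2.1-2.3; not from the
original post. All hosts, products, versions, dates and the exception
ticket below are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed export from an automated inventory tool (what safeguard 2.4
# would produce): one row per installed product per host.
DISCOVERED_CSV = """host,name,version,publisher
ws-001,Google Chrome,123.0.6312.86,Google LLC
ws-001,7-Zip,23.01,Igor Pavlov
ws-001,AnyDesk,8.0.9,AnyDesk Software GmbH
ws-002,Google Chrome,123.0.6312.86,Google LLC
ws-002,Java 8 Update 202,8.0.2020.8,Oracle Corporation
srv-db1,PostgreSQL,11.22,PostgreSQL Global Development Group
srv-db1,PostgreSQL,15.6,PostgreSQL Global Development Group
"""

# Constructed authorized catalog (2.1). "major" restricts the entry to one
# major version (None = any); "support_end" is the vendor's end of support
# (None = still supported). Dates are illustrative, not vendor data.
AUTHORIZED = [
    {"name": "Google Chrome", "major": None, "support_end": None},
    {"name": "7-Zip", "major": None, "support_end": None},
    {"name": "PostgreSQL", "major": "15", "support_end": None},
    {"name": "PostgreSQL", "major": "11", "support_end": date(2023, 12, 31)},
]

# Documented exceptions (2.3): (host, product) -> justification and
# compensating controls. The ticket ID is made up.
EXCEPTIONS = {
    ("ws-002", "Java 8 Update 202"):
        "SEC-1234: legacy payroll client; host network-isolated, removal due Q3",
}

# Date the report is run against (constructed).
REPORT_DATE = date(2024, 6, 1)


def parse_inventory(csv_text):
    """Read the tool export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_catalog_entry(item, authorized):
    """Return the catalog entry covering this product/major version, or None."""
    major = item["version"].split(".")[0]
    for entry in authorized:
        if entry["name"] != item["name"]:
            continue
        if entry["major"] is None or entry["major"] == major:
            return entry
    return None


def reconcile(inventory, authorized, exceptions, today):
    """Classify every discovered item as authorized, unsupported,
    exception or unauthorized, with the action the safeguard calls for."""
    findings = []
    for item in inventory:
        key = (item["host"], item["name"])
        entry = find_catalog_entry(item, authorized)
        if entry is None:
            if key in exceptions:
                status, note = "exception", exceptions[key]
            else:
                status, note = "unauthorized", (
                    "not in catalog and no documented exception: "
                    "remove or quarantine")
        elif entry["support_end"] is not None and entry["support_end"] <= today:
            status, note = "unsupported", (
                f"vendor support ended {entry['support_end'].isoformat()}: "
                "assess risk, add compensating controls, plan migration")
        else:
            status, note = "authorized", "in catalog and supported"
        findings.append({"host": item["host"], "name": item["name"],
                         "version": item["version"], "status": status,
                         "note": note})
    return findings


def summarize(findings):
    """Group (host, name, version) tuples by status for reporting."""
    summary = {}
    for f in findings:
        summary.setdefault(f["status"], []).append(
            (f["host"], f["name"], f["version"]))
    return summary


if __name__ == "__main__":
    report = reconcile(parse_inventory(DISCOVERED_CSV), AUTHORIZED,
                       EXCEPTIONS, REPORT_DATE)
    for f in report:
        if f["status"] != "authorized":
            print(f"{f['status']:<12} {f['host']:<8} {f['name']} "
                  f"{f['version']}: {f['note']}")
```

Run against the constructed data it reports AnyDesk on ws-001 as unauthorized, the Java install on ws-002 as a documented exception, and PostgreSQL 11 on srv-db1 as unsupported while PostgreSQL 15 on the same host passes; the same structure works unchanged if the CSV comes from a real inventory agent and the catalog from a CMDB export.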

2.4 Utilize Automated Software Inventory Tools

Use software inventory tools to automate the discovery and documentation of installed software, enabling efficient tracking and management of software assets across the organization.

Implementation Note: Manually cataloging and updating is tedious and time-consuming, which means plenty of opportunity for user error. Find an automation tool that meets your needs and budget and that can scan and populate your inventory database. The key function here is detecting assets in a way that postures us for a proactive, agile response.

2.5 Allowlist Authorized Software

Create technical controls like application allowlisting to ensure that only authorized software can execute or be accessed. This control reduces the risk of unauthorized software compromising the organization's systems.

Implementation Note: It is important to know the difference between a blocklist and an allowlist. A blocklist prevents specific known-bad programs from executing and lets everything else run; an allowlist blocks everything by default and only permits what has been explicitly approved, so it also stops software nobody has seen before. Prefer publisher- or hash-based rules; a path rule that allows a directory users can write to lets them allow anything they drop there. This is one of the most important safeguards to implement. It focuses on protecting assets and gives better insight for locating and isolating unauthorized software.

2.6 Allowlist Authorized Libraries

Implement technical controls to allow only authorized library files (.dll, .ocx, .so, etc.) to load into system processes while blocking unauthorized ones. By restricting libraries, organizations reduce the risk of malicious code execution.

Implementation Note: This is the same concept as 2.5 applied to libraries, and it closes a gap 2.5 alone leaves open: an attacker who cannot launch an unapproved executable can still try to get an unapproved DLL loaded into an approved process (DLL sideloading). It focuses on protecting assets and gives better insight for locating and isolating unauthorized software.

2.7 Allowlist Authorized Scripts

Employ technical controls, such as digital signatures and version control, to allow only authorized scripts to execute, mitigating the risk of unauthorized or malicious script execution.

Implementation Note: We’re likely going to need script interpreters for software installations and routine admin tasks. Accepting that and implementing controls to restrict what a malign actor can do on a compromised system closes much of the security gap: limit which interpreters may run at all, sign approved scripts so a modified copy fails verification, and define which users are allowed to run them.
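As an added example of how 2.5 through 2.7 fit together (my own illustration, not from the original post or any particular allowlisting product), the following Python evaluates executables, libraries and scripts against a default-deny allowlist with three rule types: hash, verified publisher, and path. It shows why a path rule is only safe on an admin-controlled tree, and why a hash-pinned script is refused the moment a line is added to it. The publisher name "Example Software Inc.", the paths and the file bytes are constructed; signature verification is assumed to have already happened and is represented by the `publisher` field on each artifact.

```python
"""Default-deny allowlist evaluation for executables, libraries and scripts.

Added illustration for CIS Control 2 safeguards 2.5-2.7; not from the
original post or any allowlisting product. Paths, publisher name and file
bytes are constructed. Signature verification is assumed to have already
happened: `publisher` holds the verified signer, or None if unsigned or
the signature failed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Artifact:
    kind: str                        # "exe", "library" or "script"
    path: str                        # where it is being executed/loaded from
    content: bytes                   # file bytes (constructed samples below)
    publisher: Optional[str] = None  # verified signer, None = unsigned/invalid


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed approved deployment script, pinned by hash (2.7).
APPROVED_SCRIPT = b"# deploy.ps1 (constructed)\nCopy-Item .\\app.exe 'C:\\Program Files\\App\\'\n"

# Directory trees a standard user can write to. A path rule on one of these
# would let users allow their own code, so such rules are never honored.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "/home/", "/tmp/")

# Constructed allowlist. Rule order does not matter: any match allows,
# nothing matching denies.
ALLOWLIST = [
    {"kind": "exe", "type": "publisher", "value": "Example Software Inc."},
    {"kind": "exe", "type": "hash", "value": sha256_hex(b"constructed 7-Zip build")},
    {"kind": "library", "type": "path", "value": "C:\\Windows\\System32\\"},
    {"kind": "script", "type": "hash", "value": sha256_hex(APPROVED_SCRIPT)},
]


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def lint_rules(rules):
    """Return path rules that would allow anything under a user-writable
    tree; these are misconfigurations to fix, not rules to apply."""
    return [r for r in rules if r["type"] == "path" and is_user_writable(r["value"])]


def evaluate(artifact: Artifact, rules):
    """Return ("allow", reason) or ("deny", reason). Unmatched means deny."""
    digest = sha256_hex(artifact.content)
    for rule in rules:
        if rule["kind"] != artifact.kind:
            continue
        if rule["type"] == "hash" and rule["value"] == digest:
            return "allow", f"hash rule {digest[:12]}"
        if rule["type"] == "publisher" and artifact.publisher == rule["value"]:
            return "allow", f"publisher rule {rule['value']!r}"
        if rule["type"] == "path" and artifact.path.lower().startswith(rule["value"].lower()):
            if is_user_writable(rule["value"]):
                continue  # unsafe rule; fall through to default deny
            return "allow", f"path rule {rule['value']!r}"
    return "deny", f"no {artifact.kind} rule matches {artifact.path!r} (default deny)"


# Constructed load/execute requests an agent might see on one workstation.
SAMPLES = [
    Artifact("exe", "C:\\Program Files\\App\\app.exe", b"constructed app bytes",
             publisher="Example Software Inc."),
    Artifact("exe", "C:\\Users\\alice\\Downloads\\invoice.exe", b"constructed dropper"),
    Artifact("library", "C:\\Windows\\System32\\version.dll", b"constructed dll"),
    Artifact("library", "C:\\Users\\alice\\Downloads\\version.dll", b"constructed sideload dll"),
    Artifact("script", "C:\\Scripts\\deploy.ps1", APPROVED_SCRIPT),
    Artifact("script", "C:\\Scripts\\deploy.ps1", APPROVED_SCRIPT + b"# one added line\n"),
]


def decisions(samples=SAMPLES, rules=ALLOWLIST):
    """Allow/deny decision for each sample, in order."""
    return [evaluate(a, rules)[0] for a in samples]


if __name__ == "__main__":
    assert not lint_rules(ALLOWLIST), "unsafe path rule in allowlist"
    for a in SAMPLES:
        decision, reason = evaluate(a, ALLOWLIST)
        print(f"{decision:<5} {a.kind:<7} {a.path}: {reason}")
```

The signed application and the System32 DLL are allowed, the unsigned download and the same-named DLL dropped beside it are denied, and the deployment script passes only while its bytes match the pinned hash. Real products (AppLocker, WDAC, SELinux and the like) express these rules differently, but the evaluation order, the default deny and the user-writable-path caveat carry over.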

How Do We Implement It?

  • What software is running?

  • Is it authorized?

  • If not, why is it on our infrastructure?

  • What is it being used for and who is using it?

  • Should it be authorized and managed or should it be removed?

  • What is our documented process for software approval or denial?

These are my big questions in this respect. It goes into the logical yes and no, but also into the politics and optics of relationship management. We can’t know everything, but we can learn, evaluate, and understand before we make a decision or recommendation. Some lenses I use are attack surface minimization, vulnerability management, access controls (ABAC), streamlining compliance and security efforts, and safeguarding business continuity.

Why Should We Care About Control #2?

Imagine building a car without solid steering or reliable brakes. It would lack the foundation for safety, whether maneuvering around the competition or simply changing direction, just as a weak cybersecurity strategy exposes an organization to significant risk.

CIS Critical Security Control #2 is one of the building blocks of a secure cybersecurity foundation. By effectively managing software assets and implementing the associated safeguards, we reduce vulnerabilities, protect valuable data, and fortify our defenses against cyber threats. This control is key to establishing a resilient security posture in an ever-evolving digital landscape.

Again, this lets us minimize disruption, demonstrate risk reduction, integrate with the other business functions, and be agile when it’s time to extend to the next big thing (cloud, IoT, etc.)


The Physics of Leadership

I had the opportunity to chat with my new boss this past week. We discussed the organization, goals, and the like. Then we got into a really great discussion about the future and leading during periods of great change. I pulled two major conclusions I wanted to share with you.

No Traction Without Friction

Physics, it seems, can teach us a lot about getting things done. For anything to move (outside of a vacuum), we must have some kind of friction.

There’s good friction, the friction that is necessary for movement in the direction we need to go. Things like a First Attempt In Learning (F.A.I.L.), constructive criticism, verifying and validating hypotheses by challenging the idea, etc. Then there’s bad friction. This has many forms: resistance to change, the frozen middle, intentional sabotage, etc.

The key here is to seek out and welcome as an old friend the former, and to quickly identify the latter and overcome it.

Centripetal Force and Change Management

Home experiment time! Grab a piece of string (or a USB cable) and tie a rock, or some earbuds or something, to one end.

Now spin it clockwise above your head. It starts out low and slow; then it picks up momentum and rises to be level with your hand, right?

Now quickly change direction. Spin your hand counterclockwise. What happened?

Likely chaos. Your hand changed direction quickly, the string went slack, but the rock’s momentum kept the far end moving clockwise until the string caught up with your hand, then jerked the rock, or earbuds, or something off its track (maybe something went flying off?), and then it had to start all over, slow to fast, low to high.

Great Eric, what’s the point?

OK, bear with me….

Leadership/Headquarters is your hand.

Your people are the rock, or earbuds, or something at the end of the string.

The string is your communication mechanism.

It’s a simple endeavor to change direction at the center of the movement. But a quick, unexpected change in direction (no matter how forceful) results in chaos and sometimes loss at the far end. Moreover, while your hand was spinning somewhat slowly, the speed at the end of that cable or string has to be much, much faster to keep up with just the regular flow of movement.

Now try it again, but this time, once you’re up to speed, find a way to not cause chaos.

  • One way is to slow down gradually to a stop at the center, then change direction.

  • Instead of going the opposite direction immediately, try changing the angle of the spin rotationally until you end up in the opposite direction.

The point is, it takes some creativity (and acrobatics in some cases) to lead change. You have built momentum within your team, your organization. A lot of energy and effort has been put into getting everything spinning in the right direction.

Change is going to happen. Leading change is about reducing the chaos and hopefully not sending those people moving the fastest (work) off the team.


I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.