Block and/or remove unnecessary software and unauthorized software.


CONTROL ID
00865
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization must develop a system to prevent the fraudulent or erroneous acquisition, use, or disposal of assets. They must develop and implement a system that when anything is acquired, used, or disposed of that has not undergone the proper procedures or approvals is immediately identified and… (Practice Standard § I.1(4) ¶ 3, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • With security in mind, it is necessary to ensure that unused functions are disabled or limited in usage and that unused software is not installed. (P118.8. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A few other aspects that also need to be considered include appropriate blocking, filtering and monitoring of electronic mechanisms like e-mail and printing and monitoring for unauthorised software and hardware like password cracking software, key loggers, wireless access points, etc. (Critical components of information security 15) x., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Remove unused software and turn off unnecessary services from computers. (Annex A2: Security of Personal Computers & Other Computing Devices 17, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • PowerShell 2.0 and below is removed from operating systems. (Security Control: 1621; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. (Control: ISM-1704; Revision: 0, Australian Government Information Security Manual, June 2023)
  • remove all non-essential accounts, applications and data (Control: ISM-1555; Revision: 1; Bullet 3, Australian Government Information Security Manual, June 2023)
  • Internet Explorer 11 is disabled or removed. (Control: ISM-1654; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Unprivileged users do not have the ability to install unapproved software. (Control: ISM-1592; Revision: 1, Australian Government Information Security Manual, June 2023)
  • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. (Control: ISM-1655; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Windows PowerShell 2.0 is disabled or removed. (Control: ISM-1621; Revision: 1, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, June 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Applications that are no longer supported by vendors are removed. (Control: ISM-0304; Revision: 6, Australian Government Information Security Manual, June 2023)
  • remove all non-essential accounts, applications and data (Control: ISM-1555; Revision: 1; Bullet 3, Australian Government Information Security Manual, September 2023)
  • Internet Explorer 11 is disabled or removed. (Control: ISM-1654; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Unprivileged users do not have the ability to install unapproved software. (Control: ISM-1592; Revision: 1, Australian Government Information Security Manual, September 2023)
  • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed. (Control: ISM-1655; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Windows PowerShell 2.0 is disabled or removed. (Control: ISM-1621; Revision: 1, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of operating systems are disabled or removed. (Control: ISM-0380; Revision: 9, Australian Government Information Security Manual, September 2023)
  • Unneeded accounts, components, services and functionality of server applications are disabled or removed. (Control: ISM-1247; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Unneeded components, services and functionality of office productivity suites, web browsers, email clients, PDF software and security products are disabled or removed. (Control: ISM-1470; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Applications that are no longer supported by vendors are removed. (Control: ISM-0304; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Online services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. (Control: ISM-1704; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The procedures for reviewing incoming media for viruses and unapproved software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "Data transfers", Australian Government Information Security Manual: Controls)
  • Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services? Describe how you achieve this. (A5.1., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Have you removed any software on your devices that is no longer supported and no longer receives updates for security problems? (A6.6., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Is all additional software added to workstations approved by IT or Management staff prior to installation and are standard users prevented from installing software? (Secure configuration Question 14, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • If an upgrade from Mac OS X to Mac OS X 10.4 was performed, an adaptation of Mac OS 9, known as Classic, will remain on the computer. If a new installation was performed, Mac OS 9 will not be located on the computer. Mac OS 9 should be removed from the computer if it is not needed. Mac OS 9 does not… (Pg 33, Pg 69, Pg 84, Mac OS X Security Configuration for version 10.4 or later, Second Edition)
  • Ensure that containers use only trusted base images Description: You should ensure that container images you use are either written from scratch or are based on another established and trusted base image downloaded over a secure channel. Rationale: Official repositories contain Docker images curated… (4.2, The Center for Internet Security Docker Level 1 Docker Linux Benchmark, v 1.2.0)
  • Ensure that containers use only trusted base images Description: You should ensure that container images you use are either written from scratch or are based on another established and trusted base image downloaded over a secure channel. Rationale: Official repositories contain Docker images curated… (4.2, The Center for Internet Security Docker Level 2 Docker Linux Benchmark, 1.2.0)
  • The embedded device shall provide the capability to protect from installation and execution of unauthorized software. (13.4.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • If the HSM implements firmware updates, the device cryptographically authenticates the firmware integrity, and if the authenticity is not confirmed, the firmware update is rejected and deleted. (B4, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • The operating system/firmware of the device must contain only the software (components and services) necessary for the intended operation. The operating system/firmware must be configured securely and run with least privilege. (B18, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • The operating system/firmware of the device must contain only the software (components and services) necessary for the intended operation. The operating system/firmware must be configured securely and run with least privilege. (B18, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • The device must support firmware updates. The device must cryptographically authenticate the firmware, and if the authenticity is not confirmed, the firmware update is rejected and deleted. (B4, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • Mobile devices should be provided with standard technical build configurations that include preventing unauthorized applications from running (e.g., by using 'whitelists' that allow only specified, permitted applications to run or 'blacklists' that forbid specified applications from running). (CF.14.02.04b, The Standard of Good Practice for Information Security)
  • Verify that the application employs integrity protections, such as code signing or subresource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet. (10.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • The software inventory tool should monitor each machine for installed unauthorized software and legitimate system administration software installed on inappropriate systems. (Critical Control 2.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should implement application whitelisting technology in order to prevent unapproved software from executing and only allowing approved software to execute. (Critical Control 2.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must be able to detect attempts to install or execute unauthorized software and notify the appropriate personnel inside of 24 hours. In the future, the organization should strive for quicker responses. (Control 2 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must prevent execution, block installation, or quarantine unauthorized software inside of 1 hour of it being detected and notify the appropriate personnel. In the future, the organization should strive for quicker responses. (Control 2 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must prevent execution, block installation, or quarantine unauthorized software inside of 1 hour of detection and send a notification after the action has been taken. In the future, the organization should strive for quicker response times. (Control 3 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must be able to detect and block an application-level software attack attempt and send out a notification to enterprise administrative personnel inside of 24 hours of detection and blocking. In the future, the notification should be sent inside of 2 minutes. (Control 6 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should closely monitor and/or block dangerous file types, such as ZIP, exe, or msi. (Critical Control 2.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should scan the system for unapproved software on a regular basis and generate an alert when it is found. (Critical Control 2.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system should block access to known e-mail exfiltration websites and file transfer websites. (Critical Control 17.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infras… (CCC-04, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established and mechanisms implemented to restrict the installation of unauthorized software. (RM-05, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution. (CIS Control 2: Inventory and Control of Software Assets, CIS Controls, 7.1)
  • Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. (CIS Control 2: Inventory and Control of Software Assets, CIS Controls, V7)
  • Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. (CIS Control 2: Inventory and Control of Software Assets, CIS Controls, V8)
  • Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. (CIS Control 2: Safeguard 2.3 Address Unauthorized Software, CIS Controls, V8)
  • Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. (CIS Control 2: Safeguard 2.6 Allowlist Authorized Libraries, CIS Controls, V8)
  • Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error check… (CIS Control 16: Safeguard 16.10 Apply Secure Design Principles in Application Architectures, CIS Controls, V8)
  • Use of unauthorized programs and data. An organization should implement safeguards that prevent the use of unauthorized programs and data, which endangers the availability of information stored and processed on the system where that happens, if the programs and data are used to delete information, … (¶ 10.4.18, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Procedures are in place to scan information assets that have been transferred or returned to the entity's custody for malware and other unauthorized software. Detected malware or other software is removed prior to connection to the entity's network. (CC6.8 ¶ 2 Bullet 5 Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization implements appropriate controls to prevent use of unsupported and unauthorized software. (DE.CM-7.1, CRI Profile, v1.2)
  • The organization implements appropriate controls to prevent use of unsupported and unauthorized software. (DE.CM-7.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The embedded device shall provide the capability to protect from installation and execution of unauthorized software. (13.4.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. (M1042 Disable or Remove Feature or Program, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Block users or groups from installing unapproved software. (M1033 Limit Software Installation, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The organization should implement controls to prevent viruses, malicious code, and unauthorized software on the systems. (Generally Accepted Privacy Principles and Criteria § 8.2.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should implement controls to prevent viruses, malicious code, and unauthorized software on the systems. (Table Ref 8.2.2.j, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization has developed and enforces clear policies that restrict the use of public domain and personal software. The organization must use business rules and technical controls to enforce these authorizations and prohibitions. The organization must also prohibit individuals, other than autho… (CSR 6.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The System Administrator should ensure unauthorized programs are not added to the system. (§ 2.4, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The Internet Information System (IIS) should not be installed on the system. If it is, it should be removed. (§ 3.12 (5.016), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • PDA synchronization software should not be installed or loaded onto any systems that contain classified information. Examine the documentation to verify that users are told that synchronization software is not to be loaded onto any system containing classified information. (§ 5 (WIR0420), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code. (DCSL-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Using tools to help discover unapproved open source software. (App A Objective 13:6g Bullet 2 Sub-Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should scan the system for unauthorized software to protect against copyright violations. The Security Administrator should monitor and enforce this policy. (Pg 46, FFIEC IT Examination Handbook - Development and Acquisition)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [FedRAMP Assignment: automated mechanisms with a maximum five-minute delay in detection.] [FedRAMP Assignment: continuously]; and (CM-8(3)(a), FedRAMP Security Controls High Baseline, Version 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [FedRAMP Assignment: automated mechanisms with a maximum five-minute delay in detection.] [FedRAMP Assignment: continuously]; and (CM-8(3)(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Illegal and non-approved software may not be installed or used at alternate work sites. The organization must ensure users comply with the software usage restrictions on systems containing Federal Tax Information. The organization must develop strict rules regarding the installation of software by u… (§ 4.7.3, § 5.6.14, Exhibit 4 SA-6, Exhibit 4 SA-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • (§ 3.9.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Test the system for prohibited software by using a scanner to list all installed software and comparing that list against the approved software list. (SA-7.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Organizations should maintain a set of trusted images and registries and ensure that only images from this set are allowed to run in their environment, thus mitigating the risk of untrusted or malicious components being deployed. (4.1.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Enforcement to ensure that all hosts in the environment only run images from these approved lists; (4.1.5 ¶ 2 Bullet 3, NIST SP 800-190, Application Container Security Guide)
  • The organization should use automated mechanisms to detect unauthorized software on the smart grid Information System on a defined time period and notify the appropriate personnel, if discovered. (SG.RA-6 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms at predefined frequencies to detect unauthorized software and to notify designated officials. (App F § RA-5(7), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Software is maintained, replaced, and removed commensurate with risk (PR.PS-02, The NIST Cybersecurity Framework, v2.0)
  • Installation and execution of unauthorized software are prevented (PR.PS-05, The NIST Cybersecurity Framework, v2.0)
  • Employs automated mechanisms [TX-RAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), TX-RAMP Security Controls Baseline Level 2)