Configure clients so that only software known to the organisation is able to execute. Keep in mind that software can execute even if it is not installed.
a) On employees’ clients one should explicitly allowlist all programmes that will be running on the device, ideally by having permitted source code signed by a trusted party who can also quality-assure the code against the operating system’s application criteria. In practice, the code could be signed by the device provider’s app store, or alternatively by the organisation’s own app store. If required, the selection of applications in a supplier’s app store could be restricted by allowlisting only the required applications (e.g. with tools such as Mobile Device Management, MDM).
b) If an app store is not used, one should use application allowlisting. Use folder-based allowlisting, as allowlisting individual applications is usually too time-consuming.
c) If required, one can also refine the application allowlisting further by denylisting unwanted provider-signed programmes for defined user groups, e.g. one can explicitly block any built-in script engines that end users should not be able to run (only administrators). Keep in mind that script engines such as powershell*.exe can provide an unnecessarily large attack surface if end users are permitted to execute them.
d) The software that accompanies some documents (e.g. macros) also provides a large attack surface. To reduce this attack surface, one should i) remove unwanted software from external documents and emails before they reach the users, e.g. in the firewall, ii) deactivate the option to run such software for users who do not need it, and iii) explicitly allowlist software in documents that the users actually need, e.g. by using digital signatures.
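Items b) and c) above describe a folder-based allowlist refined by a per-group denylist for script engines. The following is an added illustration (not part of the original guidance or any product's code) of how such a policy is evaluated against execution attempts; the folder list, the group name "administrators", the sample users and paths are all constructed. It also shows two pitfalls a folder rule must handle: `..` segments and folder names that merely share a prefix with an allowlisted folder.

```python
import fnmatch
import ntpath
from pathlib import PureWindowsPath

# Constructed policy: folders whose contents may run (item b) and
# provider-signed script engines only administrators may run (item c).
ALLOWED_FOLDERS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
DENIED_FOR_END_USERS = ["powershell*.exe"]
ADMIN_GROUP = "administrators"

def _normalize(path: str) -> PureWindowsPath:
    # Collapse '..', unify separators and case; otherwise
    # 'C:\Program Files\..\Users\x.exe' would pass the folder rule.
    return PureWindowsPath(ntpath.normcase(ntpath.normpath(path)))

def in_allowed_folder(path: str) -> bool:
    # Compare path components, not a string prefix, so that
    # 'C:\Program FilesEvil' does not match 'C:\Program Files'.
    p = _normalize(path)
    return any(_normalize(folder) in p.parents for folder in ALLOWED_FOLDERS)

def decide(path: str, user_groups: set) -> tuple:
    """Return ('allow' | 'block', reason) for one execution attempt."""
    if not in_allowed_folder(path):
        return "block", "outside allowlisted folders"
    name = _normalize(path).name  # lower-cased by normcase
    if ADMIN_GROUP not in user_groups and any(
            fnmatch.fnmatchcase(name, pat) for pat in DENIED_FOR_END_USERS):
        return "block", "script engine denied for end users"
    return "allow", "allowlisted folder"

def blocked_events(events) -> list:
    """Return (user, path, reason) for attempts the policy blocks: the
    audit view needed to detect unauthorized program use."""
    return [(user, path, decide(path, groups)[1])
            for user, groups, path in events if decide(path, groups)[0] == "block"]

# Constructed execution attempts, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("alice", {"users"}, r"C:\Program Files\Vendor\app.exe"),
    ("alice", {"users"}, PS),
    ("bob", {"users", "administrators"}, PS),
    ("carol", {"users"}, r"C:\Program Files\..\Users\carol\Downloads\setup.exe"),
    ("dave", {"users"}, r"C:\Program FilesEvil\tool.exe"),
]

if __name__ == "__main__":
    for user, path, reason in blocked_events(SAMPLE_EVENTS):
        print(f"block {user}: {path} ({reason})")
```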
Only software approved by the organization can be run on the devices. The organization should:
The organization must maintain a list of approved applications and application sources that are allowed on the organization's endpoint devices.
The organization should, where possible, automate the management of approved software, for example with policies from a mobile device management system.
Mobile Device Management (MDM) helps secure and manage staff mobile devices, whether they are iPhones, iPads, Android devices, or Windows devices. For example, a Microsoft 365 subscription includes basic mobile device management.
A mobile device management system can be used to, for example, configure device security policies, wipe devices remotely and get accurate device usage reporting.
Our organization has defined policies in place to prevent or at least detect the use of unauthorized programs.
Our organization has defined policies in place to prevent or at least detect the use of unauthorized programs on mobile devices (e.g. smartphones, tablets).
The software that accompanies some documents (e.g. macros) also provides a large attack surface. To reduce this attack surface, one should remove unwanted software from external documents and emails before they reach the users, e.g. in the firewall, deactivate the option to run such software for users who do not need it, and explicitly allowlist software in documents that the users actually need, e.g. by using digital signatures.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.