Critical Software - Definition & Explanatory Material

Identity, credential, and access management (ICAM)

Software that centrally identifies, authenticates, manages access rights for, or enforces access decisions for organizational users, systems, and devices

• Identity management systems
• Identity provider and federation services
• Certificate issuers
• Access brokers
• Privileged access management software
• Public key infrastructure

• Foundational for ensuring that only authorized users, systems, and devices can obtain access to sensitive information and functions

Operating systems, hypervisors, container environments

Software that establishes or manages access and control of hardware resources (bare metal or virtualized/ containerized) and provides common services such as access control, memory management, and runtime execution environments to software applications and/or interactive users

• Operating systems for servers, desktops, and mobile devices
• Hypervisors and container runtime systems that support virtualized execution of operating systems and similar environments

• Highly privileged software with direct access and control of underlying hardware resources and that provides the most basic and critical trust and security functions

Web browsers

Software that processes content delivered by web servers over a network, and is often used as the user interface to device and service configuration functions

• Standalone and embedded browsers

• Performs multiple access management functions
• Supports browser plug-ins and extensions such as password managers for storing credentials for web server resources
• Provides execution environments for code downloaded from remote sources
• Provides access management for stored content, such as an access token which is provided to web servers upon request

Endpoint security
 

Software installed on an endpoint, usually with elevated privileges which enable or contribute to the secure operation of the endpoint or enable the detailed collection of information about the endpoint

• Full disk encryption
• Password managers
• Software that searches for, removes, or quarantines malicious software
• Software that reports the security state of the endpoint (vulnerabilities and configurations)
• Software that collects detailed information about the state of the firmware, operating system, applications, user and service accounts, and runtime environment

• Has privileged access to data, security information, and services to enable deep inspection of both user and system data
• Provides functions critical to trust

Network control

Software that implements protocols, algorithms, and functions to configure, control, monitor, and secure the flow of data across a network

• Routing protocols
• DNS resolvers and servers
• Software-defined network control protocols
• Virtual private network (VPN) software
• Host configuration protocols

• Privileged access to critical network control functions
• Often subverted by malware as the first step in more sophisticated attacks to exfiltrate data

Network protection

Products that prevent malicious network traffic from entering or leaving a network segment or system boundary

• Firewalls, intrusion detection/ avoidance systems
• Network-based policy enforcement points
• Application firewalls and inspection systems

• Provides a function critical to trust, often with elevated privileges

Network monitoring and configuration

Network-based monitoring and management software with the ability to change the state of—or with installed agents or special privileges on—a wide range of systems

• Network management systems
• Network configuration management tools
• Network traffic monitoring systems

• Capable of monitoring and/or configuring enterprise IT systems using elevated privileges and/or remote installed agents

Operational monitoring and analysis

Software deployed to report operational status and security information about remote systems and the software used to process, analyze, and respond to that information

• Security information and event management (SIEM) systems

• Software agents widely deployed with elevated privilege on remote systems
• Analysis systems critical to incident detection and response and to forensic root cause analysis of security events
• Often targeted by malware trying to deactivate or evade it

Remote scanning

Software that determines the state of endpoints on a network by performing network scanning of exposed services

• Vulnerability detection and management software

• Typically has privileged access to network services and collects sensitive information about the vulnerabilities of other systems

Remote access and configuration management

Software for remote system administration and configuration of endpoints or remote control of other systems

• Policy management
• Update/patch management
• Application configuration management systems
• Remote access/ sharing software
• Asset discovery and inventory systems
• Mobile device management systems

• Operates with significant access and elevated privileges, usually with little visibility or control for the endpoint user

Backup/recovery and remote storage

Software deployed to create copies and transfer data stored on endpoints or other networked devices

• Backup service systems
• Recovery managers
• Network-attached storage (NAS) and storage area network (SAN) software

• Privileged access to user and system data
• Essential for performing response and recovery functions after a cyber incident (e.g., ransomware)