CIS IG1 Control 2.3 — Why Unauthorized Software Is a Hidden Threat Lurking on “Trusted” Devices

Most organizations assume that corporate devices only run approved software. In reality, that assumption is often wrong. Users are focused on getting their work done on time, and they will find workarounds to do it. That natural behavior creates blind spots for many organizations, which is why assessing authorized and unauthorized software use within an environment matters.

CIS Control 2.3 exists because unauthorized software turns up in almost every environment, and it quietly increases your attack surface without adding business value.


What Is CIS Control 2.3?

This safeguard (Address Unauthorized Software, part of Control 2, Inventory and Control of Software Assets) requires organizations to identify software that is not on the approved list and either remove it from use or formally authorize it with a documented exception. CIS expects that review to happen monthly or more often.

If software is running and no one can explain why, that’s a problem.


Why Unauthorized Software Is So Dangerous

It Creates Blind Spots

Security tools, patching processes, and monitoring workflows are typically built around known software: the approved list is what gets vetted, patched, and watched for flaws. Unauthorized applications fall outside those guardrails, and that gap is exactly what attackers look for.

That means:

  • No patching guarantees
  • No vulnerability tracking
  • No security review, and no awareness of potential data leakage or compromise

Attackers live in those blind spots and routinely exploit unmanaged software to gain a foothold.

It Often Enters Through Legitimate Users

Unauthorized software isn’t always malicious at first. Common sources include:

  • “Helpful” utilities or widgets installed by employees
  • Freeware or trial software
  • Shadow IT tools for file sharing or remote access

Many breaches start with software that was installed with good intentions. Depending on how the application is used, it can open security holes, quietly misuse credentials against cloud or hosted applications, or leak data. Ordinary browsing adds to the problem: users pick up unwanted downloads that are bundled with other software or served by an otherwise legitimate website. These potentially unwanted programs or applications (PUP/PUA) can harvest data, cookies, and other information that adversaries then use to install further programs.

Malware Frequently Masquerades as Legitimate Software

Some unauthorized software isn't installed by users at all; it's dropped by attackers after initial access. Consider a remote management tool that appears on several systems but isn't your sanctioned RMM solution. Is it left over from a previous vendor, or a sign of compromise? Adversaries routinely use legitimate remote management software for persistence, and if you're not regularly checking what's installed, that persistence can hide in plain sight.


How SMBs Can Tackle Control 2.3 Pragmatically


Compare Installed Software to the Approved List

On a regular basis (monthly is a great start):

  • Pull a list of installed software from endpoints
  • Compare it against your authorized inventory
  • Flag anything that doesn’t belong

This simple comparison is the core of Control 2.3.


Remove What Isn’t Needed

If software isn’t required for business operations, remove it. Fewer applications mean:

  • Fewer vulnerabilities
  • Less patching overhead
  • Smaller attack surface

Security often improves by subtraction.


Formally Approve What Is Needed (or ask!)

Sometimes unauthorized software turns out to be legitimately useful. When that happens:

  • Add it to the authorized list
  • Assign an owner
  • Confirm support and patching requirements

Alternatively, ask your teams what software and services they use to get their work done. Review the feedback and consider whether those tools can be approved. This turns shadow IT into managed IT.
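The three steps above (compare, remove, approve) can be run as one scripted review. The following is an added example, not code from the page or from CIS: it takes an installed-software export, compares it against an authorized list where every entry has an owner and time-boxed entries are documented exceptions, and reports anything that doesn't belong. Following the earlier point about remote management tools, an unapproved remote-access tool is rated higher than other unknowns. The inventory rows, the approved list, and the remote-access watchlist are constructed sample data; in practice the inventory would be an export from your endpoint management or RMM tool.

```python
"""Compare an installed-software export against the authorized list.

Added example, not code from the page. The inventory rows, the approved
list and the remote-access watchlist below are constructed sample data;
in practice the inventory comes from an export out of your endpoint
management or RMM tool.
"""
import csv
import io
from datetime import date

# Constructed sample export: one row per (endpoint, installed application).
INVENTORY_CSV = """hostname,name,publisher,version
WS-FIN-01,Microsoft Office,Microsoft Corporation,16.0.17328
WS-FIN-01,7-Zip,Igor Pavlov,23.01
WS-FIN-01,AnyDesk,AnyDesk Software GmbH,8.0.9
WS-HR-02,Microsoft Office,Microsoft Corporation,16.0.17328
WS-HR-02,Dropbox,Dropbox Inc.,190.4.6
WS-HR-02,Zoom,Zoom Video Communications,5.17.5
WS-ENG-03,Git,The Git Development Community,2.44.0
WS-ENG-03,ScreenConnect Client,ScreenConnect Software,23.9.10
"""

# Constructed authorized list. Every entry has an owner; a time-boxed entry
# is a documented exception that must be re-reviewed once it lapses.
APPROVED = [
    {"name": "Microsoft Office", "owner": "IT", "exception_until": None},
    {"name": "7-Zip", "owner": "IT", "exception_until": None},
    {"name": "Zoom", "owner": "IT", "exception_until": None},
    {"name": "ScreenConnect Client", "owner": "IT", "exception_until": None},  # sanctioned RMM
    {"name": "Git", "owner": "Engineering", "exception_until": "2024-06-30"},
]

# Constructed, non-exhaustive watchlist: a remote-access tool that is not
# your sanctioned RMM gets looked at first.
REMOTE_ACCESS_KEYWORDS = ("anydesk", "teamviewer", "splashtop", "rustdesk", "screenconnect")


def normalize(name):
    """Case- and whitespace-insensitive key so 'AnyDesk' and ' anydesk' match."""
    return " ".join(name.lower().split())


def review(inventory_csv, approved, today):
    """Flag installs missing from the approved list and exceptions that have lapsed.

    today may be a date or an ISO string; both are accepted for convenience.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    approved_by_name = {normalize(a["name"]): a for a in approved}
    unauthorized, expired = {}, {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = normalize(row["name"])
        entry = approved_by_name.get(key)
        if entry is None:
            severity = "high" if any(k in key for k in REMOTE_ACCESS_KEYWORDS) else "medium"
            item = unauthorized.setdefault(row["name"], {"severity": severity, "hosts": []})
            item["hosts"].append(row["hostname"])
        elif entry["exception_until"] and date.fromisoformat(entry["exception_until"]) < today:
            item = expired.setdefault(row["name"], {"owner": entry["owner"], "hosts": []})
            item["hosts"].append(row["hostname"])
    return {"unauthorized": unauthorized, "expired_exceptions": expired}


if __name__ == "__main__":
    report = review(INVENTORY_CSV, APPROVED, "2024-09-01")
    for name, info in sorted(report["unauthorized"].items()):
        print(f"[{info['severity']}] {name} on {', '.join(info['hosts'])}: remove or approve")
    for name, info in sorted(report["expired_exceptions"].items()):
        print(f"[review] {name} exception lapsed (owner: {info['owner']}) on {', '.join(info['hosts'])}")
```

Run against the sample data, AnyDesk on WS-FIN-01 comes back as a high-severity unknown while the approved ScreenConnect client does not, Dropbox is an ordinary unknown to remove or approve, and Git's lapsed exception is handed back to its owner for re-review. Matching on a normalized name is deliberately simple; if your export carries publisher or hash fields, match on those too so a look-alike name does not slip through.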


Automate Detection Where Possible

Endpoint management tools can alert you when:

  • New software is installed
  • Unknown executables appear
  • Users install applications outside policy

Automation helps you catch issues early—before they become incidents.
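Where your endpoint management tool does not raise these alerts itself, the same signal can be produced by diffing two scheduled inventory snapshots. This is an added example, not code from the page: it reports installs that appeared since the last snapshot, installs that disappeared, version changes, and, tying back to the masquerading point above, a familiar application name now reported under a publisher never seen for it before. Both snapshots are constructed sample data; in practice each would be an export taken on a schedule, and the report would feed a ticket or alert queue.

```python
"""Detect newly installed software by diffing two inventory snapshots.

Added example, not code from the page. The snapshots are constructed
sample data; in practice each is a scheduled export from your endpoint
management tool.
"""
import csv
import io

# Constructed sample: last month's snapshot.
PREVIOUS_CSV = """hostname,name,publisher,version
WS-FIN-01,Microsoft Office,Microsoft Corporation,16.0.17328
WS-FIN-01,7-Zip,Igor Pavlov,23.01
WS-HR-02,Microsoft Office,Microsoft Corporation,16.0.17328
WS-HR-02,Zoom,Zoom Video Communications,5.17.5
WS-ENG-03,Git,The Git Development Community,2.44.0
"""

# Constructed sample: this month's snapshot.
CURRENT_CSV = """hostname,name,publisher,version
WS-FIN-01,Microsoft Office,Microsoft Corporation,16.0.17328
WS-FIN-01,7-Zip,Igor Pavlov,24.05
WS-FIN-01,AnyDesk,AnyDesk Software GmbH,8.0.9
WS-HR-02,Microsoft Office,Microsoft Corporation,16.0.17328
WS-HR-02,Zoom,Zoom Video Communications,5.17.5
WS-ENG-03,Git,The Git Development Community,2.44.0
WS-ENG-03,7-Zip,Unknown Publisher,23.01
"""


def load(text):
    """Map (hostname, app name) -> row so each install is one comparable key."""
    return {(r["hostname"], r["name"]): r for r in csv.DictReader(io.StringIO(text))}


def compare_snapshots(previous_csv, current_csv):
    """Return what appeared, vanished, changed version, or changed publisher."""
    prev = load(previous_csv)
    cur = load(current_csv)

    # Publishers seen fleet-wide for each app name in the previous snapshot.
    known_publishers = {}
    for (_, name), row in prev.items():
        known_publishers.setdefault(name, set()).add(row["publisher"])

    added, removed, upgraded, publisher_mismatch = [], [], [], []
    for host, name in sorted(cur.keys() - prev.keys()):
        row = cur[(host, name)]
        added.append((host, name, row["version"]))
        # A familiar name from an unfamiliar publisher is a masquerading signal.
        seen = known_publishers.get(name)
        if seen and row["publisher"] not in seen:
            publisher_mismatch.append((host, name, row["publisher"]))
    for host, name in sorted(prev.keys() - cur.keys()):
        removed.append((host, name))
    for host, name in sorted(cur.keys() & prev.keys()):
        before, after = prev[(host, name)]["version"], cur[(host, name)]["version"]
        if before != after:
            upgraded.append((host, name, before, after))
    return {
        "added": added,
        "removed": removed,
        "upgraded": upgraded,
        "publisher_mismatch": publisher_mismatch,
    }


if __name__ == "__main__":
    report = compare_snapshots(PREVIOUS_CSV, CURRENT_CSV)
    for host, name, version in report["added"]:
        print(f"NEW      {host}: {name} {version}")
    for host, name in report["removed"]:
        print(f"REMOVED  {host}: {name}")
    for host, name, before, after in report["upgraded"]:
        print(f"VERSION  {host}: {name} {before} -> {after}")
    for host, name, publisher in report["publisher_mismatch"]:
        print(f"SUSPECT  {host}: {name} now reports publisher '{publisher}'")
```

On the sample data the new AnyDesk install on WS-FIN-01 and the 7-Zip upgrade on WS-FIN-01 are reported as expected, while the "7-Zip" that appeared on WS-ENG-03 under a publisher never seen for that name is called out separately, which is the case that deserves a look at the binary and its signature rather than a routine approval decision.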


The Bottom Line

Unauthorized software isn’t just clutter—it’s unmanaged risk.

By adhering to CIS Control 2.3, organizations regain control over what's running in their environment, improve visibility into user activity, productivity, and risk, and ensure that every application is either:

  • Approved and managed, or
  • Removed entirely

When you know what software is running—and why—your security posture becomes far more predictable, defensible, and resilient.