Resolve conflicts between security best practices and compliance mandates

So, you read a good piece of advice on the internet and think it would improve your security posture. Before providing this advice to management, it is wise to consider whether it is permitted by your security compliance requirements or if it can become an acceptable exception to your compliance models.

Many of you work for companies that are subject to multiple compliance mandates. The larger and more international your business, the thicker the alphabet soup of technology compliance regulations you must follow: the European Union’s General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) guidelines, the Federal Information Security Management Act (FISMA) and the controls from the Center for Internet Security (CIS), to name a few.

These regulations contain recommendations and controls that you may need to review before changing your network defenses, to ensure you remain in compliance. Tracking compliance templates is usually a full-time job.

Windows Updates Checked or Unchecked

Some mandates may surprise you, given how much our networks have changed over the past few years. A concrete example is how you handle Windows updates. Some organizations no longer control updates through Windows Server Update Services (WSUS), but the compliance regulations have not kept pace with how we now deploy updates.

The old mandate was clear: don’t let system updates run wild. As the audit notes for Server 2012 R2 state: “Unchecked system updates can introduce problems into a system. Obtaining update components from an external source can also potentially provide sensitive information outside of the company. Installation or repair of optional components must be obtained from an internal source.”

Using WSUS and then setting a Group Policy that lets your machines fetch .NET 3.5 components from the internet conflicts with this setting. As the audit notes indicate, the recommendation is to:

“Configure the policy value for Computer Configuration -> Administrative Templates -> System -> ‘Specify settings for optional component installation and component repair’ to ‘Enabled’ and with ‘Never attempt to download payload from Windows Update’ selected.”

So can you let your servers connect to Windows Update on their own for servicing when installing .NET 3.5? The answer is “it depends”. Some companies are required to follow their industry’s compliance model to the letter. Others can request exceptions based on business needs and on the security of the alternative.

Even Windows Server 2019 carries requirements not to use the more modern update features. For example, the Server 2019 mandate is not to fetch updates from other devices on the network using the peer-to-peer update technology known as Delivery Optimization. As indicated:

“Windows Update may obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates may be obtained from and sent to PCs on the local network as well as the Internet. This is part of the trusted process. However, to minimize outside exposure, updates should not be obtained from or pushed to systems on the Internet.”

To ensure systems do not have this setting, you need to “Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> ‘Download Mode’ to ‘Enabled’ with any option except ‘Internet’ selected.”
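Both of the settings quoted above are Group Policy entries backed by registry values, so a server can be audited for them without opening the policy editor. The script below is an added example, not code from the original article or from any benchmark vendor: it reads the registry values those two policies write (UseWindowsUpdate under the Servicing key for optional-component payloads, DODownloadMode under the DeliveryOptimization key for Download Mode) and reports whether each matches the mandate. Treating an unconfigured value as a finding is an assumption; adjust it to the wording of the benchmark you are audited against.

```powershell
# Added example (not from the original article): audit the two update-source
# policies the article quotes by reading the registry values Group Policy writes.
# Run in an elevated PowerShell session on the server under review.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD, or $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-OptionalComponentSource {
    # 'Specify settings for optional component installation and component repair'
    # with 'Never attempt to download payload from Windows Update' writes UseWindowsUpdate = 2.
    $value = Get-PolicyDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Servicing' `
                             -Name 'UseWindowsUpdate'
    $display = if ($null -eq $value) { 'not configured' } else { $value }
    [pscustomobject]@{
        Control   = 'Optional components (.NET 3.5) must not be fetched from Windows Update'
        Value     = $display
        Compliant = ($value -eq 2)   # assumption: missing value counts as a finding
    }
}

function Test-DeliveryOptimizationMode {
    # 'Download Mode' writes DODownloadMode. 3 = Internet peering, which is the finding.
    # 0 (HTTP only), 1 (LAN), 2 (Group), 99 (Simple) and 100 (Bypass) all satisfy the mandate.
    $value = Get-PolicyDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' `
                             -Name 'DODownloadMode'
    $allowed = 0, 1, 2, 99, 100
    $display = if ($null -eq $value) { 'not configured' } else { $value }
    [pscustomobject]@{
        Control   = 'Delivery Optimization must not peer with systems on the Internet'
        Value     = $display
        Compliant = ($null -ne $value -and $allowed -contains $value)
    }
}

# A non-compliant row is the concrete item that goes into an exception request
# when the business needs .NET 3.5 from Windows Update or LAN peering.
$results = @(Test-OptionalComponentSource; Test-DeliveryOptimizationMode)
$results | Format-Table -AutoSize
```

Remediate through the Group Policy paths the article quotes rather than by writing the registry directly: Group Policy refresh will overwrite a manual registry change, and the audit will then show the finding again.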

Patching VMs in Microsoft Azure

Even when you use a platform such as Azure, you must still adhere to compliance mandates; for example, virtual machines in Azure must be kept patched. The recommendation is to use Azure Security Center to examine the update status of Windows and Linux virtual machines. You can also use third-party patch software to keep systems up to date.

Verification of new technological platforms

You may need to review and approve new technology platforms before deploying them. Take, for example, Intune, Microsoft’s platform for managing and controlling desktops. CIS has an audit template for Intune deployments; the items it covers range from device settings to authentication.

Best Practices for Passwords vs. Mandates

Some benchmark password settings are questionable and could create more password-management problems than they solve.

As the Tenable audit page points out, for example, the maximum password age recommended in the server templates and in the Intune benchmark is 60 days or less.

However, recent research indicates that when multi-factor authentication is used together with stronger authentication technology such as Windows Hello or other biometric options, password expiration can be set longer than 60 days or even disabled entirely. Your organization may need to request an exception to certain compliance templates precisely because your choices make the organization more secure, not less.
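The exception the article describes is easier to defend when the gap between the benchmark and your actual setting is measured rather than asserted. The script below is an added example, not code from the article or from Tenable or CIS: it compares the domain’s effective maximum password age (the default domain policy plus any fine-grained policies that override it) against a benchmark ceiling of 60 days and labels each result as compliant, as a documented exception justified by enforced MFA, or as an open finding. It needs the ActiveDirectory module; the `-MfaEnforced` switch and the exception wording are assumptions for illustration, and the treatment of a zero TimeSpan as “never expires” should be verified on your own domain.

```powershell
# Added example (not from the original article): compare maximum password age
# with a benchmark ceiling and record the MFA-based exception instead of hiding it.

function Test-MaxPasswordAge {
    param(
        [Parameter(Mandatory)][TimeSpan]$MaxPasswordAge,
        [int]$BenchmarkDays = 60,      # ceiling the article cites for server and Intune templates
        [switch]$MfaEnforced           # assumption: identity team attests MFA / Windows Hello coverage
    )
    # Assumption: AD reports a "never expires" policy as a zero TimeSpan.
    $neverExpires   = ($MaxPasswordAge -le [TimeSpan]::Zero)
    $meetsBenchmark = (-not $neverExpires) -and ($MaxPasswordAge.TotalDays -le $BenchmarkDays)

    $ageDisplay = if ($neverExpires) { 'never' } else { [int]$MaxPasswordAge.TotalDays }
    $status = if ($meetsBenchmark) { 'compliant' }
              elseif ($MfaEnforced) { 'exception: exceeds benchmark, justified by enforced MFA' }
              else { 'finding: exceeds benchmark without MFA justification' }

    [pscustomobject]@{
        MaxPasswordAgeDays = $ageDisplay
        BenchmarkDays      = $BenchmarkDays
        MeetsBenchmark     = $meetsBenchmark
        Status             = $status
    }
}

Import-Module ActiveDirectory

# Default domain policy first, then every fine-grained policy that can override it.
$default = Get-ADDefaultDomainPasswordPolicy
Test-MaxPasswordAge -MaxPasswordAge $default.MaxPasswordAge -MfaEnforced |
    Add-Member -NotePropertyName Policy -NotePropertyValue 'Default Domain Policy' -PassThru

Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-MaxPasswordAge -MaxPasswordAge $_.MaxPasswordAge -MfaEnforced |
        Add-Member -NotePropertyName Policy -NotePropertyValue $_.Name -PassThru
}
```

Run it without `-MfaEnforced` to see what an auditor applying the template literally would report; the rows that flip from “finding” to “exception” are exactly the ones your exception request has to justify with evidence of MFA enforcement.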

Regulatory and guidance resources

The Center for Internet Security site lets you download PDFs of guidance covering everything from Apple devices to Cisco devices, firewalls and printers, once you provide an email address and some information about your company.

I recommend that, in addition to downloading the guidance, you sign up for the benchmark community so you can ask questions and take part in discussions. In these benchmark communities you often find like-minded participants who can help with your compliance project.

If you are evaluating new technologies and platforms, these reference documents can help with your deployment projects.

CIS includes guidance for technologies such as Apple macOS 12.0, macOS 11.0 Big Sur, macOS 10.15 Catalina and macOS 10.14 Mojave. If you are looking for best-practice guidance on deploying Apple desktops, these documents will help with your initial deployment and with your research into new technologies.

Compliance is a necessary mandate for a business of almost any size. Your goal is to find the balance between following the mandated direction and adopting new technologies that bring more security to your business.
