Security baselines
cbolar
Hey Team,
I'm currently working on testing CIS baselines for Windows 10 and have come across some difficulty with helping other departments understand why it's needed. How do you approach others who have difficulty understanding things from the security perspective? I'm new to the security field; it's provided some excellent opportunities but also some interesting challenges.
I don't want to approach this in an "I'm right, you're wrong" sense. Yes, I can prove it and show the data. I want to help them understand that it's going to take time to perform testing and go through working sessions to see what's "broken".
Feel free to drop some suggestions or share some challenges you've faced.
Comments
shochan
https://nvd.nist.gov/ncp/checklist/629
TechGuru80
Helping them understand what exactly? Using CIS baselines, baselines in general, not getting hacked?
cbolar
Using the CIS baselines and why testing is critical before rolling out to production. Things are locked down in my test GPO a lot further than people are used to. I had a meeting shortly after the post and I think it went well. I'm hoping that it sinks in with the less technical members of the team.
636-555-3226
A crappy answer for you, but in my opinion the best way to succeed with security is the top-down approach. The board/owners/executives/CEO/whoever needs to adopt a formal stance & tell IT (and others) that the strategy going forward is a "secure by design" or "secure by default" approach. This flips things around on people. Instead of you having to prove to them why you need to do x, y, z, the default is that you are doing those things unless there's a valid reason NOT to. The burden is on naysayers to prove you shouldn't do it in that case, and when it comes down to that, people don't have time to prove every little nitty-gritty point and end up just going along with things. It's easy for them to tell you you need to prove things, but when it comes to them having to prove you shouldn't do stuff, they tend to lose interest quickly.
My advice is to work the top-down approach. Meet with however many execs you can, go in with tons of relevant news articles regarding other companies in your industry that had a bad day, and see what kind of support you can get that way.
My org adopted the CIS benchmarks. Started with Level 1, just applied them en masse to entire departments at a time. Waited a few weeks, saw what broke (nothing), and then expanded it to more. Eventually we found old legacy apps that needed some settings. In that case we stripped out those settings & kept the rest. Once the entire org is on Level 1, start slowly adding Level 2 settings and see what breaks.
TechGuru80
I’m guessing based on what you are saying that security rolls up to the CIO...which is really scary if they don’t know testing is necessary.
What industry are you in? You MUST have the top of the organization supporting the initiative or you will fail. Culture changes are difficult, and more than likely the biggest battle you will have is users being able to install whatever applications they want. When you do start to implement, definitely follow a phased approach...start with users that will need very little customization...sales/finance type people would probably be good choices but I could see others being good choices as well. If you have DEV they will probably fight you so be careful there.
cbolar
Thankfully we've adopted most Level 1 baselines. There are a few I've tweaked due to our current policy requiring that we be a little more strict. As far as industry goes, I'd like to hold off on saying. My user name and location give me away.
Culture change is definitely a must, thankfully I have a new director with a very strong technical background that can help if I face any challenges.