WServerNews: Finding value in compliance

In this issue

Leveraging Compliance for Better Operational Security (Guest editorial by Andrew S. Baker). Ensuring static IP addresses remain static. Old computer manuals never disappear, they just turn yellow with age. Plus lots more — read it all, read it here on WServerNews!

Enjoy this week’s newsletter and feel free to send us feedback on any of the topics we’ve covered — we love hearing from our readers! And please tell others about WServerNews! It’s free and always will be free — and they can subscribe to it here. Thanks!!!

 

Got questions? Ask our readers!

WServerNews goes out each week to almost 200,000 IT pro subscribers worldwide! That’s a lot of expertise to tap into. Do you need help with some technical problem, or are you looking for expert advice on something IT-related? Ask Our Readers by emailing your problems and/or questions to us at [email protected]

 

Editor’s Corner

This issue features a guest editorial by my colleague Andrew S. Baker. Andrew is the President and Founder of BrainWave Consulting Company, LLC where he provides CyberSecurity and Technology Consulting services for the SMB/SME market. Andrew’s views and recommendations have been featured several times (see here and here) on our TechGenix site, and back in April I interviewed him about what it was like being an IT consultant during the early stages of the SARS-CoV-19 pandemic when the businesses he served faced challenges like enabling their workers to rapidly transition to working from home. I hope you enjoy reading Andrew’s article and learn something that can benefit your own business or organization.

 

Leveraging Compliance for Better Operational Security (Guest editorial by Andrew S. Baker)

Andrew S. Baker is the President and Founder of BrainWave Consulting Company, LLC where he provides CyberSecurity and Technology Consulting services for the SMB/SME market.

Organizations of all sizes are finding themselves under more and more pressure to demonstrate compliance with standards and regulations such as PCI DSS, HIPAA, HITRUST, GDPR, SOC 2, and CCPA. Is it possible to make lemonade out of these lemons, or is the prevailing view that compliance is the enemy of operational security really true?

There are many who believe that compliance undermines good cybersecurity — that compliance is nothing more than a huge waste of time, money and productivity. I cannot agree with this position, and on occasion, I have enjoyed long arguments with some of my best friends and colleagues about this very issue. Today, I’d like to share with you some strategies you can use to harness the compliance efforts that your organization is subject to, so that you end up with better operational security.

At its most basic, compliance is nothing more than proof that you implemented effective controls to ensure good data security and data privacy. That’s it in a nutshell. If you have a good security program — one that is consistent and effective — then passing compliance takes time, but it is not otherwise particularly difficult. The trouble is that many, many organizations do the very least possible that they can do when it comes to security and privacy, and so there needs to be a great deal of effort spent to incentivize them to do it correctly.

Sure, it is entirely possible to approach compliance in a checklist kind of way, where each control is considered in total isolation, and the least possible effort is applied without consideration for any other control. This is the path of failure, and it is the reason why so many organizations which are “compliant” with some standard still get breached by failing basic security hygiene.

Compliance Advantages

Being subject to industry or regulatory compliance affords you, as a security practitioner, an advantage that few other circumstances do: significant, external business pressure.

To leverage it effectively, you will need to do the following:

  1. Keep your eye on the big picture
  2. Understand that compliance exists to obtain proof and validation
  3. Recognize that you have some financial opportunities
  4. Consider workflow and automation improvements
  5. Focus on visibility

1. The Big Picture

The first step to leveraging compliance is to look at it holistically, and not just as a set of disparate controls to be addressed in as shallow a manner as possible. In evaluating any compliance framework, be sure to think long and hard about how all the parts are going to work together. Proper interaction and integration are key to overall success.

Also, since most organizations need to comply with more than one standard, take some time to look at all of the relevant compliance frameworks collectively. Seek to understand what the controls are designed to accomplish, so that you can propose and implement solutions that satisfy multiple controls broadly, across multiple frameworks. Don’t miss the forest for the trees.

For example, consider the “Access Control (AC)” or “Audit and Accountability (AU)” control families from NIST SP 800-53. What are these controls intended to validate or verify? That is what your infrastructure and your applications need to be able to implement and support. If you focus on just implementing dozens of controls in the easiest way possible, a lot of time and/or money will be spent without necessarily gaining much security or privacy.

2. Proof, Not Purpose

Compliance is designed to prove that you have things in place to mitigate your business risks. Compliance is not itself the end-game, although many organizations behave as though it is. Instead, its purpose is to help you objectively validate your true security posture.

If your environment has good access controls in place, this should be provable by the logs that are generated and managed from the infrastructure and the applications. If there is no proof, then the security you believe you have doesn’t really exist.

Because proof is the objective, auditing is critical, as this is the means by which we prove that what we say we are doing is actually being done. Auditing provides additional benefits, such as allowing us to see when unanticipated activities have taken place, and for how long.

Nothing compounds a potential breach more than insufficient logging and auditing. With poor or inadequate logging and auditing, it is difficult, if not impossible, to determine when an attack took place, what its full scope was, how long it continued, and what weakness was exploited.

3. The Financials

The best part of most compliance initiatives is that organizations don’t really have a choice. In order to operate in certain markets, or engage certain customers, they need to adhere to one or more compliance standards. As a security practitioner, you should be grateful for this, because you’d have even less of a budget to resolve security and privacy issues were it not for this persistent external business pressure.

If you are taking the big picture approach, you can more easily test, evaluate, and recommend solutions that address your actual security posture concerns, and thus cover as many controls as possible. This approach will cost far less in the long run (and often even in the short run), because you won’t have to try to tie together a dozen poorly thought out “point” solutions that cannot be easily integrated or managed.

4. Workflow and Organization

Undergoing a compliance initiative offers an opportunity to change the way some activities are performed in an organization, not only to implement better security, but sometimes to improve productivity. It is not often that security and productivity are directly aligned, but when it happens, taking advantage of this will help to offset the many compliance-related complaints that you will otherwise be subjected to.

Automate, automate, automate. The more you can leverage tools to manage the workflow in your organization for sensitive or error-prone activities, the more you can reduce the security risks and get the processing to move along more smoothly. Many business processes are tied to archaic workflow, and are just plain cumbersome and insecure. Streamline these for the win.

Improving your workflow helps to reduce expenses. For instance, automating vulnerability scanning within the development process will save lots of time and money versus releasing buggy code into the wild and then trying to scan and remediate it.

5. Visibility

Even with a robust compliance program, you will never be given an unlimited budget that can be used to solve every operational security or privacy weakness. Therefore, you need to make sure you focus on obtaining as much visibility of the environment as possible.

Tools that help you see network flow, user access and behavior, and application flow will be invaluable in allowing you to deal with ever-changing threats. If you have to make a choice between a tool that protects and a tool that reveals, understand that the visibility tool will be effective for much longer and will help you adapt as threats change. You cannot manage what you cannot see, so you must prioritize deploying tools that grant or improve visibility to stay ahead of the risks and threats your organization faces.

In Summary

Take advantage of the compliance efforts that your company already has to endure to implement solutions (technologies and processes) that provide direct security benefits in a way that you can prove by matching against well-known controls. That’s what compliance is, and as long as you understand that dynamic, you can be much more successful than if you succumb to just doing the bare minimum in an uncoordinated and ad hoc fashion.
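The “Proof, Not Purpose” section above argues that access control is only as real as the logs that evidence it, and that a silent log is what makes a breach impossible to scope. The following PowerShell is an added illustration from the newsletter editor, not code from the guest editorial: it pulls logon evidence (Security event IDs 4624 and 4625) from a list of servers and reports any server that has produced no events, or has gone silent for longer than an allowed window. It assumes the caller can read the remote Security log over WinRM/RPC and that the “Audit Logon” advanced audit policy is enabled; the server names, timestamps and sample events are constructed.

```powershell
# Added example: turn "access control should be provable from the logs" into a check.
# Assumptions: remote Security log is readable, Audit Logon policy enabled,
# and the server names below are made up.

function Get-LogonEvidence {
    # Collect successful (4624) and failed (4625) logon events from each server.
    param(
        [Parameter(Mandatory)][string[]]$Servers,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($s in $Servers) {
        try {
            Get-WinEvent -ComputerName $s -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4624, 4625
                StartTime = $Since
            } | Select-Object @{ n = 'ComputerName'; e = { $s } }, Id, TimeCreated
        }
        catch {
            # Get-WinEvent throws when nothing matches or the host is unreachable;
            # either way that server surfaces below as NO_EVENTS, which is the finding.
            Write-Warning "$s : $($_.Exception.Message)"
        }
    }
}

function Test-AuditCoverage {
    # For each expected server, report OK, GAP (silent too long) or NO_EVENTS.
    param(
        [Parameter(Mandatory)][object[]]$Events,    # objects with ComputerName, Id, TimeCreated
        [Parameter(Mandatory)][string[]]$Servers,
        [timespan]$MaxSilence = [timespan]::FromHours(24),
        [datetime]$Now = (Get-Date)
    )
    foreach ($s in $Servers) {
        $mine = @($Events | Where-Object ComputerName -eq $s | Sort-Object TimeCreated)
        if ($mine.Count -eq 0) {
            [pscustomobject]@{ Server = $s; Status = 'NO_EVENTS'; LastEvent = $null; Silence = $null; Failed = 0 }
            continue
        }
        $last    = $mine[-1].TimeCreated
        $silence = $Now - $last
        $status  = if ($silence -gt $MaxSilence) { 'GAP' } else { 'OK' }
        [pscustomobject]@{
            Server    = $s
            Status    = $status
            LastEvent = $last
            Silence   = $silence
            Failed    = @($mine | Where-Object Id -eq 4625).Count
        }
    }
}

# Constructed sample run (no network needed). Against a real estate, replace
# $sample with:  $sample = Get-LogonEvidence -Servers $servers
$now     = Get-Date '2020-12-14 09:00'
$servers = 'FS01', 'DC01', 'APP01'
$sample  = @(
    [pscustomobject]@{ ComputerName = 'FS01'; Id = 4624; TimeCreated = $now.AddMinutes(-30) }
    [pscustomobject]@{ ComputerName = 'FS01'; Id = 4625; TimeCreated = $now.AddMinutes(-45) }
    [pscustomobject]@{ ComputerName = 'DC01'; Id = 4624; TimeCreated = $now.AddDays(-3) }
)
Test-AuditCoverage -Events $sample -Servers $servers -Now $now | Format-Table -AutoSize
```

In the constructed sample, FS01 is reported as OK with one failed logon, DC01 as a GAP because its last event is three days old, and APP01 as NO_EVENTS because nothing was collected from it. The last two are the cases the editorial warns about: a server that is supposedly under access control but for which no proof exists. Scheduling a run like this and filing the output is the kind of artifact an auditor can accept for AU-family controls, and it catches broken log forwarding or disabled audit policy long before an incident does.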

Got more thoughts about anything in this newsletter?

Email us at [email protected]!

Tell all your friends about WServerNews!

Please let all your friends and colleagues in the IT profession know about our newsletter. Tell them our latest issues can be found at wservernews.com while older issues dating back to 1997 can be found in our archive. And let them know also that they can receive WServerNews each week in their inbox by subscribing to it here. Thank you!

 

Tip of the Week

>> Got any IT pro tips you’d like to share with other readers of our newsletter? Email us at [email protected]

Ensuring static IP addresses remain static

A colleague clued me in on this story which he read on a list somewhere. A sysadmin upgraded all the Win10 PCs at the workplace he managed to the Win10 20H2 release and discovered that several that had previously been assigned static IP addresses had suddenly switched to using DHCP, which caused connection problems for these machines. Apparently the issue occurred because 20H2 included new device drivers for the network adapters on the affected PCs. The procedure to prevent this kind of thing from happening in the future is (I’ve been told) to always create DHCP reservations for any hosts on your network that have static IP addresses assigned to them.
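The tip’s advice, put into PowerShell against a Windows DHCP server, as an added example that is not part of the tip or its original source. It assumes the DhcpServer module (RSAT: DHCP Server Tools) is installed on the machine running it and that the caller is a DHCP administrator; the server name, scope, hostnames, addresses and MACs are made up. The point of the checks is that a reservation only protects you if it points at the right adapter and does not collide with an address some other client already holds.

```powershell
# Added example: pin hosts that are meant to keep a fixed address as DHCP
# reservations, so a driver or OS change that flips an adapter back to DHCP
# still yields the same address (and the server never hands it to anyone else).
# Assumptions: DhcpServer module present, DHCP admin rights, and every value
# below (server, scope, hosts, MACs) is constructed for the example.

$DhcpServer = 'dhcp01.corp.example'   # assumed DHCP server
$ScopeId    = '192.168.10.0'          # assumed scope; reserved IPs must fall inside its range

# Constructed inventory: hostname, intended IPv4 address, adapter MAC
$StaticHosts = @(
    @{ Name = 'fs01';   IP = '192.168.10.20'; Mac = '00:15:5D:01:02:03' }
    @{ Name = 'print1'; IP = '192.168.10.40'; Mac = '00-15-5D-04-05-06' }
)

function Set-StaticHostReservation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ScopeId,
        [Parameter(Mandatory)][hashtable[]]$Hosts
    )
    $existing = Get-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $ScopeId
    foreach ($h in $Hosts) {
        # Add-DhcpServerv4Reservation expects the client ID as AA-BB-CC-DD-EE-FF
        $clientId = ($h.Mac -replace '[:.]', '-').ToUpper()

        # Already reserved? Make sure it is reserved for the adapter we expect.
        $hit = $existing | Where-Object { "$($_.IPAddress)" -eq $h.IP }
        if ($hit) {
            if ($hit.ClientId -ne $clientId) {
                Write-Warning "$($h.IP) is reserved for $($hit.ClientId), not $clientId; fix the inventory or the reservation"
            } else {
                Write-Verbose "$($h.Name): reservation already present"
            }
            continue
        }

        # Refuse to reserve an address that a different client currently leases.
        $lease = Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $ScopeId -IPAddress $h.IP -ErrorAction SilentlyContinue
        if ($lease -and $lease.ClientId -ne $clientId) {
            Write-Warning "$($h.IP) is currently leased to $($lease.ClientId); skipping $($h.Name)"
            continue
        }

        Add-DhcpServerv4Reservation -ComputerName $ComputerName -ScopeId $ScopeId `
            -IPAddress $h.IP -ClientId $clientId -Name $h.Name `
            -Description 'Pinned static host' -Type Both
        Write-Output "$($h.Name): reserved $($h.IP) for $clientId"
    }
}

Set-StaticHostReservation -ComputerName $DhcpServer -ScopeId $ScopeId -Hosts $StaticHosts -Verbose
```

Two caveats worth stating. The reservation does not change anything on the host; it only guarantees that if the host ever does fall back to DHCP it receives the address it was configured with. And the MAC in the inventory has to be the MAC of the adapter that will actually ask for a lease, so collect it from the host (for example with Get-NetAdapter) rather than from memory.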

 

Admin Toolbox

>> Got any admin tools or software you’d like to recommend to our readers? Email us at [email protected]

Does your company need to meet compliance requirements? If so, you should consider having a look at email archiving to keep your emails available and retrievable in the long run. We recommend MailStore Server:

http://www.mailstore.com

AOMEI Backupper Standard is the top free backup & restore software with a friendly GUI:

https://www.aomeitech.com/aomei-backupper.html

Dns Lock is a tiny free tool which prevents malware from modifying your IPv4 DNS server addresses:

http://www.downloadcrew.com/article/34620-dns_lock

WifiHistoryView is a portable tool which displays a history of your system’s connections to/ disconnections from wireless networks:

http://www.downloadcrew.com/article/33994-wifihistoryview

 

Factoid – Old computer manuals never disappear, they just turn yellow with age

Our previous factoid and question was this:

Fact: There are good arguments for cancelling your Netflix subscription

Question: During these difficult times of the pandemic, has Netflix been helpful stress release or has it become an unhealthy addiction for you?

We didn’t receive any responses this time, perhaps because our readers are so stressed out they’re watching Netflix when they should be reading our newsletter 😉

Anyways, let’s move on to this week’s factoid:

Fact: Researchers have found the manual for the world’s oldest surviving computer

Source: https://www.engadget.com/oldest-computer-manual-zuse-z4-161214346.html

Question: What’s the oldest computer manual (hardware or software) that you still have kicking around your home or workplace?

Email your answers to [email protected]

 

Subscribe to WServerNews!

Subscribe today to our WServerNews newsletter and join 200,000 other IT professionals around the world who receive our newsletter each week! Just go to this page and select WServerNews to receive our weekly newsletter in your inbox!

 

Conference Calendar 2021

>> Got an IT conference or event happening that you’d like to promote in our newsletter? Email us at [email protected]

NOTE: Conference dates and locations (real/virtual) are subject to change

Microsoft Ignite — March TBD (virtual)

https://myignite.microsoft.com/home

Microsoft MVP Global Summit — March TBD (virtual)

https://mvp.microsoft.com/summit

Black Hat Asia — May 4-7 (location TBD)

https://www.blackhat.com/upcoming.html#asia

RSA Conference — May 17-20 in San Francisco

https://www.rsaconference.com/usa

Black Hat USA — Jul. 31-Aug. 3 in Las Vegas

https://www.blackhat.com/upcoming.html#usa

DEF CON 29 — Aug. 5-8 in Las Vegas

https://www.defcon.org/

VMworld — Aug 30-Sept 1 in San Francisco

https://www.vmworld.com/en/index.html

Black Hat Europe – Dec 7-10 (virtual)

https://www.blackhat.com/upcoming.html#europe

Cisco Live Melbourne — Dec 7-10 in Melbourne, Australia

https://www.ciscolive.com/apjc.html

 

Podcast Corner

Our Podcast Corner section will return next issue!

 

New on Techgenix.com

Adding a Windows file server to System Center Virtual Machine Manager

Here’s how to create an SMB file share on a Windows file server, and then bring that file share under management within VMM.

https://techgenix.com/adding-a-windows-file-server/

Azure DevOps service connections: How to set them up and use them

Want to make managing RBAC permissions at the subscription/management group level a breeze? Start using Azure DevOps service connections.

https://techgenix.com/azure-devops-service-connections/

Microsoft 365 administration: Get your SharePoint settings right

An important part of Microsoft 365 administration is configuring SharePoint. Getting these settings right will give you a solid foundation to build on.

https://techgenix.com/microsoft-365-administration-sharepoint/

Azure security: Building a secure subscription with Azure DevOps

Creating a resource group with some essential components for your security team will be a big boost to your Azure environment. Here’s how to do it.

https://techgenix.com/azure-security-with-azure-devops/

Microsoft 365 sensitivity labels: Everything you need to know

Sensitivity labels are becoming a major part of the Microsoft 365 platform. This step-by-step guide shows you how to create them and use them.

https://techgenix.com/microsoft-365-sensitivity-labels/

 

Fun videos from Flixxy

Hilarious Holiday Feast – 13 Dogs And A Cat

13 dogs and a cat sit down at the dinner table for a most hilarious Holiday feast.

https://www.flixxy.com/hilarious-holiday-feast-13-dogs-and-a-cat.htm

Dogs Decorating A Christmas Tree

The coolest video of dogs decorating a Christmas tree.

https://www.flixxy.com/dogs-christmas-tree-decoration.htm

Snow Dogs

In the wintery woods, a descendant of wolves is really in its element, remembers its roots, and gives in to its most basic of instincts … to GO WILD!

https://www.flixxy.com/snow-dogs.htm

Why E-Mail Was Invented – Dogs vs. Mail Compilation

Dogs vs. mail – this is one of the reasons why email was invented.

https://www.flixxy.com/why-e-mail-was-invented-dogs-vs-mail-compilation.htm

 

More articles of interest

Just what can AI in IT operations accomplish?

How should the ‘AI’ in ‘AIOps’ work? The idea is for it to identify and solve problems in ways similar to how the human mind would — except faster and without prompting.

https://searchitoperations.techtarget.com/feature/Just-what-can-AI-in-IT-operations-accomplish?Offer=Content_Partner_OTHR-_2020September04_TG_A1

How to evaluate VDI storage requirements

There are a variety of factors that affect VDI storage, including system requirements and supported workloads. Evaluate these factors to ease the VDI planning process.

https://searchvirtualdesktop.techtarget.com/tip/How-to-evaluate-VDI-storage-requirements?Offer=Content_Partner_OTHR-_2020September04_TG_A2

Securing Active Directory also involves good backup practices

The ‘Active Directory Administration Cookbook’ covers what admins can do in advance to bring the identity and access management platform back online after an attack.

https://searchwindowsserver.techtarget.com/feature/Securing-Active-Directory-also-involves-good-backup-practices?Offer=Content_Partner_OTHR-_2020September04_TG_A3

ISO and FFIEC business continuity standards compared

Global standards aid the process of creating and updating a business continuity plan. The requirements of two popular standards can ensure that your BC team doesn’t miss any steps.

https://searchdisasterrecovery.techtarget.com/tip/ISO-and-FFIEC-business-continuity-standards-compared?Offer=Content_Partner_OTHR-_2020September04_TG_A4

 

Send us your feedback!

Got feedback about anything in this issue of WServerNews? Email us at [email protected]
