I’m researching security standards, frameworks, models, and benchmarks(confused?). Let me be honest I’m not a guru to these security standards, but I’m curious, and this is where it all begins! So please feel free to correct me in the comment section below if I’m going off track.
I have worked with Device Management and a UEM Microsoft Endpoint Manager Intune. To keep this simple and for a future YouTube video, I want to focus on Windows 10 and security frameworks with NIST, CIS, and Zero-Trust by Microsoft and see where it overlaps or where I give up?
Note; I agree that only focusing on Windows 10 security with frameworks is a little small-minded but remember this is to give me a better understanding.
What is a Security framework?
Without me trying to come up with some self translated understanding for a Security framework, I’m just going to google it and found the following from “techslang.”
A security framework is a compilation of state-mandated and international cybersecurity policies and processes to protect critical infrastructure. It includes precise instructions for companies to handle the personal information stored in systems to ensure their decreased vulnerability to security-related risks. Since a security framework has proven useful to entire industries, many, if not all, organizations strive to adhere to their mandates when crafting security guidelines for their networks.
- National Institute of Standards and Technology calls it “NIST Cybersecurity Framework 800-53 rev. 5” (no particular product in mind)
- Center for Internet Security calls it “CIS Security Controls v8” (no specific product in mind)
- Microsoft calls it a “Zero-Trust Strategy” (Primary Microsoft tech)
Let us dig into all 3 (will be three different articles, this is the first)
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness.
The standard is mandatory for federal information systems, organizations, and agencies. Any organization that works with the federal government must comply with NIST 800-53 to maintain the relationship.
NIST is a lot more than a cybersecurity framework. They have investigated the world trade center collapse. I can strongly recommend you read their Wikipedia. I understand that this framework is left to you and me to fit their wording into something we see fit. I also see many articles mapping CIS standards to NIST, which makes sense since CIS is more prescriptive.
NIST Cyber Security Framework was built as follows:
- Core functions (analogous to CIS Control levels)
- Implementation tiers (analogous to CIS implementation groups)
- Institutional profiles, for customizing a company’s implementation plan
After some research, I found out that NIST has made a “less” detailed document which should be easier to implement called “SP 800-171 Rev. 2” – SP standards for Special Publication. I also see that FIPS(Federal Information Processing Standards) is being mentioned, which NIST also develops 🤯(my brain hurts now)
Okay, okay, back to the “SP 800-171 Rev.2”
Any Windows 10 security recommendations?
The short answer is no. By now, you should understand that the NIST CSF will not give us any specific recommendations but only tell us to encrypt our data or enable protection for our devices. I tried to search for windows and was mentioned 0 times but workstations(11) and notebook(10).
If we open the special publication, we can see that under “3.4.1,” it says:
If you see under “DISCUSSION,” this also validates that NIST CSF is for us to translate into something more prescriptive. But tells us that we need a Baseline configuration of “workstations, notebook computers” (closes we will get to Windows 10).
We need a baseline configuration for Windows 10 and future builds. A baseline should be documented, formally reviewed, and agreed upon. It should include system components like
- Software packages installed, current version number, update, patch information on OS and Applications, (Intune, WUfB(Update compliance), Microsoft Defender for Endpoint)
- Configurations settings and parameters (can be done with Intune)
- Logical placement of components (which is inside Intune)
So nothing will tell us what to configure within Intune for Windows 10 Security, but it gave me a good understanding that we need a baseline configuration for Windows 10+.
The following article will dig into “Center for Internet Security (CIS) Controls.”