I’ve received a few questions lately about what you should do if we don’t have EUD guidance available for the latest version of the platform you are deploying in your organisation. This post discusses why this might happen, and what you can do about it.
Getting faster at publishing
At the NCSC, we’ve been developing the EUD guidance portfolio for over 5 years now, and we think we’ve been doing pretty well recently at getting through our testing quickly in order to produce guidance for the latest versions of platforms soon after they’re released. Of course, we’re far from perfect and we’ve been working to improve too. One thing we’ve started doing is to look at pre-release versions of platforms to get a head start on the testing, and because most platforms’ security features have stabilised of late, there are fewer changes needed between guidance versions, so we can get them out faster.
However, there’s always going to be a short period of time between a new product version coming out and guidance being available for that version, and some of you will want to deploy that version in the interim. In some cases, where the platform updates several times a year (Chrome OS, for example), we may not even publish guidance for that update. As a result, we often get asked what best practice is in these situations, and so I thought I’d take this opportunity to go over some guiding principles to follow in this case:
- Don’t hold back on deploying the latest version of a platform because guidance isn’t available. There has never been a case where we have added more risks to a newer version of a platform’s guidance document, and often we reduce or remove risks as the security features mature. You’re almost guaranteed to have the lowest-risk deployment by using the latest version. In addition, whilst many platform vendors support several versions of their platforms at once (so you’ll receive security fixes for them), you won’t necessarily receive the latest security features, which offer defence in depth against the latest threats.
- Check the EUD guidance for any incompatibilities there might be between the latest version of a product and the previous version of the guidance. Whilst we’ve never had to do this before, if our preliminary testing reveals anything in the new version that conflicts with the current guidance, we’ll amend the previous version of the guidance, adding a line to the top of it that advises of the incompatibilities.
- Deploy the latest version of the platform using the latest available version of the guidance, then – when the guidance becomes available – check the release notes in our blogs for the latest changes to be aware of. For the last few releases we’ve been using blogs to highlight key changes to be aware of so that you can quickly assess any changes you want to make going forwards, and we’ll continue to do this. We’ve never made sweeping architectural changes between different versions of our guidance – it’s generally tweaks to a few group policies or MDM settings – so updating your configuration would normally be a simple tweak to some settings rather than extensive changes, and this approach saves you rolling out a whole new platform version shortly afterwards.
- Do ask us if you are concerned about any ‘gotchas’ or issues you may have heard of from other sources, or you’re deploying straight away after a platform release date (and so we might not have had time to publish any incompatibility details). The best way of getting in touch is via the Contact Us page, and we’ll respond as quickly as we can.
Hopefully this should give you some confidence to deploy the most up-to-date version of your chosen platform(s). Of course, we’ll continue to try to speed up the guidance publication process too, but in the interim the steps above should help you out. As always, drop any comments or questions below.
Andy P
EUD Security Research Lead
Source: National Cyber Security Centre