Is XYZ considered secure?
-
Spinoff from the iPad 2 thread.
Looking at HIPAA, SOX, PCI DSS etc. Assuming a device is considered insecure when it is not getting security updates makes sense.
But how do we know when the manufacturer doesn't expect to supply security updates? Unless they explicitly say it's not supported?
Also looking at an OS like Windows 7, you can still get Windows 7 Extended Security Updates. That means three years of additional updates, so 2020, 2021 and 2022. So if you have bought ESU I assume Windows 7 is still secure?
Also does that rule apply to all kinds of devices involved?
How about devices that are primarily considered hardware:
- switches (firmware updates)
- server (BIOS, IPMI updates)
- CPU (microcode updates)
- NICs (firmware)
- RAID controllers (firmware)
- disk drives (firmware)
- etc.
Do the same rules apply?
-
@pete-s said in Is it XYZ considered secure?:
So if you have bought ESU I assume Windows 7 is still secure?
If the only criterion for "Secure" is that it is receiving updates? Then yes. I know that is one of the criteria for some of those compliance acronyms.
-
@pete-s said in Is it XYZ considered secure?:
Also does that rule apply to all kinds of devices involved?
It applies to the user's operating system.
-
@pete-s said in Is it XYZ considered secure?:
How about devices that are primarily considered hardware:
Not under the criteria about the OS, no. Under other criteria in the compliance? Maybe.
-
@jaredbusch said in Is XYZ considered secure?:
@pete-s said in Is XYZ considered secure?:
How about devices that are primarily considered hardware:
Not under the criteria about the OS, no. Under other criteria in the compliance? Maybe.
Yes, I was thinking in terms of security compliance. Under whatever acronym applicable.
Don't know enough about it so my questions are perhaps not framed properly.
-
@pete-s said in Is XYZ considered secure?:
@jaredbusch said in Is XYZ considered secure?:
@pete-s said in Is XYZ considered secure?:
How about devices that are primarily considered hardware:
Not under the criteria about the OS, no. Under other criteria in the compliance? Maybe.
Yes, I was thinking in terms of security compliance. Under whatever acronym applicable.
Don't know enough about it so my questions are perhaps not framed properly.
Right, it simply depends on what each compliance requires.
-
@jaredbusch said in Is XYZ considered secure?:
@pete-s said in Is it XYZ considered secure?:
So if you have bought ESU I assume Windows 7 is still secure?
If the only criterion for "Secure" is that it is receiving updates? Then yes. I know that is one of the criteria for some of those compliance acronyms.
Right. This never applies to security, but if we are only talking compliance, then sure.
This isn't a security question. It's a compliance one. The frameworks you mention are not security frameworks, just compliance. They have meaningless checkboxes like this.
Windows 7 is still getting security updates under some circumstances. That doesn't make it as secure as some things that are not getting updates. The "must update" is a meaningless, but relatively easy to verify, false proxy for what they are marketing the compliance to be for.
-
@scottalanmiller said in Is XYZ considered secure?:
@jaredbusch said in Is XYZ considered secure?:
@pete-s said in Is it XYZ considered secure?:
So if you have bought ESU I assume Windows 7 is still secure?
If the only criterion for "Secure" is that it is receiving updates? Then yes. I know that is one of the criteria for some of those compliance acronyms.
Right. This never applies to security, but if we are only talking compliance, then sure.
This isn't a security question. It's a compliance one. The frameworks you mention are not security frameworks, just compliance. They have meaningless checkboxes like this.
Windows 7 is still getting security updates under some circumstances. That doesn't make it as secure as some things that are not getting updates. The "must update" is a meaningless, but relatively easy to verify, false proxy for what they are marketing the compliance to be for.
But if compliance is required, don't you have to abide and make decisions based on both real security as well as compliance?
Found this:
-
@pete-s said in Is XYZ considered secure?:
But if compliance is required, don't you have to abide and make decisions based on both real security as well as compliance?
Nothing makes you abide by good security other than the risk of being sued over it. So no, you don't have to abide by both. Is it best to? Sure, of course, if you value your company.