Automox is a cross platform patch and configuration management solution. This thing is awesome. We patched an Ubuntu workstation and 3 Windows 10 systems. We even installed notepad++ on a couple of Windows 10 systems. All this was done from Automox.

The first three critical security controls might seem simple, but they’re not. For those that have a hand full of devices, they can be simple. For those that have more than a hand full, they can be difficult to implement.

As the title says, we’ve come up with a security program that works for everyone. For some, this is it. For others, this is a place to start.

We’re basing this on the first three CIS controls. We’re also using the new implementation groups in version 7.1. These implementation groups are awesome. Total game changer.

Time to take a look at our Virtualization options. It’s a choice between Proxmox or ESXi.We don’t need anything fancy. We’re simple people. We still need to test them to make sure they work. Before we can test anything, we need to clean up the network. This time we have a network design that works.

Time to clean up the network. Not as simple as I thought it would be. We talk about the issues I had and the changes I made. We can’t do any testing until the network is cleaned up.

We figured out two step verification. Well, sort of. At least we know the difference between two factor authentication and two step verification. Sometimes all it takes is a quick review of the options.

CORRECTION

In this episode I said Paul Asadoorian works for Black Hills Infosec. Apparently he doesn’t. He’s got his own thing going on.

We’re working on a better process for securely accessing our Gmail or Google account. We’ve got 2-step verification with our phone. That works great, but now we have a new problem. What happens when we lose our phone? How do we access our Gmail?

We just learned that we’re paying too much for our DigitalOcean servers. Unfortunately there’s no simple fix. These are authoritative DNS servers for section9.us. We can’t just delete them and create new, cheaper versions. Changes to complex, interconnected systems require a bit of planning.

Time to start our own business, or at least give it a try. Dorothy & I talk about building services and solutions around the first three critical security controls. This includes possible solutions for hardware inventory, software inventory, vulnerability management and patch management.

We take a look at the risk assessment process. What is a risk assessment? How Does it reduce risk? We’re using a NIST risk assessment process. It can be long and complicated. We also do a quick risk assessment on two factor authentication. Once you understand risk assessments, they don’t have to be long and complicated.

Now that we know what some of our risks are, we can begin plugging the holes.