ITS 3250 - Securing Systems

Week 9: Input from Other Instructors
Matt Hansel

This lesson explores input to the course from another Baker instructor.

Concepts:

I asked Matt Hansel for some input for this course. I sent him a copy of our topic list, and these are some of his thoughts:

  • In regards to the multiple OS and securing systems, something that should be explored are Windows Embedded systems. In particular, those Windows Embedded systems that are still running XP, but that connect to a server for their files. The scenario would be CNC machines that are EXPENSIVE to replace, but need access to the server for their machining files. They need to also be able to share files with other CNC machines that are running Windows 7 Embedded or Windows 7/8/8.1./10.

    Matt has some good points here, and we can research the concepts.

  • Another avenue could be to research and get to know antivirus products that are managed through the cloud. Several of my customers use Symantec Endpoint Protection Cloud and others are using TrendMicro WorryFree Services - both of which are cloud based and managed. Symantec offers a GPO based installation routine. But what about those systems that are out in the field that need to have the system installed? For example, let’s say a new field person gets a laptop delivered to them but the antivirus solution is NOT installed (it happens). How would you push the new software out? Do you use the email the link feature? What about managing licenses - as computers are added and removed? My customers typically order the minimum licenses, but then want to add 5 machines for a new job? How do you manage making sure the customer has the proper amount of licenses for their devices, with room to grow, but also have the ability to reduce it based on short jobs, etc.?

    Matt brings up many logistical concerns, making it necessary to explore options that are affordable as well as effective.

  • Encryption is another important topic - particularly in the health services. My customers use AppRiver CypherPost (secure email) for sending secure attachments. Are their other options? What about encrypting data on a server? Is it necessary? Does it cause issues with usability by other people on the network? Should you only encrypt mobile devices?

    We explored a couple of things the State of Michigan is doing with encryption. Class members and Matt have proposed other solutions. We can revisit these ideas to consider his questions.

  • Remote access is typically a no-no for being PCI compliant (in regards to credit cards). My customers that accept credit cards have to run PCI audits and they get flagged any time remote access is identified on the server or the computer hosting the gateway to the clearinghouse. How do you provide remote access to the client without compromising security?

    I will observe that this sort of connection is SOP for some businesses. Earlier this fall, I was at a Renaissance fair and happened to buy a few things from vendors. One vendor has a regular location in Louisiana, but seems to do much of their business across the Internet from Renaissance fairs throughout the summer and fall months. As such, they are regularly mobile, connecting to their "home" system remotely for every transaction.

Current Events:

What have you seen in trusted channels lately? Anything else on Equifax? Any more information on KRACK? PC World, Forbes, Wired, Ars Technica, and our friend Brian Krebs have written about it.


Assignments

This week, we can discuss some of Matt Hansel's points in class and pick a couple to address.