This document is focused on securing workstation computers that are used to access or manage Big Picture software applications. This can be a desktop, laptop, tablet, or smartphone.
This does not deal with the hosting environment (servers and network) or application security.
A risk-and-controls paradigm is used, which parallels SAS 70 document formats.
Security comes in varying degrees, and it should be best-suited for the situation.
Employ best practices for network protection (firewall), and computer protection (browser link checker, anti-virus).
Use strong passwords. Change them more frequently than...never.
We’ll frequently use the analogy of securing a physical building. This scenario is familiar to people due to experience and popular culture.
A building can be made more secure by keeping bad people from doing bad things. This involves keeping bad people out, as well as limiting what bad people can do if they do enter the building.
Similarly, computer security involves keeping bad people and software agents out, as well as mitigating the damage they can do if they do enter your network or computer.
One challenge is balancing the need for greater security, limited budgets, and the need to let the allowed people to use resources without undue difficulty.
Security is not a binary proposition: it’s not just on, or off, good, or bad. It must be regarded on a continuum and the context of the situation.
For instance, if your family locks their doors at night and employs a security alarm, how would you answer the question, “Is your home secure?” You might say, “yes,” but how would you answer after it gets burgled while the alarm is off during a Saturday afternoon, while people are in the home? Or after a malfant kicks in the front door at night, setting off the alarm, but easily gaining entry to the home? Or if a mid-level burglar is able to disable the alarm?
Clearly in those circumstances, the home was not secure enough. This leads us to an important perspective: having enough security.
The risks and ramifications of security breaches must be weighed against the expense and effort of additional security. For instance, in a relatively safe neighborhood, for a $200,000 house without any obvious social or financial targets, it may be reasonable to spend a few thousand dollars on security, but not $100,000. Whereas a $5M home may deserve more expensive security. A home in a dangerous neighborhood might employ bars on windows and stronger doors: although the home is a $200k one, the environmental risk is much greater. And a bank will employ much greater security: the greater budget, the fact that it’s a common target for attacks, and the ramifications warrant a larger budget and more onerous practices.
The workstation network is the computer network that is local to that computer. This includes:
The network is the fabric that separates the computer workstation from the public and unsecure internet.
Different types of software communicate over the internet on different ports, which are usually reserved for that type of activity, or protocol. For instance, File Transfer Protocol uses port 21, and most public websites use port 80.
Leaving ports open for protocols that you are not using is dangerous. Analogously, leaving doors to your building needlessly unlocked presents a risk.
Use a hardware or software-based firewall to lock down ports that you don’t need open. For instance, Windows now comes with a software firewall. When the computer is in the office or home environment, it might be more permissive with more local networking ports left open, so that local computers can share with each other. In a public environment, such as a coffee shop, the computer is on a public network, where greater security is employed.
Denial of Service attacks, etc.
A software firewall protects an individual computer. A hardware firewall can protect all the computers inside the network, and may exist as a separate device from the other networking gear, or it may be part of the network switch or WiFi router.
The ubiquity of WiFi networks presents a greater risk. The benefit of WiFi, easy network connections, is also the risk. People may connect via a public network, such as a coffee house or an airport. One’s home WiFi network is broadcast to the streets and nearby homes.
Many people do not employ best practices for WiFi security: their network is visible and accessible to anyone without a password.
Aside from network security, the workstation itself can present many vulnerabilities to hackers.
When your computer gets infected with a virus or trojan software, that malicious software can have the same permissions and powers as you, the user. After an infection, the following bad things can occur:
Any malicious program you put on your machine gives it full rights to do whatever it wants. Malicious software can be part of another program, like a music file sharing program.
Only download from safe, trusted sources. Check for other sources for a file, and make sure the filesize and date stamp match up.
Software, network, and anti-virus software is moot, if the “keys to the kingdom” are handed to a hacker with a bad password.
Example of bad passwords: You are the director of the South Dakota Association of Basket Weavers, and your website is SDABW.org, and your name is Mark Greenwood:
We have another document on password best practices we’ll link to here.
Log out when not in use. Don’t store password in browser.
The software on your computers can be a point of entry to malicious activity. The very features that make software apps function and provide easy accessibility to users, can also be co-opted to work against users.
Every day, new vulnerabilities are discovered by software vendors and security firms. It’s a constant battle between them and hackers. Your anti-virus, operating system, productivity apps, games, and other software can have holes in security.
Keep software updated. Automatic updates can patch holes as they’re discovered, unattended.
Related to Download best practices, viruses can also be added to your computer via email attachments, thumb drives, etc.
Install anti-virus software to monitor new files that you add to your file system.
Your internal staff and family members can perform malicious activity. Staff can try to access areas they shouldn’t. Family members, such as children, can try to dig into protected files or websites.
Don’t save login info, logout when not in use.