David Hoffman

Workstation Security

About This Document

This document is focused on securing workstation computers that are used to access or manage Big Picture software applications. This can be a desktop, laptop, tablet, or smartphone.
This does not deal with the hosting environment (servers and network) or application security.
A risk-and-controls paradigm is used, which parallels SAS 70 document formats.

Executive Summary

Security comes in varying degrees, and it should be best-suited for the situation.
Employ best practices for network protection (firewall), and computer protection (browser link checker, anti-virus).
Use strong passwords. Change them more frequently than...never.


We’ll frequently use the analogy of securing a physical building. This scenario is familiar to people due to experience and popular culture.

It's Like Securing a Building

A building can be made more secure by keeping bad people from doing bad things. This involves keeping bad people out, as well as limiting what bad people can do if they do enter the building.
Similarly, computer security involves keeping bad people and software agents out, as well as mitigating the damage they can do if they do enter your network or computer.
One challenge is balancing the need for greater security, limited budgets, and the need to let the allowed people to use resources without undue difficulty.

Shades of security

Security is not a binary proposition: it’s not just on, or off, good, or bad. It must be regarded on a continuum and the context of the situation.
For instance, if your family locks their doors at night and employs a security alarm, how would you answer the question, “Is your home secure?” You might say, “yes,” but how would you answer after it gets burgled while the alarm is off during a Saturday afternoon, while people are in the home? Or after a malfant kicks in the front door at night, setting off the alarm, but easily gaining entry to the home? Or if a mid-level burglar is able to disable the alarm?
Clearly in those circumstances, the home was not secure enough. This leads us to an important perspective: having enough security.  

Enough Security

The risks and ramifications of security breaches must be weighed against the expense and effort of additional security. For instance, in a relatively safe neighborhood, for a $200,000 house without any obvious social or financial targets, it may be reasonable to spend a few thousand dollars on security, but not $100,000. Whereas a $5M home may deserve more expensive security. A home in a dangerous neighborhood might employ bars on windows and stronger doors: although the home is a $200k one, the environmental risk is much greater. And a bank will employ much greater security: the greater budget, the fact that it’s a common target for attacks, and the ramifications warrant a larger budget and more onerous practices.

Network Intrusion

The workstation network is the computer network that is local to that computer. This includes:

  • office networks
  • home networks
  • public networks

The network is the fabric that separates the computer workstation from the public and unsecure internet.

Risk: Open ports

Different types of software communicate over the internet on different ports, which are usually reserved for that type of activity, or protocol. For instance, File Transfer Protocol uses port 21, and most public websites use port 80.
Leaving ports open for protocols that you are not using is dangerous. Analogously, leaving doors to your building needlessly unlocked presents a risk.

Control: Firewalls

Use a hardware or software-based firewall to lock down ports that you don’t need open. For instance, Windows now comes with a software firewall. When the computer is in the office or home environment, it might be more permissive with more local networking ports left open, so that local computers can share with each other. In a public environment, such as a coffee shop, the computer is on a public network, where greater security is employed.

Risk: Other Network Vulnerabilities

Denial of Service attacks, etc.

Control: Firewalls

A software firewall protects an individual computer. A hardware firewall can protect all the computers inside the network, and may exist as a separate device from the other networking gear, or it may be part of the network switch or WiFi router.

Risk: WiFi

The ubiquity of WiFi networks presents a greater risk. The benefit of WiFi, easy network connections, is also the risk. People may connect via a public network, such as a coffee house or an airport. One’s home WiFi network is broadcast to the streets and nearby homes.
Many people do not employ best practices for WiFi security: their network is visible and accessible to anyone without a password.

Controls: WiFi Security  

  • Always use encryption and require passwords on your WiFi network.
  • Use caution in public networks, ideally not accessing anything that requires a password (Facebook, email, web applications, etc.)

Computer Security

Aside from network security, the workstation itself can present many vulnerabilities to hackers.
When your computer gets infected with a virus or trojan software, that malicious software can have the same permissions and powers as you, the user. After an infection, the following bad things can occur:

  • A key-logger might get installed, that records all your users’ keystrokes. This will capture passwords, which will be relayed to malicious humans to make use of. This will also capture other secure data, such as SSN, credit card numbers, and other sensitive text.
  • Trojan that degrades performance
  • Computer gets enrolled in a bot-net.

Risk: Downloading malicious software

Any malicious program you put on your machine gives it full rights to do whatever it wants. Malicious software can be part of another program, like a music file sharing program.

Control: Downloads Best Practices

Only download from safe, trusted sources. Check for other sources for a file, and make sure the filesize and date stamp match up.

Control: Anti-virus and other protection

Risk: Passwords

Software, network, and anti-virus software is moot, if the “keys to the kingdom” are handed to a hacker with a bad password.
Example of bad passwords: You are the director of the South Dakota Association of Basket Weavers, and your website is, and your name is Mark Greenwood:

  • south dakota, sdabw, password, mark, greenwood, mgreenwood, markSDABW, dakotamark, sdabwmark, january, lions, cat, chevy, blue, red, basket, association, weaver...

Control: Password Best Practices

We have another document on password best practices we’ll link to here.

Control: Use session Best Practices

Log out when not in use. Don’t store password in browser.

Risk: Software Updates

The software on your computers can be a point of entry to malicious activity. The very features that make software apps function and provide easy accessibility to users, can also be co-opted to work against users.
Every day, new vulnerabilities are discovered by software vendors and security firms. It’s a constant battle between them and hackers. Your anti-virus, operating system, productivity apps, games, and other software can have holes in security.

Control: Software Updates Best Practices

Keep software updated. Automatic updates can patch holes as they’re discovered, unattended.

Risk: Viruses

Related to Download best practices, viruses can also be added to your computer via email attachments, thumb drives, etc.

Control: Anti-Virus Software

Install anti-virus software to monitor new files that you add to your file system.

Control: Be wary of accepting files from untrusted sources.

Internal Malicious Activity

Your internal staff and family members can perform malicious activity. Staff can try to access areas they shouldn’t. Family members, such as children, can try to dig into protected files or websites.

Risk: Hacked Passwords

Control: Password Best Practices

Risk: Retained logins

Control: Use Session Best Practices

Don’t save login info, logout when not in use.