A Whitepaper: Best Practices for Desktop Security
By Michael Johnson CMC '03
The desktop needs security because of its new position in accessing corporate information, both on a wired network, and remotely over VPNs and similar connections. As remote connectivity progresses, more confidential information will be transmitted between desktops and servers, requiring both sides to be immune to intrusion attempts.
Hackers are already trying to break into corporate and home desktops with the intent to cause harm or collect information, targeting these systems because of their historically low levels of protection. Using information stored on the desktop, or even the desktop system itself, hackers can then attack larger, more secure systems.
Break-ins can occur at any weak point of a computer system. The methods used by hackers vary widely, but there are several ways of compromising security that are very common. These ways are Viruses, Trojans, and ‘Active’ Hacking.
Viruses are most commonly used for the purposes of damage, both direct and indirect, and for the thrill of compromising systems. They typically do not send information back to the hacker, but rather compromise as many machines as possible before delivering a pre-programmed payload. Viruses can be used to stage attacks such as DDoS, but because the speed of infection varies, they are unlikely vehicles for this technique. Currently, the most widespread method of infection is through email.
Trojans are better suited for arranging attacks and information gathering. Worms are also used for direct and indirect attacks, but their method of infection is different from that of a Trojan. Trojans are either planted directly by their creator, or run by a user who does not know that the program they are using contains a Trojan. Worms spread by exploiting one or more vulnerabilities in the desktop or computer system they were targeted at. Worms do not need to be executed by a user to infect a machine and propagate; a Trojan must be executed before it can infect a system. Because of their high infection rate, worms are particularly useful to a hacker launching massive attacks on a target.
There is also a separate class of methods used to compromise the security of a system, and that is what could be called ‘Active’ Hacking. Active Hacking is active in that the attack is initiated and carried out by a single individual actively cracking a system, rather than the distributed, automated attack of a virus. Active Hacking includes the interactive exploitation of vulnerabilities, and the use of the human factor.
Before a hacker can begin to exploit a vulnerability, the hacker must know that the targeted system possesses one. The hacker checks for the presence of vulnerabilities (and of systems) with a port scanner. Port scanners are excellent tools for finding holes in a secure configuration, and can be used both to fix the security of a system and to find computers to attack. Port scanning alone does not constitute what this whitepaper classifies as hacking, but it does tell a hacker which services (WWW, FTP, POP, etc.) are running. These services can have vulnerabilities, which the hacker can then begin to exploit. Many of these vulnerabilities are known, and patches that fix them are usually provided once the flaws are known to the software maker.
The other way a hacker actively attacks a system is by using the human factor of computing. In any network, there is always someone who can reassign passwords. A hacker will try to exploit the trust of someone who holds the ability to change passwords, or to acquire the password of a user who has been granted trusted access. This method of hacking is the most used, and also the most difficult to detect. Because the hacker's logons and access attempts succeed with valid credentials, regular security audits cannot distinguish them from legitimate use.
Solutions to combat security breaches
To combat the threat of a virus on the desktop, a system administrator can install a program that scans each executable file for infection every time it is run. These programs are known as antivirus scanners.
What it does
Antivirus scanners are excellent at their primary task of keeping viruses from infecting a system, by scanning for infection attempts and fixing files that have been infected. Antivirus scanners can search for known viruses, for variations of known viruses, and for possible viruses that have not been discovered yet. Because of this last ability there is always a chance of a false positive, but these are very rare.
What it does not do
Antivirus programs will not protect a system against hacking attempts or against vulnerabilities in the operating system or its programs. They cannot protect against a hacker accessing the desktop system using authentic passwords and identification. While these are serious deficiencies, the growing threat and spread of viruses makes antivirus software an important part of a total security plan.
Firewalls combat the threat of hackers attacking the desktop to find and exploit vulnerabilities in the software installed on the system. Firewalls can be either hardware-based or software-based; with either type, the basic mode of operation is similar.
What it does
The main task of a firewall is to accept or deny access to a computer's ports. A firewall accomplishes this through manual configuration or automatic determination. Manual configuration allows a system administrator to decide which ports will be blocked and which left open. A firewall with automatic settings determines on its own which ports will be blocked and which opened. This type of firewall can also respond to attacks by blocking the attacker, or the port they are using to break in. The best firewalls offer both options.
What it does not do
A firewall will not protect against a virus. Firewalls are concerned only with network activity, and will not check the desktop for activity that does not involve network operations. This is also a major deficiency, but an antivirus scanner and a firewall together provide good protection.
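As an added illustration (not part of the original whitepaper), the following model shows the two firewall behaviours described above, and the port-scanning activity described earlier: a manually configured list of open ports with everything else denied, and an automatic response that blocks a source once it has probed several closed ports. The packet trace and addresses are constructed, and the threshold of five closed ports is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Manual configuration: only these ports are left open (constructed).
ALLOWED_PORTS = {80, 443}

# Constructed trace of (source address, destination port). 10.0.0.5 is a
# normal client; 192.0.2.9 walks through several closed ports like a port scanner.
TRACE = [
    ("10.0.0.5", 80),
    ("192.0.2.9", 21),
    ("192.0.2.9", 23),
    ("192.0.2.9", 25),
    ("10.0.0.5", 443),
    ("192.0.2.9", 110),
    ("192.0.2.9", 139),   # fifth distinct closed port: the source gets blocked
    ("192.0.2.9", 80),    # open port, but the source is already blocked
    ("10.0.0.5", 80),
]


@dataclass
class DesktopFirewall:
    """Default-deny port filter with a simple automatic response (assumed design)."""
    allowed_ports: set
    scan_threshold: int = 5                      # closed ports probed before blocking
    blocked_sources: set = field(default_factory=set)
    probed: dict = field(default_factory=lambda: defaultdict(set))

    def check(self, src_ip: str, dst_port: int) -> str:
        """Return the decision for one packet; may add src_ip to blocked_sources."""
        if src_ip in self.blocked_sources:
            return "DROP:blocked-source"
        if dst_port in self.allowed_ports:
            return "ACCEPT"
        # Closed port: remember which ports this source has tried.
        self.probed[src_ip].add(dst_port)
        if len(self.probed[src_ip]) >= self.scan_threshold:
            self.blocked_sources.add(src_ip)
            return "DROP:source-blocked"
        return "DROP:closed-port"


def simulate(trace, allowed_ports=ALLOWED_PORTS, threshold=5):
    """Run a trace through a fresh firewall; return (decisions, blocked sources)."""
    fw = DesktopFirewall(allowed_ports=set(allowed_ports), scan_threshold=threshold)
    decisions = [fw.check(ip, port) for ip, port in trace]
    return decisions, fw.blocked_sources
```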
Keeping desktop systems that run the Windows NT or Windows 2000 operating system secure is a much easier task, but many of the default settings are not secure, and several steps can be taken to further secure the desktop when using one of these operating systems.
This is a Claremont McKenna College computer system. This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized use. CMC computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Monitoring includes active attacks by authorized CMC entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this CMC computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.
To protect the Windows Registry and the SAM database, remote registry access should be disabled. This keeps hackers from reaching the registry of a remote machine running Windows NT over the network.
To reduce the chance of security being compromised, end users need to be trained in basic security procedures and need to apply them in their daily computing. Users should understand the risks of email attachments, verify the identity of a caller or individual before changing a password, never give a password out, and be able to operate a simple firewall.
All users who connect to a private network from their home machines, and those who work on job-related tasks from a home computer, need an up-to-date antivirus scanner and an effective firewall on the home computer to protect the private network from security breaches and from viruses. Users who do not have such measures in place should not be allowed to access the private network or work on job-related material from home. Users should also know how to administer their antivirus scanner and firewall.
The cost of securing the desktop in a business environment is considerably less than repairing damage after a break-in has occurred. The cost of repairing one workstation for an employee of the rank of Administrative Assistant is $109.23. This figure accounts for a three hour downtime for the employee, three hour repair time for the technician, and hourly salaries of $14.50 for the employee and $21.91 for the technician.
Costs multiply further if multiple machines in the network become compromised. With no security on any machine in a 2000-user network, an infection or security compromise could extend to every machine on the network. With a downtime of only three hours for every infected workstation, at a repair cost of $109.23 per machine, the total cost of repairing the machines of 2000 users is $218,460. This is $154,920 more than the cost of an antivirus solution for 2000 users plus a $10,000 hardware firewall.
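The cost model of the two paragraphs above, carried through as an added example (not part of the original whitepaper) and generalized to a break-even calculation: how many compromised machines it takes before repair costs exceed the cost of protecting the whole network. The protection cost of $63,540 is derived from the page's figures ($218,460 minus $154,920); all other numbers are the page's own.

```python
import math
from decimal import Decimal

# Figures from the whitepaper.
DOWNTIME_HOURS = Decimal("3")
EMPLOYEE_RATE = Decimal("14.50")      # Administrative Assistant, per hour
TECHNICIAN_RATE = Decimal("21.91")    # per hour
NETWORK_USERS = 2000
# Derived from the page: antivirus for 2000 users plus a $10,000 hardware
# firewall = 218,460 - 154,920.
PROTECTION_COST = Decimal("63540")


def repair_cost_per_workstation(hours=DOWNTIME_HOURS,
                                employee_rate=EMPLOYEE_RATE,
                                technician_rate=TECHNICIAN_RATE):
    """Employee idle time plus technician time, both for the same duration."""
    return hours * (employee_rate + technician_rate)


def total_repair_cost(machines=NETWORK_USERS, per_machine=None):
    """Repair cost if `machines` workstations are compromised."""
    per_machine = per_machine or repair_cost_per_workstation()
    return Decimal(machines) * per_machine


def savings_from_protection(machines=NETWORK_USERS, protection=PROTECTION_COST):
    """Repair cost avoided minus what the protection itself costs."""
    return total_repair_cost(machines) - protection


def breakeven_machines(protection=PROTECTION_COST, per_machine=None):
    """Smallest number of compromised machines whose repair exceeds protection."""
    per_machine = per_machine or repair_cost_per_workstation()
    return math.ceil(protection / per_machine)
```

With the page's figures, protection pays for itself once roughly 582 of the 2000 workstations (under 30%) would otherwise need repair.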