How to keep your PC or Mac secure
Did you know that even if your PC for Mac has up-to-date patches, the latest anti-virus and runs a local firewall, it can still be infected?
When computers are used for personal rather than professional use, the chance of infections and other security incidents increases - movies, games, music and other personal applications all have associated risks.
If you manage your own computer or have installed your own applications, you are responsible for keeping the software secure:
- Ensure that the system and applications are securely configured;
- Ensure you have sufficient knowledge of the software you are installing or configuring;
- Ensure the software is permitted by CERN's restrictions on software for personal and professional use;
- Ensure that security patches are regularly applied - this may require upgrading to later versions;
- Run an up-to-date anti-virus software;
- Tighten your local firewall;
- Don't download, install or run software from non-trusted sources, e.g. via the Internet or physical media such as DVDs or USB sticks;
- Hit "ALT-F4" (instead of "Cancel", "OK" or "No") to close unexpected dialogue boxes;
- Limit the usage of administrator privileges and the number of users authorised to access the system to a minimum;
- Lock Your Screen.
Here's some advice to help keep your PC secure. Although useful for all platforms, this advice is particularly targeted to Windows users.
A lot of security problems are caused by software which do not have the latest updates installed. Most software can install updates automatically. Ensure that the software installed has this feature enabled.
- For Windows PCs, ensure that "Windows Update" is enabled and runs on a regular basis;
- For Linux PCs, make sure that yum autoupdate (Redhat/SLC) or apt-get autoupdate (Debian/Ubuntu) is enabled and runs on a regular basis;
- For Apple Macs, use the software update mechanism which is accessible under the Apple menu.
If you prefer passing this responsibility: Use CERN's recommended and centrally managed systems for Windows PCs/laptops or CERN Scientific Linux (SLC) PCs. For the private usage/usage at home, the Windows operating system can be obtained here at decent costs.
Many new new viruses appear each day. CERN's centrally managed NICE PCs are equipped with anti-virus software and are automatically updated to limit damage from known viruses. If a virus is discovered, the anti-virus software will notify you, and prevent it from running (by placing it in quarantine). You should continue to work normally, as the anti-virus service will be automatically informed and will contact you if any further action is required. Occasionally, the anti-virus software cannot completely prevent damage, so if you do experience problems contact email@example.com (tel: 78888), with the name of your PC, details of the error message and problem, and request a virus check.
Anyone managing their own Windows PC or Apple Mac is responsible for obtaining, installing and keeping their anti-virus software up-to-date. This applies to all PCs on the CERN network, including those of visitors. A free version for installation at CERN and home is available here for Windows and Apple Mac. Regularly updated anti-virus software is particularly important for portable PCs which are used at other locations and connect to other Internet Service Providers since they bypass CERN's security protections. This not only increases their own chance of infection, but places the whole CERN site at risk, since once infected, they can spread an infection from inside our firewall.
Please find further details in an article on "MS Forefront Client Security application starts to protect NICE PCs against virus attacks" in the CERN Computing Newsletter CNL 44/2 (2009/6/29) and on the anti-virus Web site.
An additional simple way to protect your computer from intrusion is to use a local firewall blocking all unnecessary, unsolicited or unwanted connections which could potentially be used to damage your computer or to steal your personal data. Such a firewall comes for free with Windows and with any Linux distribution.
The Windows firewall is already turned on by default. However, you can check this from the Start-Button (go to "Control Panel", then "Security Center" and finally "Firewall"). In the ideal case, this should look like this:
With the default setting, Windows firewall will block most programs to prevent unsolicited requests and a window like the right-one above will be displayed. If you decide to unblock it, this program will be added to the exceptions (listed under the "Exceptions" tab on the left picture).
For Scientific Linux CERN (or Fedora Linux/CentOS/RHEL and similar linux versions), please use the graphical user interface and select the "Firewall" configuration from "Administration" submenu of the "System" menu (see left image below), or type sytem-config-firewall from the terminal. You will be asked for system administrator credentials in order to be able to use this application. Following configuration interface will be shown:
By default your system firewall is preconfigured to allow ssh incoming connections and AFS distributed file system access (see under "Other Ports").
If you are expert enough and prefer using the command line, note that the firewall setup is stored in /etc/sysconfig/iptables file. Details on how the iptables are configured can be found in the Red Hat Enterprise Linux Security Guide.
(Non trusted sources in this respect include the Internet, USB sticks, CDs, DVDs, etc.)
A growing number of computer security incidents detected at CERN are due to software downloaded, installed, or run from untrustworthy sources. Viruses are often hidden inside files. When you copy and run a file containing a virus, you can infect not only your own PC, but can start to spread a virus inside CERN's firewall. "Free software" does not necessarily mean "Friendly software": Some of the popular "free" software available on the Web can introduce security problems, either at the time the software is installed (e.g. by adding spyware/adware) or later through lack of updates to close security holes. In particular, there is some "free" anti-virus software advertised on the Internet, which an contain malicious software. This form of "social engineering" hides malicious software inside a security package to make you think that you can trust it. "Free" versions of copyrighted software often contain Trojan horses, spyware or other malicious software - a problem besides the violation of copyrights. Furthermore, installing browser plug-ins could also download any malicious software that the plug-in might contain. If a Web site requires a plug-in to view it, it is best to avoid using it.
In addition to security problems, software installed for personal use often creates support problems. The additional software can make problem analysis more difficult and time consuming and even if the initial installation appears not to impact the correct running of the system, it can cause problems for changes to the system at a later time. Removing additional software may require a complete re-installation of the system from scratch to recover from all changes which were made to the system. Re-installations have been required following the installation of some "free downloads".
Therefore, only copy files from trusted sources, such as commercial companies with whom CERN has a software agreement. Software which is not required for a user's professional duties introduces an unnecessary risk and should not be installed or used on computers connected to CERN's networks. Rather install software which is provided centrally for Windows or CERN Scientific Linux computers.
For more information about spyware and how to avoid it, see http://cern.ch/WinServices/Help/?fdid=16.
Visiting a Web site sometimes results in dialogue boxes. Those "pop-ups" may be maliciously configured so that even if you click "Cancel", "OK" or "No" or close the window with the top-right "X", a program could still be executed on your PC.
On a Windows PC close the pop-up by pressing the keys [Alt][F4], which closes the "active" window.
There are a growing number of "zero-day exploits" & security weaknesses that are discovered before patches become available. With these exploits, simply clicking a web link while you have administrator privileges could automatically install malicious software that infects your PC.
You are recommended to run without administrator privileges as this restricts the damage malicious software can do. For information on running without administrator rights see: http://cern.ch/WinServices/Help/?kbid=010121.
Lock your screen each time you leave your office. For Linux, please use [Control][Alt][L]. From a Windows PC use [Control][Alt][Delete] and select "Lock Computer" (or if you have a Windows keyboard, simply press [Windows][L]). For an Apple Mac, first enable the "Show Status in Menu Bar" flag from the preferences of the application "Keychain Access" and from that menu, the screen can be locked manually or after a defined time when unused:
You are also recommended to auto-lock your screen after e.g. 10 minutes of inactivity. On a Mac, the screen lock is activated in the "System Preferences/Security" (see picture above, right) while the time before auto-sleep is defined under "Energy Saver". For Windows PCs, right-click on the desktop, choose "Properties" and then the tab "Screen Saver". Change this to "Wait 10 minutes" and click the box "On resume, password protect":