Workstation security
Securing the local workstations and the users of a company computer network is one of the most important tasks of a computer system administrator. A well-constructed company IT security policy should take a series of aspects into account, and its preparation should be based on an IT audit of the company that considers how the company's work is organized. The security policy should also identify the biggest potential sources of threats, together with a risk assessment. According to the statistics, the biggest threat to the security of a computer network comes from its users. Staff can unknowingly perform actions that affect the data stored on the company servers, e.g. by opening malicious software such as a crypto-locker or by visiting a website with dangerous content. Such incidents can also have a legal dimension for the company: through the company network, staff can download content whose sharing is illegal, e.g. by using p2p software to download and share videos and music. Moreover, unaware users can fall victim to criminals who use their computers to attack other users; based on the logs, the prosecuting authorities will suspect the company from which the attack was launched in the technical sense.

The unaware network user is one of the entities an IT security policy has to deal with. The second is the aware user who deliberately performs illegal actions and sabotages the company network in order to destroy or steal data. The company IT system as a whole should be designed to counter the threats listed above. IT system administration is not limited to servers and computer networks: a well-designed IT security system should protect company data and network traffic at every level of the company IT system. The user workstations should be the last line of defence against this type of threat, and the tools used there should be redundant in terms of anomaly detection.
Among the IT techniques that raise the security level of workstations are:
- CISCO Umbrella – a technique that uses the DNS system to protect computer terminals. CISCO Umbrella is also known as OpenDNS and is based on a relatively simple idea: CISCO shares its DNS servers, which are connected to the Talos threat database, and Umbrella does not answer DNS queries that lead to suspicious content. This matters because DNS queries are used by the vast majority of crypto-locker variants: before it begins encrypting files, the malware sends a decryption key to a certain domain and uses the DNS protocol to identify the host the data will be sent to. Blocking the query stops the encryption of the files on the disk.
- Advanced Malware Protection (AMP) – also a CISCO solution. The software verifies that the files being processed are not on the potential threat list. Its advantage is that it tracks the files that are used: if a file was not marked as potentially dangerous at the time it was opened but is classified that way later, the information is automatically sent to the IT system administrator, who also receives the propagation route of the given threat through the company network and is able to react to it. AMP can also verify unknown files in a strictly monitored environment called a sandbox: specially prepared virtual machines on which the unknown file is run. AMP checks the effects of opening the file and decides on that basis whether to let it into the local network and allow the user to process it.
- Antivirus software – the security policy, also in the context of workstations, should include procedures for BYOD devices, i.e. user-owned devices that process company data. Most organizations prohibit such practices; however, the IT system administrator should take the possibility into account when securing the network and protect the workstations against potentially malicious software coming from BYOD devices. Network-level authorization together with 802.1X class protocols should be a standard.
- Antivirus/spam filters – attack via e-mail is one of the most common forms of attack on the end user. Messages with dangerous attachments or links are sent in bulk. The attack is often not aimed at a particular company; its victims are the business users who lack adequate security measures. In practice, the infected computers are then used to attack further companies. Antivirus and spam filters protect the company e-mail server against such threats.
- Firewall/UTM – devices that filter traffic at the boundary between the company network and the Internet. They recognize a range of protocols used on the Internet, and rules define whether a given protocol or application may be used in the company network.
- IPS/IDS – devices that analyze the network traffic. The traffic is sampled and compared against known attack signatures.
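The DNS-layer mechanism described under CISCO Umbrella, as an added example that is not code from the original page or from Cisco: a resolver consults a threat list before answering, so a workstation whose malware must first resolve its command-and-control host gets no answer and never reaches it. The blocklist, the log format and the addresses are constructed for the example; the real Talos feed is not reproduced.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed threat list for the example, not the real Talos feed.
BLOCKED_DOMAINS: Set[str] = {"evil-c2.example", "payload.invalid"}


def normalize(qname: str) -> str:
    """Lower-case the name and drop the trailing root dot that DNS clients may send."""
    return qname.strip().rstrip(".").lower()


def blocked_parent(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed domain that covers qname, or None.

    Walks the name label by label, so 'key.evil-c2.example' matches the listed
    'evil-c2.example' while 'notevil-c2.example' does not; a plain substring
    test would wrongly block the latter."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def decide(qname: str, blocklist: Set[str] = BLOCKED_DOMAINS) -> str:
    """Policy verdict for one query; 'BLOCK' means the resolver returns no usable answer."""
    return "BLOCK" if blocked_parent(qname, blocklist) else "ALLOW"


def blocked_lookups_per_client(log_lines: List[str],
                               blocklist: Set[str] = BLOCKED_DOMAINS) -> Dict[str, List[str]]:
    """Group blocked queries by client address so the administrator can see which
    workstation tried to reach a listed domain. Constructed log format:
    '<time> <client> <qname> <qtype>'."""
    report: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        client, qname = line.split()[1:3]
        hit = blocked_parent(qname, blocklist)
        if hit:
            report[client].append(hit)
    return dict(report)


# Constructed query log, not captured traffic.
SAMPLE_LOG = [
    "09:14:02 10.0.0.21 intranet.example. A",
    "09:14:05 10.0.0.21 key.EVIL-C2.example A",
    "09:14:05 10.0.0.21 key.evil-c2.example. TXT",
    "09:14:09 10.0.0.37 notevil-c2.example A",
    "09:14:11 10.0.0.37 payload.invalid A",
]
```

Running `blocked_lookups_per_client(SAMPLE_LOG)` attributes two blocked lookups to 10.0.0.21 and one to 10.0.0.37, while the look-alike name `notevil-c2.example` is correctly left alone.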
Partner24, an IT company from Bydgoszcz, provides IT security services for the workstations and the computer network of a company.