Chapter 10. Workstation Security

IN THIS CHAPTER

• Windows XP Service Pack 2

• Local Administrator Access for Users

• Antivirus Tools

• Antispyware Tools

• The Managed Network

• Let's Not Forget About Office

• The Educated End User and Security Review Process

• Protecting Data from the Inside

• Troubleshooting Workstation Security

Once upon a time, the network consultant worried most about the threat from the floppy drive. At one time all viruses and all attacks on the network barring physical attacks came from a worker at the office placing a disk in a drive and launching a file. At that time most viruses attached themselves to a Word file or perhaps even a boot sector. As long as the antivirus software was kept up-to-date on the workstation, you were relatively assured that you could stay one step ahead of the virus. Viruses spread through sneakernets, the slang description for a bunch of computers whose means of transporting files was having a floppy disk moved from one computer to another. Thus, like in a virus infection in humans, physical contact was key to transmitting the computer virus in most small networks.

But as technology connects us every moment of our lives, so too has the capability for viruses to be transmitted increased. When the networks that most of us rely on were first designed, there was no need to put protections for workstations inside the office. All we needed to protect networks was a well-designed, well-defended perimeter. But then two inventions changed the way we do computing foreverand changed the boundaries of our network.

The laptop and the Internet moved the boundaries of computer networks away from the ISA Server and Cisco Pix and into the homes of small businesses. It moved the threat window from the time it took to move infected files around via floppy disks to now where within 24 hours, proof of concept of exploit code is posted on the Web. You must think of workstation security as protecting someone from an epidemic. What is the best protection for an infectious disease? Ensuring that you are not exposed in the first place and obtaining inoculations when you realize you cannot remove all the risk of exposure. The computer world is no different. There are three tenets to risk management in a network:

• Accept the risk.

• Mitigate the risk.

• Transfer the risk.

This chapter assumes that you have completed the process of identifying those assets in the firm you need to protect. You have identified those databases and devices that contain the data you need to most protect due to regulation or other requirements. Typically, for most firms, this is a category of data called personal identity information (PII). In the healthcare industry, this data is electronic patient healthcare information (ePHI). Both PII and ePHI have as their risk factors, a risk of business impact due to the required disclosure laws now on the books in many locations. Furthermore one could argue that sitting down and making a reasonable determination of the risk factors in your network is both a good business practice to ensure that your security dollars are well spent and just good business period. If your firm and your clientele depend on a source of data for your revenue above all other pieces of data on your network, this process will help you and your clients streamline that data and assign the proper protection.

Traditionally in risk management there is an equation that allows you to put a dollar value, a budget in place:

AROxSLE = ALE

You first look at the annualized rate of occurrence (ARO) for these events. What historically has been the impact of viruses? Then you determine the single loss expectancy (SLE) for the risk, which is based on the costs to clean up from the risk. Multiply the two to determine the annual loss expectancy (ALE) to determine whether it's less expensive to "clean up from the mess" or to "prevent the mess" in the first place. That amount you calculatethe dollar amount to clean up the machinesshould be less than the cost of the item needed to prevent the event from occurring in the first place. If it is not, there is no question that prevention is cheaper than cleaning up.

Although this chapter focuses on some key processes to ensure more protection of the workstations, should always keep in mind this equation and the overall part that workstations play in the security of your network. Your best protective device may not be technology at all; it may in fact be an educated end user. Make sure that in your budget of security actions you also remember that education will go a long way to the overall security of your network.

Network threat modeling is a relatively new concept but is key for any size firm. Understanding where your data if stored and flowing and the appropriate amount of resources to apply to protecting that key data is more an art than a science.