A secure cloud deployment isn’t limited to ensuring that your servers follow best practices: your desktop computer can be the weakest link in your security chain.
All too often, companies put all of their effort into keeping their servers patched, but give little thought to whether their employee desktops are also secure. When a desktop is compromised, the sensitive data on that machine (such as usernames, passwords and keys) can be used to break into your cloud web console or servers, no matter how well those servers themselves are hardened.
As such, Casey Labs provides a basic set of recommendations that will help ensure the security of your desktop:
Automate Operating System Patches
Operating system patches should be installed automatically on a regular schedule, so that known vulnerabilities in your OS are closed before they can be exploited.
By default, Windows 10 will automatically install security updates. Verify that this is enabled by:
- Click on the Start button, followed by Settings
- From Settings, click on Update & security
- Choose Windows Update from the menu on the left
- Click on the Advanced options link on the right
- Select Automatic (recommended) from the drop-down, and check Give me updates for other Microsoft products when I update Windows
For Mac OS X, enable automatic updates by:
- On the menu bar, click on the Apple menu and select System Preferences.
- Click on the “App Store” tab.
- Enable the following settings:
- Automatically check for updates
- Download newly available updates in the background
- Install system data files and security updates
On Ubuntu or Debian Linux, open a terminal window and run the following commands:
# Install the unattended-upgrades package
sudo apt-get install unattended-upgrades -y
# Refresh the package index and install any pending security updates now
sudo apt-get update
sudo apt-get upgrade -y
# Test if a reboot is required (the flag is a file written by update-notifier)
[ -f /var/run/reboot-required ] && echo 'REBOOT REQUIRED'
Then add it as a monthly automatic task:
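The scheduled task itself is not shown on the page. As an added example (not code from the original article), the following script instead turns on apt's own daily unattended security upgrades, which is the mechanism the unattended-upgrades package is built for, and wraps the reboot check in functions so it can be run from a cron job or by hand. It assumes a Debian or Ubuntu system where apt reads drop-in configuration from /etc/apt/apt.conf.d/ and the update-notifier-common package writes /var/run/reboot-required (plus a .pkgs list) when an update needs a reboot; the --apply flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Debian/Ubuntu:
# apt reads drop-in config from /etc/apt/apt.conf.d/ and the
# update-notifier-common package writes /var/run/reboot-required when a
# package needs a reboot.
set -eu

# Write the apt periodic settings that make unattended-upgrades run daily.
# $1 = destination file (normally /etc/apt/apt.conf.d/20auto-upgrades).
write_auto_upgrades_conf() {
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Exit status 0 when a reboot is pending. $1 overrides the flag path (for tests).
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Print the packages that requested the reboot, one per line (nothing if none).
reboot_required_pkgs() {
    pkgs="${1:-/var/run/reboot-required.pkgs}"
    if [ -f "$pkgs" ]; then
        cat "$pkgs"
    fi
}

# Applying the change needs root; only do it when asked explicitly (--apply).
if [ "${1:-}" = "--apply" ]; then
    sudo apt-get install -y unattended-upgrades
    tmp=$(mktemp)
    write_auto_upgrades_conf "$tmp"
    sudo install -m 0644 "$tmp" /etc/apt/apt.conf.d/20auto-upgrades
    rm -f "$tmp"
    # Dry run: show what the next unattended run would install.
    sudo unattended-upgrade --dry-run
fi

if reboot_required; then
    echo "REBOOT REQUIRED by:"
    reboot_required_pkgs
else
    echo "No reboot pending"
fi
```

With the stock /etc/apt/apt.conf.d/50unattended-upgrades, only the distribution's security origin is installed automatically, which is what you want on a desktop; the reboot check still has to be acted on, since unattended-upgrades does not reboot unless you configure it to.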
Protect your SSH Keys
Your SSH keys should be kept in a secure location locally on your computer, readable only by your own account. Private SSH keys should never be copied onto a server, where another user with access to that machine, or an attacker who compromises it, could easily copy them; if you need to hop from one server to another, use ssh-agent forwarding rather than placing the key on the first server.
Your private SSH key should also be protected by a passphrase. To add a passphrase to an existing private key:
Open terminal and run:
ssh-keygen -p -f yourPrivateKeyFile
On Windows, PuTTY key files (.ppk) can be given a passphrase using PuTTYgen.
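As an added example (not code from the original article), the following script audits a key directory for the two problems described above: a private key saved without a passphrase, and a key file that other local users can read. It assumes OpenSSH's key file formats: the current openssh-key-v1 container, whose header records the cipher name ("none" for an unencrypted key), and the legacy PEM container, whose Proc-Type header marks encrypted keys. The directory defaults to ~/.ssh; the fix commands it prints are the same ssh-keygen -p and chmod 600 a practitioner would run by hand.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory of SSH
# private keys for keys stored without a passphrase and key files that other
# local users can read. Assumes OpenSSH key formats (openssh-key-v1 or PEM).
set -u

# Exit 0 if the private key in $1 is passphrase-protected, 1 if it is cleartext
# (or cannot be parsed, which is treated as unprotected to fail closed).
key_is_encrypted() {
    key="$1"
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
        # In the openssh-key-v1 container the cipher name follows the 15-byte
        # magic and a 4-byte length, so bytes 19-22 read "none" when cleartext.
        cipher=$(sed '/^-----/d' "$key" | tr -d '\n' | base64 -d 2>/dev/null |
                 head -c 23 | tail -c 4)
        case "$cipher" in
            none) return 1 ;;   # stored in the clear
            ????) return 0 ;;   # start of a real cipher name, e.g. "aes2"
            *)    return 1 ;;   # undecodable: report it rather than trust it
        esac
    fi
    # Legacy PEM keys announce encryption in a header line.
    grep -q 'Proc-Type: 4,ENCRYPTED' "$key"
}

# Exit 0 if the key file's mode grants nothing to group or others (e.g. 0600).
key_perms_ok() {
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    bits=$(ls -l "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Audit every private key in directory $1. Prints one line per finding and
# returns the number of findings, so an exit status of 0 means clean.
audit_ssh_dir() {
    dir="$1"
    findings=0
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        # Skip public keys, config, known_hosts: anything without a private key.
        grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null || continue
        if ! key_is_encrypted "$key"; then
            echo "UNPROTECTED: $key has no passphrase (fix: ssh-keygen -p -f '$key')"
            findings=$((findings + 1))
        fi
        if ! key_perms_ok "$key"; then
            echo "PERMISSIONS: $key is readable by other users (fix: chmod 600 '$key')"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Audit the caller's own key directory (or the one given as $1) when run directly.
audit_ssh_dir "${1:-${HOME:-.}/.ssh}" && echo "OK: no findings"
```

Run it after adding a passphrase with ssh-keygen -p to confirm the key is now reported as protected; the cipher-name check reads the file itself, so it does not need ssh-keygen or the passphrase to decide.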
Setup Antivirus Protection
An antivirus program is mandatory for Windows desktops, and is also recommended for Mac OS X and Linux desktops:
- Microsoft Security Essentials for Windows 7 and Windows Vista
- The built-in Windows Defender for Windows 10
- Suggested: Sophos Antivirus for Mac
- Suggested: Sophos Antivirus for Linux
Secure your Web Browser with an Adblocker
Malicious advertising served through rogue or compromised ad networks is one of the largest sources of malware installs, and it reaches users through otherwise reputable sites. Protect your web browser with the uBlock Origin adblocker extension:
- uBlock Origin adblocker for Chrome
- uBlock Origin adblocker for Firefox
- uBlock Origin adblocker for Safari
- uBlock Origin adblocker for Microsoft Edge
Enable Two-Factor Authentication (2FA)
Two-factor authentication (2FA) adds a second step to your basic log-in procedure. Without 2FA, you enter your username and password, and then you’re done. With 2FA you must also present a second factor, typically a time-based code generated on your phone, so a password that has been guessed, brute forced, or captured by malware through a keyboard logger is no longer enough on its own to log in. Keep the backup codes each service issues when you enrol, since losing your phone otherwise locks you out of the account.
We suggest that 2FA be enabled on your work email and AWS Management Console accounts. To set up 2FA:
- Install the Google Authenticator app on your phone
- Enable 2FA on your work Gmail email account
- Enable 2FA on your AWS Management Console account
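To make the second factor concrete, here is an added example (not code from the original article) that computes the same RFC 6238 time-based one-time password a Google Authenticator app derives from the secret a site shows you at enrolment, and verifies a submitted code while tolerating one step of clock skew. It assumes POSIX sh, awk and the openssl command-line tool; the secret in the demo is the RFC 6238 test key, not a real account's, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): RFC 6238 TOTP (HMAC-SHA1,
# 30-second step), the algorithm Google Authenticator runs on the phone.
# Assumes POSIX sh, awk and the openssl command-line tool.

# Decode an RFC 4648 base32 secret (the format used in otpauth:// URIs) to hex.
base32_to_hex() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ' | awk '
        BEGIN { alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
        {
            bits = ""
            for (i = 1; i <= length($0); i++) {
                v = index(alpha, substr($0, i, 1)) - 1
                if (v < 0) exit 1
                for (b = 4; b >= 0; b--) { bit = int(v / 2 ^ b) % 2; bits = bits bit }
            }
            hex = ""
            for (i = 1; i + 7 <= length(bits); i += 8) {
                byte = 0
                for (b = 0; b < 8; b++) byte = byte * 2 + substr(bits, i + b, 1)
                hex = hex sprintf("%02x", byte)
            }
            print hex
        }'
}

# totp HEXKEY [UNIX_TIME] [STEP] [DIGITS]: print the code for that moment.
totp() {
    hexkey="$1"
    now="${2:-$(date +%s)}"
    step="${3:-30}"
    digits="${4:-6}"
    counter=$((now / step))

    # RFC 4226 step 1: HMAC-SHA1 over the counter as an 8-byte big-endian value.
    bin=""
    i=0
    while [ "$i" -lt 8 ]; do
        byte=$(( (counter >> (8 * (7 - i))) & 255 ))
        bin="$bin$(printf '\\%03o' "$byte")"
        i=$((i + 1))
    done
    mac=$(printf "$bin" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | sed 's/^.*= //')

    # Step 2: dynamic truncation. The low nibble of the last byte picks a 4-byte
    # window; clear its sign bit and keep the last DIGITS decimal digits.
    offset=$(( 0x$(printf '%s' "$mac" | tail -c 1) ))
    window=$(printf '%s' "$mac" | cut -c "$((2 * offset + 1))-$((2 * offset + 8))")
    mod=1
    i=0
    while [ "$i" -lt "$digits" ]; do
        mod=$((mod * 10))
        i=$((i + 1))
    done
    printf "%0${digits}d\n" $(( (0x$window & 0x7fffffff) % mod ))
}

# totp_verify HEXKEY CODE [UNIX_TIME]: exit 0 if CODE matches the current,
# previous or next 30-second window (one step of clock skew either way).
totp_verify() {
    hexkey="$1"; code="$2"; now="${3:-$(date +%s)}"
    for skew in -30 0 30; do
        [ "$(totp "$hexkey" $((now + skew)))" = "$code" ] && return 0
    done
    return 1
}

# Demo with the RFC 6238 test secret ("12345678901234567890" in base32);
# at T=59 the 6-digit code is 287082.
demo_key=$(base32_to_hex GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ)
echo "code at T=59: $(totp "$demo_key" 59)"
echo "code now:     $(totp "$demo_key")"
```

The code depends only on the shared secret and the current 30-second window: a code captured by a keylogger is worthless once the window closes, and the secret itself never leaves the phone, which is why a stolen password alone no longer grants access. The server side must also rate-limit guesses, since a 6-digit code is small.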
Securely Manage your Passwords
Usernames and passwords should not be kept in plain text on your desktop (a text file, spreadsheet or sticky note). Instead, use an offline, encrypted password management database protected by a single strong master password, and let it generate a different random password for every account.
We recommend Enpass as a cross-platform personal password vault.
Encrypt your hard drive
Encrypting your hard drive ensures that the data on it cannot be read if your desktop or laptop is stolen or lost; without it, anyone holding the drive can read every file by booting another operating system, regardless of your login password. Note that full-disk encryption protects data at rest only: a running, unlocked machine is still exposed, so lock the screen whenever you step away, and keep the recovery key somewhere other than the encrypted machine itself.
- Encrypt your computer with BitLocker (built into Windows).
- Encrypt your Mac with FileVault 2 (built into OS X).
Backup your hard drive
We recommend that you do a full backup of your local disk to an external hard drive, using the operating system's built-in backup software, scheduled for once a week. Disconnect the drive between backups so that malware on the desktop (ransomware in particular) cannot encrypt or delete the backup along with the originals, and test a restore occasionally.
In addition, we recommend that you back up your local disk to an encrypted online backup provider. We recommend Backblaze as your online/off-site backup provider (note: Backblaze is a paid, unaffiliated service).