A secure cloud deployment isn’t limited to ensuring that your servers follow best practices: your desktop computer can be the weakest link in your security chain.

All too often, companies will put all of their effort into ensuring their servers have the latest patches, but give little thought to ensuring their employee desktops are also secure. When a desktop is compromised, the sensitive data on that machine (such as usernames, passwords and keys) can be used to break into your cloud web console or servers.

As such, Casey Labs provides a basic set of recommendations that will help ensure the security of your desktop:


Automate Operating System Patches

Operating system patches need to be automated for regular installation, in order to prevent vulnerabilities within your OS from being exploited.

Windows

By default, Windows 10 will automatically install security updates. Verify that this is enabled by:

  • Click on the Start button, followed by Settings
  • From Settings, click on Update & security
  • Choose Windows Update from the menu on the left
  • Click on the Advanced options link on the right
  • Select Automatic (recommended) from the drop-down, and check Give me updates for other Microsoft products when I update Windows


Mac OS

  • On the menu bar, click on the Apple menu and select System Preferences.
  • Click on the “App Store” tab.
  • Enable the following settings:
    • Automatically check for updates
    • Download newly available updates in the background
    • Install system data files and security updates


Ubuntu

Open a terminal window, and run the following commands:

# Install unattended-upgrades
sudo apt-get install unattended-upgrades -y
# Install any security updates
sudo apt-get update
sudo unattended-upgrade
# Test if a reboot is required (the flag is a regular file, so use -f, not -d)
[ -f /var/run/reboot-required ] && echo 'REBOOT REQUIRED'

Then add it as a monthly automatic task:

echo "0 0 1 * * root apt-get update && unattended-upgrade" | sudo tee -a /etc/crontab


Protect your SSH Keys

Your SSH keys should be kept in a secure location locally on your computer. Private SSH keys should never be placed on a server, as they could easily be copied by another user.

Your private SSH key should also be protected by a passphrase. To add a passphrase to an existing private key:

Linux/Mac
Open terminal and run:

ssh-keygen -p -f yourPrivateKeyFile

Windows:
Key files can be updated with a passphrase using PuTTYgen.
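As an added example (not from the Casey Labs post), the script below audits a directory of SSH private keys for the two properties this section asks for: each key has a passphrase, and each key file is readable only by its owner. It recognises both containers OpenSSH writes, the legacy PEM form (encrypted keys carry a `Proc-Type: 4,ENCRYPTED` header) and the `openssh-key-v1` form (the cipher name in the header is `none` for an unprotected key). The sample keys it generates are constructed headers with filler, not usable key material, so it runs offline.

```shell
#!/bin/sh
# Added example, not Casey Labs' own script: audit private SSH keys for a
# passphrase and owner-only permissions. Sample keys below are constructed.

# Return 0 if the private key at $1 is passphrase-protected, 1 if not,
# 2 if the file is missing or cannot be parsed.
key_is_encrypted() {
    f="$1"
    [ -f "$f" ] || return 2
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # openssh-key-v1 layout: "openssh-key-v1\0" (15 bytes), uint32 length
        # (4 bytes), then the cipher name. Unprotected keys use cipher "none".
        cipher=$(sed '1d;$d' "$f" | tr -d '\n\r' | base64 -d 2>/dev/null \
                 | head -c 30 | tail -c +20 | tr -d '\000' | cut -c1-4)
        case "$cipher" in
            '')   return 2 ;;
            none) return 1 ;;
            *)    return 0 ;;
        esac
    else
        # Legacy PEM container: encrypted keys carry this header line.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f"
    fi
}

# Return 0 if the file grants no permission bits to group or others (0600/0400).
key_is_private_to_owner() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Report on every id_* private key in directory $1 (public .pub files skipped).
audit_ssh_dir() {
    for f in "$1"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if key_is_encrypted "$f"; then echo "OK:   $f has a passphrase"
        else echo "WARN: $f has no passphrase (fix: ssh-keygen -p -f $f)"; fi
        if key_is_private_to_owner "$f"; then echo "OK:   $f is readable by owner only"
        else echo "WARN: $f is readable by group/others (fix: chmod 600 $f)"; fi
    done
}

# Constructed openssh-key-v1 container with the given cipher and KDF names.
# Only the header is real; the body is filler, so this is NOT a usable key.
write_sample_openssh_key() {
    path="$1"; cipher="$2"; kdf="$3"
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        {
            printf 'openssh-key-v1\000'
            printf '\000\000\000'; printf "\\$(printf '%03o' "${#cipher}")"; printf '%s' "$cipher"
            printf '\000\000\000'; printf "\\$(printf '%03o' "${#kdf}")"; printf '%s' "$kdf"
            printf 'FILLERFILLERFILLER'
        } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$path"
}

# Constructed legacy PEM container; $2 = yes to add the encryption header.
write_sample_pem_key() {
    path="$1"
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = yes ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
            echo
        fi
        echo 'RklMTEVSRklMTEVS'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$path"
}

# Demo: two constructed keys, one protected and one not.
demo=$(mktemp -d)
write_sample_openssh_key "$demo/id_ed25519" aes256-ctr bcrypt
write_sample_openssh_key "$demo/id_rsa" none none
chmod 600 "$demo/id_ed25519" "$demo/id_rsa"
audit_ssh_dir "$demo"
```

Run `audit_ssh_dir "$HOME/.ssh"` on a workstation to list keys that still need `ssh-keygen -p` or `chmod 600`; the check only reads the container header, so it never needs the passphrase itself.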


Setup Antivirus Protection

An antivirus program is mandatory for Windows desktops, and is also recommended for Mac OS X and Linux desktops.

Windows

Mac OS

Ubuntu


Secure your Web Browser with an Adblocker

Rogue ad servers are one of the largest sources of malware installs. Protect your web browser with the uBlock Origin adblocker extension:


Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra step to your basic log-in procedure. Without 2FA, you enter your username and password, and then you’re done. 2FA adds an additional layer of authentication, making it difficult for an attacker to brute-force your password, or for malware to steal your login credentials through a keyboard logger.

We suggest that 2FA be enabled on your work email and AWS Management Console accounts. To set up 2FA:


Securely Manage your Passwords

Usernames and passwords should not be kept in plain text on your desktop. Instead, an offline encrypted password management database should be used.

We recommend Enpass as a cross-platform personal password vault.


Encrypt your hard drive

Encrypting your hard drive ensures that your personal information cannot be stolen in the event that your desktop or laptop is stolen.

Windows

Mac OS

Ubuntu


Backup your hard drive

We recommend that you do a full disk backup of your local disk to an external hard drive, using the built-in operating system backup software, scheduled for once a week.

In addition, we recommend that you back up your local disk to an encrypted online backup provider. We recommend using Backblaze as your online/off-site backup provider (note: Backblaze is a paid, unaffiliated service).