Most conversations regarding security inevitably focus on server or application security: How do I harden my server? How do I secure my database? What is the most secure web cluster configuration? However, one area that if often overlooked is security on our personal workstations. Although it may seem that as long as you have an antivirus application installed, you are doing everything you can, there are other steps you should be taking, not only to protect yourself but the environments from which you work. In this article, we will take a look at some things that you can do on your local workstation to harden your security profile.
User Account and Keys
By far, the most common method of interaction from your workstation to any server in your environment will come via the accounts and keys you use to access those systems. As a result, they are often some of the most insecure links in the security chain. Most people use only passwords to secure their access to a server environment over SSH, and even those tend not to be the most complex passwords unless the systems administrator is enforcing password rules. Some things you should be doing to protect the integrity of your accounts and prevent their abuse if compromised:
- Password complexity — At a minimum, your password should contain at least 12 characters with letters, numbers, and symbols, including upper- and lowercase. The password should NOT be any word or phrase, even if letters are substituted with their numeric equivalent (ex. 4ever instead of forever). This needs to be balanced against your ability to remember the password; what you can do is to come up with a phrase you can remember, and then use it within your password. For example, the phrase “now is the time for all good men to come to the aid of their country” can be turned into something like “_$NiTtFaGmTcTtAoTc$_”. This password is hard for even brute force attacks, but is not terribly difficult to remember (special characters at beginning and end, the first letter of each word in the sentence, alternate capitalization).
- Account keys — If you use SSH, you should be using SSH keys. In fact, you should be using keys AND a password for a poor man’s two-factor authentication. (In other words, don’t skip the “passphrase” portion of creating your key.) The more obstacles you put in front of anyone looking for a way in, the more difficult it will be for them to find one.
- Different keys for different workstations — Don’t use the same SSH keys for every workstation you use. By using different keys on each workstation, the compromise of a single key is not catastrophic for your user account. You can then simply use another of your workstations and then revoke the compromised key.
- Password manager — Everyone should use a password manager, and that password manager should not be storing the password database in the cloud. It is okay to store it locally or even on a local network share accessible only by your or your workstation(s), but never public cloud. Additionally, use the single most complex password you can to access the database for use. It will not do you any good to have different passwords for all the sites and servers if a single weak password secures it.
Full Disk Encryption
This used to be a much less common or usable option given the performance hit it often came with. However, modern processors and storage performance increases in the last few years have made this a completely viable security solution for your workstation. The easiest method for using full disk encryption is to do so during the installation process where everything will be handled as part of the partitioning and formatting process before setup. However, even after the fact, you can apply Cryptsetup to your partitions. Cryptsetup will use:
- Default LUKS for AES in XTS_plain64 mode
- A SHA1 256bit key run through a PBKDF2 hashing algorithm
- Standard encryption protocols that pass American HIPAA and ADSGA (American Data Secrets Guard Act) requirements, including workstations used in government positions
One of the items that is often forgotten is the swap file. Given that your Linux swap file is often used for file caching when memory begins to be fully engaged, if you do not have your swap file/partition encrypted as well, anyone with physical access to your system and it’s USB or firewire ports can compromise your system. It is easy to forget or be unaware of how some of your system hardware behaves in the kernel, so when in doubt, encrypt it.
Summary and Next Steps
We have covered some “big rocks” in the security of your workstation. Now that we have added some security to the workstation itself and looked how we interact with the servers we manage, in our next article, we will take a look at PGP. This will enable us to enhance our security profile further in accessing other systems or communicating with external entities over email.