Do I need to read this?
If you have your computer attached to the Cambridge University Data Network (CUDN), whether via a College or departmental connection, a wireless connection or using the VPDN from your home internet connection, then you need to read this. As well as keeping your machine physically secure, you need to make sure that you keep it secure from attacks coming over the network. Machines connected to the CUDN are probed every day and it is relatively simple to infiltrate a computer which has a security loophole. Some attacks are malicious attacks by an individual on vulnerable machines, but automated attacks by malware, including worms and viruses, are far more common.
But I don't keep important data on my machine - it's not worth attacking me.
We use computers for a range of things including banking and investing, shopping, communicating with others using email or chat programs. Even if you do not consider your communications "top secret", you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email in your name, or stealing personal information stored on your computer (e.g. financial statements, or passwords to banking or shopping sites).
What systems are attacked?
PCs running Windows are the most common targets but other systems, for example those running any sort of Unix, especially Linux, are also a target. In the past Macintoshes were less subject to attack, but Mac OS X, with its underlying Unix framework, has become a target for various types of attack. More recently, mobile devices have also become a target for malware.
How can I keep my system secure?
First - a cautionary note. It is not possible to guarantee that any computer is 100% secure. However, if you are careful, look after physical and network security and practise "safe computing" (this includes being very cautious about opening attachments, or clicking on a website link in an email message or instant messaging "chat" client) then you will considerably reduce the risk of your computer being infiltrated. A machine that is not up to date with its security patches, hot fixes, service packs or anti-virus software is at great risk.
1 - Physical security
If you have a network connection in your College room or in your department, you are responsible for all use of that connection. If your machine is protected by a password you should logout when you leave the machine. Alternatively you should use a screen saver that requires a password to be typed to reactivate the session. Machines not protected by a password should be protected by a locked door when the owner is not present. Locking your door when you leave your room is good policy anyway, even more so if you have a laptop as these are by their nature very portable.
2 - Malware (including virus) security
PCs and Macintoshes must run the latest version of the appropriate virus protection software. This is available free from the Computing Service; see the FAQ How can I obtain anti-virus software? for details. Other anti-malware utilities, e.g. anti-spyware, are also worth having on your system.
3 - Network security
All machines should run an up-to-date version of the operating system. You cannot assume that a brand new computer will be running a completely up-to-date system; indeed you should assume that it is not. Most new systems will need to have patches installed. You should only enable network services (web servers, file sharing etc.) if they are really required. Most users do not need to run any services at all, e.g. to browse the web you do not need to be running a web server. You cannot assume that no services will be running. Most Unix (including Linux and Mac OS X) installations will enable some network services by default, and some versions of Microsoft Windows will install a web server or enable file and print sharing unless specifically told not to.
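Because you cannot assume that no services are running, the practical check is to list the sockets your machine is actually listening on and see which of them are reachable from other hosts. The script below is an added example written for this page, not the Computing Service's own tool; it assumes a Linux system with the iproute2 `ss` command, and the sample listing it parses is constructed here in the format `ss -Hltn` prints (state, queue counters, local address:port, peer address:port).

```shell
#!/bin/sh
# Added example, not from the Computing Service page: list the network
# services that other hosts on the CUDN could connect to.
# Assumes Linux with iproute2 `ss` (output format as of iproute2 4.x+).

# exposed_listeners: read `ss -Hltn` / `ss -Hlun` output on stdin (one
# socket per line, no header; column 4 is "local-address:port") and print
# "port address" for every socket NOT bound to a loopback address.
exposed_listeners() {
  awk '
    # TCP listeners show state LISTEN; UDP sockets show UNCONN.
    $1 == "LISTEN" || $1 == "UNCONN" {
      sock = $4
      n = split(sock, parts, ":")        # port is the text after the last colon
      port = parts[n]
      addr = substr(sock, 1, length(sock) - length(port) - 1)
      # Bindings to 127.x.x.x or [::1] cannot be reached from the network.
      if (addr ~ /^127\./ || addr == "[::1]") next
      print port, addr
    }'
}

# Constructed sample, in the layout `ss -Hltn` produces, so the script can be
# tried without a live socket listing (port 22 and 80 are network-reachable,
# the two 631 entries are loopback-only):
SAMPLE='LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 128 127.0.0.1:631    0.0.0.0:*
LISTEN 0 511         *:80           *:*
LISTEN 0 128     [::1]:631       [::]:*'

printf '%s\n' "$SAMPLE" | exposed_listeners
# On a real machine:   ss -Hltn | exposed_listeners      (TCP)
#                      ss -Hlun | exposed_listeners      (UDP)
```

Every line the script prints is a service that a "friendly probe" (or a hostile one) can see; if you do not recognise the program behind a port, `ss -Hltnp` run as root adds the process name, and a service you do not need should be disabled rather than left running. On Windows the equivalent listing comes from `netstat -an` (look for LISTENING entries not on 127.0.0.1), and on Mac OS X from `lsof -i -P | grep LISTEN`.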
As well as making sure you keep your operating system up to date you will also need to make sure that any applications (e.g. word processors, web browsers, email programs) have patches installed.
We strongly recommend that you only run software with a good security track record. Vulnerabilities in, and exploits for, Windows web servers, e.g. IIS are frequent. If you need to run a Windows web server, see the page on alternatives to IIS. If your machine is running an IIS web server and you don't need it, we recommend that you remove it.
With modern versions of Windows (XP and above) the most straightforward way is via the automatic update facility (Microsoft Update, formerly Windows Update). Some Colleges and Departments run a local Windows Software Update Server (WSUS) which you may be able to use when you are on the local network. You should ask your local IT support staff whether they run a server that you can use and, if so, how you should set up your system to use it. The updates available via Microsoft Update or WSUS cover other software, e.g. Microsoft Office and SQL, as well as the operating system itself (so you no longer have to check for Office updates separately). Microsoft Update requires the use of Internet Explorer. Please remember that, in general, for patches to take effect you will need to reboot the computer.
Macs running Mac OS X can also be set to auto-update. For further advice on keeping different Mac OS versions up to date see the Macintosh security page.
Many current Unix distributions allow you to update your system automatically. You will need to see your distribution's documentation for how to configure these. Locally, Unix Support's server provides updates and patches for several versions of Unix including the SuSE, Debian, Fedora and Ubuntu Linux distributions. Contact firstname.lastname@example.org for more information.
What do I do if my system is insecure?
The Computing Service regularly examines the CUDN looking for insecure machines; this is known as 'friendly probing'. If your system is found to be insecure, you will be notified by your Institutional Computer Officer or by the Computing Service. If you are told that your computer has been found to be insecure by a friendly probe, you need to upgrade as soon as possible to a secure version of the system or disable the service(s) leading to the insecurity. If you do not know how to upgrade your system you should seek help from your local Computer Support staff. If you cannot upgrade your system immediately you should disconnect it from the network until you do have time to do the upgrade.
How do I find out whether my system has been infiltrated?
There is no easy way to check if an intruder has used your system, but here are some things to look for:
- any files that you don't recognise
- any strange or unusual activity
- any processes running that you don't recognise
The web page on recovering from security incidents has links to useful resources.
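"Processes that you don't recognise" is easier to judge against a record of what normally runs than from memory. The script below is an added example for this page (not from the Computing Service or the recovery page it links to): it saves a baseline of process command names while the machine is known to be clean, and later reports names that have appeared since. It assumes a Unix-like system where `ps -eo comm=` works (Linux and Mac OS X); the two sample files it compares are constructed inline.

```shell
#!/bin/sh
# Added example, not from the Computing Service page: report processes that
# were not running when a baseline was taken on a known-clean machine.
# Assumes `ps -eo comm=` (Linux procps and Mac OS X both support it).

# snapshot_processes: write the sorted, de-duplicated command names of all
# running processes to the file named in $1.
snapshot_processes() {
  ps -eo comm= | sort -u > "$1"
}

# new_since_baseline: print command names present in the current snapshot
# ($2) but absent from the baseline ($1).  Both files hold one name per line;
# they are re-sorted here so `comm` sees identically ordered input.
new_since_baseline() {
  base=$(mktemp) && cur=$(mktemp) || return 1
  sort -u "$1" > "$base"
  sort -u "$2" > "$cur"
  comm -13 "$base" "$cur"        # -13: suppress lines unique to file 1 and common lines
  rm -f "$base" "$cur"
}

# Constructed sample files standing in for a baseline taken while the machine
# was clean and a snapshot taken today ("unknownd" is a placeholder name):
BASELINE_FILE=$(mktemp) ; CURRENT_FILE=$(mktemp)
printf 'sshd\nbash\ncupsd\nsshd\n' > "$BASELINE_FILE"
printf 'bash\ncupsd\nsshd\nunknownd\nbash\n' > "$CURRENT_FILE"

new_since_baseline "$BASELINE_FILE" "$CURRENT_FILE"   # prints: unknownd

# Real use: snapshot_processes "$HOME/proc-baseline.txt" on a clean machine,
# then later:  snapshot_processes /tmp/proc-now.txt
#              new_since_baseline "$HOME/proc-baseline.txt" /tmp/proc-now.txt
```

Keep the baseline somewhere an intruder on the machine cannot quietly edit (a copy on removable media or another host), and treat the output as a prompt for questions rather than proof: a newly listed name may be a legitimate update, and a compromised program that keeps its original name will not appear at all, which is why the page also says to look at unfamiliar files and activity.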
What do I do if my system has been infiltrated?
If you find that your system has been infiltrated, you should remove it from the network immediately, contact your Institutional Computer Officer and send a message to the Cambridge Computer Emergency Response Team, email@example.com. Please include contact details (either a phone number or an email address), remembering that you will not be able to use your compromised machine. A compromised machine may contain valuable information; do not delete any files or reinstall the system until the computer has been examined by an expert. If possible don't even switch it off or halt the operating system, since valuable clues are often volatile. Just remove the physical connection to the network, immediately, and then seek expert advice.
Last updated: October 2011