Best Practices

Public Computer Security Tips

By Userful

About this Guide

These security tips will help with the most common threats to your public computer security. However, maintaining your public computer security can add up to a significant amount of your valuable time. Even after hundreds of hours of work, few "do it yourself" security systems are perfect. If you're interested in an alternative to managing, maintaining and supporting your own public computer network, visit http://library.userful.com

This article was originally distributed as part of a series on public computer tech tools in Userful's Newsletter. If you'd like to access past tech tools, sign up at http://library.userful.com/library-technology-planning-resources.php

If you would like to learn more about a public computer system that doesn't require your staff to lock down, secure and manage your public computers by hand, e-mail info@userful.com, or phone 1-800-301-9018.

Virus, Malware, Spyware

What is it, what's the worry, what can you do to stop it? Viruses are the most widely known security threats because they often garner extensive press coverage. Viruses are computer programs that are written by devious programmers and are designed to replicate themselves and infect computers when triggered by a specific event. A Windows network can be infected by a virus only if the virus enters the network through an outside source — most often through an infected floppy or USB disk or a file downloaded from the Internet. When one of the computers on your network becomes infected, the other computers on the network are highly susceptible to contracting the virus.

Another common malicious threat, trojan horse programs, or trojans, are delivery vehicles for destructive code. Trojans appear to be harmless or useful software programs, such as a computer game, but they are actually enemies in disguise.

Spyware is a type of malware that is installed on computers and that collects information about users (such as passwords and web surfing activity) without their knowledge. The presence of spyware is usually hidden from the user. Typically, spyware is installed on your public computers without the user's knowledge.

With a Microsoft Windows-based system, viruses, trojans and spyware (collectively known as "malware") will always be a concern. The best you can do is work to guard against them. Opting for a drive shield type approach such as "Clean Slate" does not solve the malware threat, because as soon as one of your computers gets infected, it puts the other computers on your network at risk. Using anti-virus software together with a lock-down and drive shield program is definitely the way to go. Almost all anti-virus products have an upfront dollar cost, and they all have an ongoing work burden associated with them. But if you're running Windows, this is an absolutely essential part of your security.

It's also worth noting that most malware is aimed at Microsoft and uses Windows code to propagate. Turning to another desktop operating system such as Linux will sidestep almost all malware concerns.

Keep in mind that even if you've never been hit by malware, protecting against it has a cost to you, both in software and, even more, in the time, energy and headaches of integrating and maintaining it. Anti-virus software that is outdated will not protect you, so a lot of your time will be spent rebuilding, testing and deploying the image every time you update your anti-virus definitions.

Security of Your Web Browser

Everyone connects to the World Wide Web through a web browser and unfortunately, whether you use Firefox, Internet Explorer, Opera, Chrome or anything else, this is a point of weakness in any computer's defenses. Hackers often target your computer by focusing on flaws in browsers or their plug-ins and by using drive-by downloads, which cause your computer to download malware through the browser without your knowledge. Because of this threat, web browser security upgrades are an important early step in your PC security.

The easiest browser security upgrade is simply to switch internet browsers. Microsoft's Internet Explorer is subjected to the largest number of security threats, so switching to a popular, safer alternative such as Mozilla's Firefox or Opera will dramatically improve your PC security right away. Firefox also has a very handy plugin called “NoScript”, which blocks Java/Flash/PHP or other server-side scripts from executing until you allow them. This combination is by far the safest way to surf the web.

For those dead set on using Internet Explorer, you should raise the security level from the default to the "High" setting and specify which websites are trusted enough to bypass the browser's security filter. You can do this by opening up a new browser window, selecting the "Tools" menu, followed by "Internet Options." From there choose the "Security" tab and finally drag the bar to the "High" level.

You can use Internet Explorer, but like a lot of things in a "Do it Yourself" public computer setup, it requires extra work and extra vigilance. If you consider your time valuable, you'll find Internet Explorer isn't free; it actually costs you quite a bit.
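
To confirm that the "High" setting and the trusted-site list described above are actually in place on each machine, the following PowerShell audit can be run under the account patrons use. It is an added example, not part of the original guide or Userful's software; it only reads the per-user registry values that the "Internet Options" slider and "Trusted sites" dialog write.

```powershell
# Added example: audit the Internet zone slider and the Trusted sites list
# for the logged-on profile. Read-only; nothing is changed.
$Settings     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InternetZone = Join-Path $Settings 'Zones\3'          # zone 3 = Internet
$DomainMap    = Join-Path $Settings 'ZoneMap\Domains'  # per-site zone assignments

# Values the "Security level for this zone" slider stores in CurrentLevel.
$LevelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'; 0 = 'Custom'
}

function Get-InternetZoneLevel {
    $raw  = (Get-ItemProperty -Path $InternetZone -Name CurrentLevel -ErrorAction Stop).CurrentLevel
    $name = $LevelNames[[int]$raw]
    if (-not $name) { $name = 'Unknown' }
    [pscustomobject]@{
        Level  = $name
        Raw    = '0x{0:X}' -f $raw
        IsHigh = ($raw -eq 0x12000)
    }
}

function Get-TrustedSite {
    if (-not (Test-Path $DomainMap)) { return }
    Get-ChildItem -Path $DomainMap -Recurse | ForEach-Object {
        $key = $_
        # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
        $labels = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
        [array]::Reverse($labels)
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {        # 2 = Trusted sites zone
                [pscustomobject]@{ Scheme = $scheme; Site = ($labels -join '.') }
            }
        }
    }
}

Get-InternetZoneLevel | Format-List
Get-TrustedSite | Sort-Object Site | Format-Table -AutoSize
```

Settings pushed by Group Policy are stored under a separate Policies key and are not read by this script. Any trusted site you do not recognise is worth reviewing, since it bypasses the "High" restrictions.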

Operating System and Updates

Security of your operating system is vital. Microsoft regularly sends out patches and upgrades, so be sure you always have the latest. Many of these updates close security loopholes. You will need to temporarily deactivate your drive shield to ensure the updates are applied. Doing this regularly will ensure that crucial “holes” in your security are patched.

In the case of a Windows installation, download patches only directly from Microsoft's official Windows Update site and never from anywhere else, no matter how legitimate the site looks. Spammers sometimes cleverly create fake infected patches and post them on their own or other people's websites in order to trick people into infecting their own computers by downloading them.
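
As a second check on top of downloading only from Microsoft, you can have Windows verify the digital signature of each update file before it goes into your image. The PowerShell below is an added example, not part of the original guide; the staging folder `C:\PatchStaging` is a hypothetical path, and matching on the signer's organisation name is an assumption about how you choose to define "signed by Microsoft".

```powershell
# Added example: report whether each staged update file carries a valid
# Authenticode signature whose signer is Microsoft.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned or unsupported files have no signer certificate.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # Assumption: a Microsoft signer shows "O=Microsoft Corporation" in the subject.
    $fromMicrosoft = $signer -match '(^|,\s*)O=Microsoft Corporation(,|$)'

    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status      # 'Valid' only if the file is intact and the chain is trusted
        Signer      = $signer
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        OkToInstall = ($sig.Status -eq 'Valid') -and $fromMicrosoft
    }
}

# Hypothetical staging folder where downloaded patches wait before imaging.
$Staging = 'C:\PatchStaging'

Get-ChildItem -Path $Staging -Recurse -File -Include *.exe, *.msi, *.msu |
    ForEach-Object { Test-MicrosoftSigned -Path $_.FullName } |
    Sort-Object OkToInstall |
    Format-Table File, Status, OkToInstall, Signer -AutoSize
```

Any file where `OkToInstall` is false (unsigned, altered after signing, or signed by someone else) should be left out of the image and downloaded again from Microsoft.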

Network Security

It's vital you keep your network secure. Nowadays there are innumerable types of network attacks and the availability of "network-hacking tools" has been growing exponentially over the last 5 years. The most common kind of network attack is called a "Reconnaissance" attack. It is essentially a series of information gathering activities by which hackers collect data that is used to later compromise networks.

A dedicated and well-configured firewall is the best way to protect your public computers against these attacks. In the case of a wireless or “WiFi” router, password-protected security measures such as WPA or WEP encryption are essential to a secure network. The most secure way to protect a wireless network is through a process known as “MAC address filtering” (which has nothing to do with Apple machines :) but this requires quite a bit more work.

Ensuring virus scanning software is on every computer and up to date is another important tool for a secure network.

Desktop Lockdown

Many organizations struggle when it comes to offering both a secure and enjoyable public computing experience. Public computers are sometimes locked-down to the point where functionality or the "user experience" suffers. This is also the source of the highest work-burden when it comes to offering computer services to the public.

There are many Microsoft Windows options for locking down a desktop. Many organizations opt for Microsoft's "Windows Group Policy" feature but this requires both technical knowledge and work on the part of your IT staff. It also can easily lead to the "locked-down, locked-out" user experience--in some cases the user is limited to just a web browser and a word processor, not even being allowed to use media player, instant messaging or PDF reader applications.

Another option is a drive shield program such as “Clean Slate”. These programs return the desktop to the same image every time the computer is rebooted. Anything changed on the desktop is wiped clean. If you choose this option, be sure to regularly build and re-build your hard drive images allowing for updates to Windows, Java, Office, PDF reader etc. This ensures desktop and network security is maintained (as those vital updates are often closing security loopholes) while also ensuring your end users have access to up-to-date software.

Some organizations see removable media such as DVDs or USB flash drives as a security concern. Your months of hard work to secure a Windows computer could be circumvented in 20 seconds with a patron's malicious USB drive. If you've locked down your desktops well you should feel comfortable allowing removable media, but be warned that USB keys can not only completely circumvent your lock-down software.

At the end of the day, some patrons will find work-arounds to the most commonly used desktop-lockdown software. Security holes are often published on the net to allow patrons to bypass your time management software or desktop lock down. No matter how much work you put into desktop security, someone out there can hack into it. It's a matter of finding the right balance between security and workload. If you're not careful, desktop security can become a never ending, full time task.

Physical Security

Sometimes the real work of securing your public computers is not all about software security but about physically securing your hardware and peripherals from tampering or theft. While software keystroke loggers can be a real concern, you are actually far more likely to come across a USB-based hardware keylogger, which could be nearly undetectable if the patron is discreet enough. Hardware keyloggers account for the majority of cases of "identity theft" related to public computers. Once a hardware keystroke logger is plugged into a rear USB port, it will store any and all keystrokes made by your PAC patrons, ready for the offending "data thief" to come and pick up at a later time.

Of course theft can also be a serious issue; there are many ways you can help to ensure that it never becomes a real issue but one of the simplest ways is to enable your computer's built-in "case intrusion" option which will sound an alarm if a computer's chassis is tampered with. Safely tucking computer towers away in locked cabinets or cupboards can help immensely and in the case of securing devices such as USB hubs, mice and keyboards a computer security "cable lock system", which is similar to a bicycle lock, can ensure that no one walks away with an important component of your PAC.

Alternatives to Managing Your Own Public Computer Security

Many libraries lack either the IT staff or the time (or both) to set up and maintain a time-consuming public computer security program. While this work is vital, the expense is high both in terms of software and in terms of staff time and headaches. If your library is looking for a new approach with tight security and excellent patron usability that does not require staff to manage and maintain your desktops, that is Userful's area of expertise. You can learn more by contacting info@userful.com, calling 1-800-301-9018 or visiting http://library.userful.com


Userful is an Alberta-based company founded in 1999. In 2002, Userful launched Userful Desktop™ (formerly DiscoverStation), a public computing solution designed from the ground up for libraries. While the system has since been adopted by many other industries, libraries remain at the heart of the product with an average of 17,000 patrons logging into Userful Desktops every day. http://library.userful.com