System Evaluation
System Description
Being relatively unexperienced with computers, I stuck to a cursory evaluation of my own computer's security. The computer in question is a Dell Dimension 8250. It runs off of a 2.4 GHz Pentium 4 processor with 256 Mb of RAM. The operating system in use is Windows XP home version. Also of note, the file sharing service Kazaa is installed an intermittently used. This might somehow be a security risk to the system, but whether or not this is true might not be covered in the scope of this analysis. The computer connects to the Internet via Roadrunner cable modem. A Belkin router connects to a linksys wire/wireless router , which in turn connects to the cable modem.
Testing Criteria
The criteria for the security test are relatively straightforward and generic. The first area of testing would have to concern the account password on the computer. As mentioned in serveral security books and guides, weak passwords make up possibly the biggest and most obvious threat to information security. The second area of testing whill be for accessibility and leaks. With technology stepping up on all fronts, a rising area of concern is the accessibility of your computers by remote third parties. The third criterion for testing will deal with the software, including the antivirus and the updates for windows. Finally, the physical security of the station will be taken into account.
Test Results
Password Security
For checking my passwords, I used the trial version of LC4, formerly known as lophtcrack. Although the program failed to crack my password, it did point out a few accounts like "Guest", "Administrator", and "Support", that had empty passwords. This could have been a serious liability, since anyone could pretty much log in without any need for passwords. Also, since the trial version didn't have brute force cracking enabled, it wasn't much use in determining the true strengh of my system password. Moreover, for reasons of convenience, no password was even needed to log on to the computer or get it out of the screensaver. This made the password strength pretty much a moot point.
Remote Accessibility
I used two different programs to test this. First I used Spybot, the software piece I evaluated earlier. Testing for 6333 different types of spyware, my system came up with 27 instances, all of which were fixable. Most of these were tracking cookies, meaning that they leaked back information to websites about site usage or so. This didn't seem too dangerous. The port scan I did at http://www.cablemodemhelp.com/portscan.htm (Noticed it on Anne Bauers' Site) didn't reveal any potentially dangerous open ports. Still, with 60,000 ports, and many of them unassigned, there could easily be a weakness here to be exploited. Overall, in this criterion, security seemed acceptable. In the balance betwen convenience and security, some spyware and open ports are needed to get a fuller functionality out of the Internet.
Software/ Antivirus Strength
The antivirus software for this system is Norton Antivirus 2002. The program checks sent files from AIM, and keeps a constant watch with the auto-protect function enabled. Every Friday, a full diagnostic virus check is run automatically. However, this program does have limitations. First of all, with my subscription having been expired, the program has not been updated since late March. This means that none of the newest viruses have been added to the virus library, rendering this program somewhat obsolete. This may be the reason why the program still his three quarrantined programs that cannot be fixed yet.
The Home Version of Windows XP comes with a side program to automatically search for updates and prompt the user to download them. This is useful in keeping the computer continually safer, fixing and exploitable bugs as they are discovered. However, the new updates sign is somewhat annoying and easy to ignore, thus leaving security up to the person at the computer. Otherwise, with the latest update, this computer should be just about as safe as any other Windows XP computer used for home.
Physical Security
As this system is a desktop computer, there is less of a risk of it being lost or stolen in public places. Still, access to the computer and its information is available to anyone who enters the apartment. As stated before, no passwords are needed to get into the system's administrator access and access any files. While a few documents are password protected, I have serious doubts about the strength of the Microsoft Word password encryption function. That being said, there have been occasions where outsiders have gained access to files on the system and managed to steal or alter information.
Recommendations
There are many things I could do to make this system more secure. First off, I could change the account confiurations to tighten up access. I should look into setting passwords for the administator and guest accounts, and make sure there are no wide open doors into the system. Also, I could set the security higher so that a password would be needed to break the screensaver once the account is logged in. A good password is not worth much if it's not used.
In addition to this, I could probably make my system more secure by keeping out programs like Kazaa, which add spyware and open up computer files to others. A higher security setting on IE could help, but may hinder surfring and online transactions. Constantly checking for Spybot updates could help more too at minimal cost in time or energy. As for software, I could pay better attention to updates and download them as they are updated. If Microsoft knows about a possible hole, then so must hackers. Responsiveness is important. For Norton Antivirus, I should probably just register it and pay the money. A system without a good antivirus program is highly vulnerable.
The physical aspect of security seems unavoidable. Aside from implementing a screensaver password, there's not much to do. Maybe put a lock on the door to the computer, but that might be overboard. Computers are meant to be used, and information to be shared. While there are many things I could do to secure this system, not all of them are worth the sacrifices that would keep my computer from doing what I bought it to do.