Endpoint Protection and System Compliance

To operate the PIK computer network securely and to protect users' valuable data, the IT-Services Team provides in-depth security and expert knowledge across all system platforms at PIK.

In-Depth Security and Endpoint Protection

Security is an important aspect of a reliable computer configuration, and is also an integral part of systems management throughout the life cycle of the machines at PIK. The Client Computers and Helpdesk Team provides standard computers that are configured for reliable and secure use, within the boundary conditions that exist in a research institute such as PIK.

Unsolicited code, and in particular malware such as viruses, worms and backdoors, is a major threat to the reliability of computers. Standard workplace computers at PIK are therefore protected by multiple security layers. These operate at the level of the individual system, on the Institute's networks and services, and even virtually in front of the Institute's IT infrastructure, such as the protection against unsolicited email (spam protection) provided by DFN.

PIK Windows systems (which are in particular threatened by malware) are protected by a managed antivirus solution and desktop firewalls. The IT experts of the Client Computers and Helpdesk Team are responsible for managing the endpoint protection, and maintaining the compliance of these computers.

[Figure: Evard's life cycle]

Initial state (blue): machines are deployed with a standard hard- and software configuration, and a customized user environment
Reliable state (green): this is the state that has to be maintained, using routines such as access control, update deployment and malware protection
Trustless state (red): when an operating system is not properly protected against attacks and exploits, it might get infected with stealth malware (such as rootkits) and can no longer be used; it has to be rebuilt instead. This scenario is a threat to the coherence of the user’s data, and thus has to be avoided.

Pro-active Measures and Mitigation

The Client Computers and Helpdesk Team monitors the security alerts related to workplace computers and adjusts the parameters of the protection systems if required. Team members apply the measures required to intercept possible threats and to minimize the impact in case of an incident. They communicate with the computer users about these measures and their implications, and provide general advice and knowledge for operating a computer in a secure manner.

Support and Advisory

The Client Computers and Helpdesk Team supports secure communications through services such as SSH and VPN. We provide guidance on the secure use of mobile computers that are connected to public networks (WLANs, external ISPs). We also provide support for solving a broad range of issues related to secure Internet communication.

REFERENCES

• An Analysis of UNIX System Configuration, by Rémy Evard (Argonne National Laboratory), http://www.usenix.org/publications/library/proceedings/lisa97/full_papers/20.evard/20_html/main.html

• Malware Protection of Windows Computers at PIK, by Dietmar Gibietz-Rheinbay (PIK),