Wednesday, October 14, 2015

security - Hardening a financially critical Windows computer



One of the risks to small and medium businesses is losing your bank credentials to bad guys by use of a key logger or other malware, as Bruce Schneier blogs about. A particular threat is real-time key loggers, as described in the NY Times. The bottom line is that with commercial bank login information, bad guys can wire money out of your accounts and there may be no recourse. Commercial bank account logins are truly the keys to the kingdom.



I’ve decided to substantially increase the security on the machines where these bank credentials are used. My standard security recommendations are Windows XP SP3 with patches being applied automatically nightly. Virus protection is on (we generally use ESET). Users are Limited users; they can’t add software. Software restrictions prevent the user from accidentally or deliberately downloading software and running it out of their user directory. We use IE8 because of the ease of managing it in an Active Directory environment, but I recognize this as a potential weakness. Unfortunately, the most likely vector of a zero-day exploit is Flash or Acrobat, both of which we use.



Security is always a tradeoff of convenience versus safety, so answers and suggestions should give pros and cons. I’m going to answer with a few suggestions, so you can see where my thoughts are going.


Answer



You could set up another PC with Linux/BSD on it that is only used for accessing the bank web site. If you really wanted to get paranoid, you could put it on its own dedicated Internet connection and not have anything else connected to it on the regular network. This gives you benefits similar to dual boot while still keeping the Windows PC available for other tasks. The downside is additional hardware/software to maintain. There's always the possibility that some nefarious employee could put an inline hardware USB keylogger between the keyboard and the computer regardless of what/how you secure the operating system and software.

