Linux Foundation publishes best practices for secure workstations
The Linux Foundation (LF) gave internet users a peek into its employees' security practices in a GitHub post this past week that details the techniques its staff use to keep their workstations secure.
“You may read this document and think it is way too paranoid,” the non-profit wrote, “while someone else may think this barely scratches the surface. Security is just like driving on the highway – anyone going slower than you is an idiot, while anyone driving faster than you is a crazy person.”
In either case, the group wrote, its guidelines are meant to be a “basic set of core safety rules” that don't replace “experience, vigilance, and common sense.”
LF rated its recommendations on a four-level scale, ranging from “Critical,” or items that “should definitely be high on the consideration list,” to “Paranoid,” or items that will “drastically improve your workstation security, but will probably require a lot of adjustment to the way you interact with your operating system.”
Among its suggestions are installing browser privacy add-ons, such as the Electronic Frontier Foundation's Privacy Badger and HTTPS Everywhere, and using a password manager. Strong passphrases should also be used, especially for protecting private SSH and PGP keys.
Beyond these more personal computing choices, LF wrote that systems that support SecureBoot should always be used because they protect against “many attacks targeting workstations.” The group admitted this could be seen as controversial, but it was “better than having nothing at all.”
The group also rated using full disk encryption with a “robust” passphrase as critically important, noting that the passphrase should be two or three words long, easy to type and drawn from “rich/mixed” vocabularies. LF added that writing a passphrase down and keeping it somewhere away from the work desk is an acceptable security measure.
Encryption should also be set up on workstation backups to external storage, and when browsing online, two browsers should be used: one for “work/high security sites” and the other for “everything else.”
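Three of the items above (SecureBoot enabled, the root filesystem on an encrypted volume, and private SSH keys protected by a passphrase) can be checked mechanically. The script below is an added example written for this article, not code from the Linux Foundation's document; it assumes the efivarfs layout (4 attribute bytes followed by the variable data), the LUKS on-disk magic, and the two OpenSSH private-key container formats, and the sample keys it embeds are constructed header-only stubs, not real keys.

```python
"""Audit a Linux workstation against three LF checklist items:
SecureBoot on, root on a dm-crypt/LUKS volume, SSH keys passphrase-protected.
Added example; not part of the Linux Foundation guidelines."""
import base64
import glob
import os
import struct
import subprocess

# efivarfs path of the SecureBoot variable (EFI global variable GUID).
EFIVAR_SECUREBOOT = ("/sys/firmware/efi/efivars/"
                     "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
LUKS_MAGIC = b"LUKS\xba\xbe"          # shared by LUKS1 and LUKS2 headers


def secure_boot_enabled(efivar_bytes):
    """efivarfs exposes 4 bytes of attributes, then the data; SecureBoot's
    data is one byte, 1 when the firmware is enforcing signatures."""
    return len(efivar_bytes) >= 5 and efivar_bytes[4] == 1


def luks_version(header_bytes):
    """Return the LUKS header version (1 or 2), or None if the magic is absent.
    Offset 6 holds a big-endian uint16 version in both LUKS1 and LUKS2."""
    if len(header_bytes) < 8 or header_bytes[:6] != LUKS_MAGIC:
        return None
    return struct.unpack(">H", header_bytes[6:8])[0]


def ssh_key_is_encrypted(key_text):
    """True if an OpenSSH private key file is passphrase-protected.
    Modern keys use the 'openssh-key-v1' container, whose first string field is
    the cipher name ('none' means unencrypted). Legacy PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header when encrypted."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", body[off:off + 4])
        ciphername = body[off + 4:off + 4 + n]
        return ciphername != b"none"
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)


def _stub_openssh_key(ciphername):
    """Constructed header-only openssh-key-v1 container for testing (not a
    usable key): magic, then the length-prefixed cipher name, then padding."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(ciphername)) + ciphername
    b64 = base64.b64encode(body + b"\x00" * 16).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_OPENSSH_PLAIN = _stub_openssh_key(b"none")
SAMPLE_OPENSSH_ENCRYPTED = _stub_openssh_key(b"aes256-ctr")
SAMPLE_PEM_ENCRYPTED = (  # constructed legacy PEM header; body is not a real key
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n")


def audit_workstation(ssh_dir=os.path.expanduser("~/.ssh")):
    """Run the checks against the live system; returns a dict of findings."""
    findings = {}
    try:
        with open(EFIVAR_SECUREBOOT, "rb") as f:
            findings["secure_boot"] = secure_boot_enabled(f.read())
    except OSError:
        findings["secure_boot"] = None        # BIOS boot or efivarfs absent
    try:
        root_src = subprocess.check_output(
            ["findmnt", "-n", "-o", "SOURCE", "/"], text=True).strip()
        # lsblk -s lists the device and its ancestors; a 'crypt' entry means
        # the root filesystem sits on a dm-crypt mapping.
        types = subprocess.check_output(
            ["lsblk", "-s", "-n", "-o", "TYPE", root_src], text=True).split()
        findings["root_on_crypt"] = "crypt" in types
    except (OSError, subprocess.CalledProcessError):
        findings["root_on_crypt"] = None
    unprotected = []
    for pub in glob.glob(os.path.join(ssh_dir, "*.pub")):
        priv = pub[:-4]
        if os.path.isfile(priv):
            with open(priv) as f:
                if not ssh_key_is_encrypted(f.read()):
                    unprotected.append(priv)
    findings["unprotected_ssh_keys"] = unprotected
    return findings


if __name__ == "__main__":
    for name, value in audit_workstation().items():
        print(f"{name}: {value}")
```

The parsers take bytes or text rather than paths so they can be exercised offline; `audit_workstation()` wires them to the live machine and reports `None` where a check cannot be made (for example on a BIOS-booted host). The LUKS check here relies on `lsblk` reporting a `crypt` ancestor, which does not need root; `luks_version()` is for the case where you can read the raw device header.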