Whether you are building a workstation or a server, you really need to choose an appropriate operating system. This may seem obvious: "I will use MS Windows!" However, Microsoft software is notoriously buggy; usually those bugs are security holes. Also, Microsoft is not always the correct answer. For example, often Apple Macintosh is a better choice for video and print production.

The things one must consider before building a server or workstation are:

• Tasks to be done on the system
• Monetary concerns (Total Cost of Ownership, available funds, etc.)
• Skills sets available (no matter how stable or secure software or an operating system is, you have to maintain it
• Hardware (CPU, memory, disk space, etc.)
• Types of software needed (based on task list)

You may be asking "What about security?" Well, security isn't just something you consider as an after thought or in one step. Every step, every decision must be made with security in mind. It might be said, "If you succeed in making a wonderful system or site, but the security is bad... you have succeeded in failing."

Some of the things that affect security are:

• Hardware choices (rare, but occasionally does affect security)
• Software
• Operating System
• Software Configuration
• Physical Security of System
• Security of Social and Psychological Factors

As an end to the First Things First, You need to make sure to choose an Operating System that is secure and does well for the desired tasks. You then need to choose software that is up to the task and is secure. As stated, hardware can, but rarely does play a major roll in security. So, make sure to choose hardware that is in budget, performs well, and runs the Operating System and Software selected.

For most servers and many workstations a good free Unix-like OS would be the recommendation that I make. Unix is stable and fast. The free Unix-like OSes (as listed above in recommended platforms) tend to fix security holes quickly, and are less likely to have security holes in the core utilities and kernel to begin with.

For more mainstream desktops or workstations, you are left with Macintosh OS X (which, whenever possible I would recommend over Windows) and Microsoft Windows. While Microsoft has made a more secure and stable version of Windows in XP, it still suffers from too many security holes and more of a lack of stability.

No matter which Operating System you choose, make sure you always, and I mean, always keep your Operating System up to date. This is especially true whenever the distributor or manufacturer posts notices about security holes.

One final note on Operating Systems, checking a systems track record for security is one way of gaging if it is secure. The better the track record, the more secure it is likely to be. However, this is only one indicator. Many times this can become a false indicator, so do not rely too heavily upon it.

Unfortunately, software selection often is hard. Not all task oriented software has choices that are secure. Try to ensure that it is, before your choose.

The biggest factor in securing software is the configuration, it even applies to the Operating System. You can take software, such as Apache (which tends to be very secure and stable), and turn it into an open invitation to pillage your system. To avoid such mistakes, make sure you understand the configuration options for your software. Create a policy (the configuration is the embodiment of the policy) that allows activities you would like to be done, but makes it difficult or impossible to do any undesired activities.

The balance between allowing all good and/or wanted activities and denying the others is hard to achieve. Security is a balancing act after all. The more secure the system, the less that can be done with it. Also, you may not be able to do all that you want and still deny everything else. Carefully balance your choices and carefully watch your systems. Vigilance is the key to all security.

There are hundreds of physical security experts and consulting firms. Therefore, I will only briefly touch on this.

Software/System security means very little if someone can gain physical access to a system/machine. You need to control physical access by the use of locks, keys or key cards, and preferably, human security. Human security amounts to posting a guard or other employee that watches the controlled environment and knows who and who shouldn't be allowed. Preferably, this individual should have a list of names, job descriptions, and either know the people by face, or have images of everyone. This allows for tight physical security of the systems.

One of the favorite tricks of many hackers (incorrect use of the term, the correct term is cracker) is what is called social engineering. It takes advantage of people's ignorance and the desire to be helpful.

Simples steps to overcome these problems include:

• Educate users about common passwords and tell them to avoid them
• Educate users about not using personal information (which often is easily guessed) as passwords
• Educate users about not giving their password to anyone, even if they claim to be the IT/Technical support department
• Educate users about how to remember passwords without writing them down
• Enforce a policy of password expiration
• Educate users to not provide system information to anyone. This information includes IP addresses, host names, software installed, etc. Again, don't provide this to anyone over the phone, even if they claim to be from the IT department

It is all to common for people to fall pray to the social engineering tactics of those who would want into a system. Educating yourself and your users is really the only defense against such tactics.

On January 24, 2003 GMT, the SQL Slammer worm hit the INTERNET hard. There were two factors of human stupidity, laziness and/or arrogance that caused this to be a problem. They are:

• The bug was known and a fix available for months. People just didn't install it.
• MS SQL is a database... why was it open to the world?

Every computer, personal or not, should have at least a simple firewall protecting it these days. You should only accept connections to services that belong being connected to. Generally, databases and other similar services should not be connected directly to from the outside world. Had people followed this rule and had decent firewalls setup, Slammer would not have been able to spread.

So, what is a firewall? A firewall is a program that resides on a router or other dedicated system (sometimes a firewall can be a black box, which you would view as configurable hardware). This program can be told what kinds of traffic (based on connection state, where the connection was initiated, what port numbers and protocol type [TCP,UDP,ICMP,etc.]) can and cannot pass. They are not fool proof. Most of the time they don't understand the upper-level protocols such as FTP, HTTP, SMTP, etc. They can be used in conjunction with smart proxies which can and do filter those appropriately.

So, if I install a firewall, will I be perfectly safe? No, but it can go a long way to keep people out of your system. It can help keep viruses out, personal/corporate data in, and definitely help stop worms such as the SQL Slammer. Linux, and most Unix-like Operating Systems, have built in firewalling code that can make very advanced firewalls. For Windows and Macintosh, there are free and commercially available firewalls. I really can't recommend one as all of my networks have Linux routers and I use those features available for firewalling.

Many people consider spam to be just another annoyance. Some less than knowledgeable people think I am crazy listing a virus scanner and a spam filter under security tools. More and more viruses and worms are being used to spread spam and spam to spread viruses and worms.

These together are used to perpetrate fraud on the netizens of the world. They are often also used to help with or do the actual social engineering. They are a danger to private and public networks and systems. Please, if you don't use the antivirus or spam filter software I recommend above, use something!

I hear it all the time, even from so called experts such as those on TechTV's "The Screen Savers": "You don't need a firewall on your personal computer. The bad guys are only out to get the companies, etc." If this is the case, why, during the little time after my parents switched to a high speed connection to the time I was able to setup the firewall to work in that situation, were people infecting the open shares (which they didn't know about, since Windows XP sets them up automatically) with viruses? Why were people trying to hack their systems?

The sad truth is, there are a so many different motives to hack and crack (the black hat hackers are known as crackers). They range from personal exploration, to problem causing, to possible personal/financial gain, etc. Many of the hacker community, along with the crackers, often warn home users, "Even if you don't care about who has your data, please secure your system." OK, so you have no personal information that you personally care to keep private. Through your negligence though, the crackers can hack your machine and use it to make trouble for others. In fact, taking over your machine is a great tactic for a hacker. They can hide their tracks by using your machine to launch an attack (whether a Denial of Service or an attempt to break into a machine). In some areas of the law, you allowing them, through negligence, to do so could amount to a civil or criminal matter. I believe it is only a matter of time before this is the case. Not only that, but people may think you are the one causing problems and you may have a hard time proving it wasn't you.

Legal matters aside, the INTERNET is a cooperative system. It only works if people work together. Please, for the benefit of others, secure your personal systems and networks. It will save you headaches and definitely will help others.

I do contract work when it is requested. My rates are reasonable and I do a thorough job. Please be aware, it is very difficult to guarantee that a system is secure. I do the best job possible to ensure that it is secure. However, simple changes in configuration can invalidate any statements concerning the security of a system. Also, without going through all the programming for a given system, all policies, etc., with a very fine-tooth comb it is impossible to say with 100% certainty that a system or network of systems is totally secure. However, to not do security audits because there can be no guarantees is not only foolhardy, it may constitute negligence that can be punished under civil or criminal code. What may be even more important, it may cost you, as an individual, your job or your company millions of dollars. Get a security audit done by someone!