Lab and Instrument Controller Security
Shared lab computers and instrument controllers are often configured in a way that makes them more vulnerable to attacks. Follow the recommendations on this page to limit the risk of data loss or interruptions to research.
Back up data regularly
Back up all research and other important data regularly. Whether due to security problems, hardware failures, or mistakes, data can sometimes get lost. It is critical to have regular backups of research data to limit the risk of lost data. See Backup Guidelines for more details.
Back up device image
Lab computers and instrument controllers can involve complex configurations. When a lab computer is hacked and research data is destroyed, it is not sufficient to simply restore that data from backup. Often the computer itself will need to be rebuilt (this entails reinstalling the operating system and other necessary applications) to be sure any security problems are eliminated. Having a recent backup of the device image can make this process much simpler.
Keep software up to date
Malicious software often takes advantage of security flaws in common programs and operating systems. These flaws are routinely discovered and fixed in updates. To make sure your devices stay protected, keep the programs you use and the operating systems on your devices up to date when new updates become available.
No personal computing
To limit risks to important research data, use these systems only for their intended purpose. Do not use them for web browsing, email, or other functions.
Avoid insecure software
Unless absolutely required by the nature of the software running on the computer, do not install Java or Flash at all. Both are frequently subject to newly discovered security vulnerabilities, which are typically exploited very rapidly.
Configure central logging
Make sure event logging is enabled. Linux systems should be logging to syslog by default, while Windows systems have a default event log policy that should be adjusted to capture more information. Consider sending log data to a central syslog server rather than relying solely on local logs, which can be lost or damaged if a hardware or security problem occurs. If you would like to send syslog data to IMSS log servers, please contact Information Security.
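As an added example (not part of the original page and not an IMSS tool), the following Python check reads an rsyslog configuration and reports whether a Linux host forwards its logs to a central server or keeps them locally only. The host name logs.example.edu and both sample configurations are constructed placeholders; only the legacy `@`/`@@` form and `omfwd` actions are recognized.

```python
import re

# Legacy forwarding line: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP).
LEGACY = re.compile(r'^\s*\S+\s+(@@?)([A-Za-z0-9.\-]+)(?::(\d+))?\s*$')
# RainerScript action(...) object, possibly spanning several lines.
ACTION = re.compile(r'action\s*\((.*?)\)', re.S | re.I)
PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def forwarding_targets(conf_text):
    """Return (host, port, protocol) for each remote syslog destination."""
    # Drop comments first so commented-out forwarding rules do not count.
    lines = [re.sub(r'#.*', '', ln) for ln in conf_text.splitlines()]
    targets = []
    for ln in lines:
        m = LEGACY.match(ln)
        if m:
            proto = 'tcp' if m.group(1) == '@@' else 'udp'
            targets.append((m.group(2).lower(), int(m.group(3) or 514), proto))
    for body in ACTION.findall('\n'.join(lines)):
        p = {k.lower(): v for k, v in PARAM.findall(body)}
        if p.get('type', '').lower() == 'omfwd' and 'target' in p:
            targets.append((p['target'].lower(), int(p.get('port', 514)),
                            p.get('protocol', 'udp').lower()))
    return targets

def audit(conf_text, expected_host):
    """List problems with central logging; an empty list means it is in place."""
    targets = forwarding_targets(conf_text)
    if not targets:
        return ['logs are kept locally only: no remote syslog destination']
    if expected_host.lower() not in [t[0] for t in targets]:
        return ['logs are forwarded, but not to ' + expected_host]
    return []

# Constructed sample configs; logs.example.edu is a placeholder host name.
LOCAL_ONLY = """
auth,authpriv.*   /var/log/auth.log
#*.* @@logs.example.edu:514
"""
FORWARDING = """
auth,authpriv.*   /var/log/auth.log
action(type="omfwd" target="logs.example.edu" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_central"
       action.resumeRetryCount="-1")
"""

if __name__ == '__main__':
    for name, conf in (('local-only', LOCAL_ONLY), ('forwarding', FORWARDING)):
        print(name, audit(conf, 'logs.example.edu') or 'OK')
```

The queue settings in the forwarding sample let rsyslog buffer messages while the central server is unreachable, so a network interruption does not silently drop them.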
Designate a responsible person
Assign a person or group to be responsible for the management of this computer, and to act as a technical point of contact.
Register a static IP address
If the computer requires a network connection, request a static IP address for it from the IMSS Hostmaster. Provide a contact address for the responsible person or group, the location of the computer, and a suggested name.
Run a local software and/or hardware firewall
Make sure the local software firewall on the computer is enabled and properly configured. If a device does not support a software firewall, consider placing it behind a hardware firewall.
Restrict or disable remote access
If remote access to the lab computer is required, restrict it to campus only, and have off-campus users access the system by connecting to campus via the Caltech VPN first. Consider implementing Duo Security two-factor authentication for remote access. Ensure that any remote out-of-band management (IPMI, Active Management Technology, etc.) is not accessible remotely, preferably by assigning IPMI a non-routable, static IP address. There are numerous security concerns with these management technologies, many of which can lead to complete remote compromise of the affected system. For more information see: