Best Practices for Keeping Your Home Network Secure
The Information Assurance Mission at NSA
April 2011

The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet.

Host-Based Recommendations

Windows Host OS

1. Migrate to a Modern OS and Hardware Platform
Both Windows 7 and Vista provide substantial security enhancements over earlier Windows workstation operating systems such as XP. Many of these security features are enabled by default and help prevent many common attack vectors. In addition, implementing the 64-bit mode of the OS on a 64-bit hardware platform substantially increases the effort of an adversary to attain a system or root compromise. For any Windows-based OS, verify that Windows Update is configured to provide updates automatically.

2. Install a Comprehensive Host-Based Security Suite
A comprehensive host-based security suite provides support for anti-virus, anti-phishing, safe browsing, Host-based Intrusion Prevention System (HIPS), and firewall capabilities. These services work collaboratively to provide a layered defense against most common threats. Several security suites today provide access to a cloud-based reputation service for leveraging corporate knowledge and history of malware and domains. Remember to enable any automated update service within the suite to keep signatures up-to-date.

3. Limit Use of the Administrator Account
The first account that is typically created when configuring a Windows host for the first time is the local administrator account. A non-privileged “user” account should be created and used for the bulk of activities conducted on the host, including web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and to reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host. Within Vista or Windows 7, administrative credentials can be easily accessed by right clicking on any application, selecting the “Run as Administrator” option, then providing the appropriate administrator password. Furthermore, all passwords associated with accounts on the host should be at least 10 characters long and be complex (include upper case, lower case, numbers, special characters).

4. Use a Web Browser with Sandboxing Capabilities
Several currently available third party web browsers now provide a sandboxing capability that can contain malware during execution, thereby insulating the host operating system from exploitation. Most of these web browsers also provide a feature to auto-update or at least notify you when updates are available for
download. Also, promising approaches that move the web browser into a virtual machine (VM) are starting to appear on the market but are not yet ready for mass consumer use.

5. Update to a PDF Reader with Sandboxing Capabilities
A sandbox provides protection from malicious code that may be contained in a PDF file. PDF files have become a popular technique for delivering malicious executables. Several commercial and open source PDF readers now provide sandboxing capabilities as well as block execution of embedded URLs (website links) by default.

6. Migrate to Microsoft Office 2007 or Later
If using Microsoft Office products for email, word processing, spreadsheets, presentations, or database applications, upgrade to Office 2007 or later and its XML format for storing documents. By default, the XML file formats do not execute embedded code when opened within Office 2007 or later products, thereby protecting the user from malicious code delivered via Office documents. The Office 2010 suite also provides “Protected View” mode, which opens documents in read-only mode, thereby potentially minimizing the impact of a malicious file.

7. Keep Application Software Up-to-Date
Most home users do not have the time or patience to verify that all applications installed on their workstation are fully patched and up-to-date. Since many applications do not have an automated update feature, attackers frequently target these applications as a means to exploit a targeted host. Several products exist in the market which will quickly survey the software installed on your workstation and indicate which applications have reached end-of-life, require a patch, or need updating. For some products, a link is conveniently provided in the report to download the latest update or patch.

8. Implement Full Disk Encryption (FDE) on Laptops
Windows 7 Ultimate as well as Vista Enterprise and Ultimate provide support for BitLocker Full Disk Encryption (FDE) natively within the OS. For other versions of Windows, third party FDE products are available that will help prevent data disclosure in the event that a laptop is lost or stolen.

Apple Host OS

1. Maintain an Up-to-Date OS
Configure any Mac OS X system to automatically check for updates. When notified of an available update, provide privileged credentials in order to install the update. The Apple iPad should be kept up-to-date as well and requires a physical connection (e.g., USB) to a host running iTunes in order to receive its updates. A good practice is to connect the iPad to an iTunes host at least once a month or just prior to any travel where the iPad will be used.

2. Keep Third Party Application Software Up-to-Date
Periodically check key applications for updates. Several of these third party applications may have options to automatically check for updates. Legacy applications may require some research to determine their status.

3. Limit Use of the Privileged (Administrator) Account
The first account that is typically created when configuring a Mac host for the first time is the local administrator account. A non-privileged “user” account should be created and used for
the bulk of activities conducted on the host, including web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and to reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host.

4. Enable Data Protection on the iPad
The data protection feature on the iPad enhances hardware encryption by protecting the hardware encryption keys with a passcode. The passcode can be enabled by selecting “Settings,” then “General,” and finally “Passcode.” After the passcode is set, the “Data protection is enabled” icon should be visible at the bottom of the screen. For iPads that have been upgraded from iOS 3, follow the instructions at: http://support.apple.com/kb/HT4175.

5. Implement FileVault on Mac OS Laptops
In the event that a Mac laptop is lost or stolen, FileVault (available in Mac OS X, v10.3 and later) can be used to encrypt the contents of a user’s home directory to prevent data loss.

Network Recommendations

1. Home Network Design
The Internet Service Provider (ISP) may provide a cable modem with routing and wireless capabilities as part of the consumer contract. To maximize the home user’s administration control over the routing and wireless device, deploy a separate personally-owned routing device (a) that connects to the ISP provided router/cable modem. Figure 1 depicts a typical home network configuration that provides the home user with the network infrastructure to support multiple systems as well as wireless networking and IP telephony services (b).

[Figure 1: Typical SOHO Configuration]

2. Implement WPA2 on Wireless Network
The wireless network should be protected using Wi-Fi Protected Access 2 (WPA2) instead of WEP (Wired Equivalent Privacy). Using current technology, WEP encryption can be broken in minutes (if not seconds) by an attacker, which afterwards allows the attacker to view all traffic passed on the wireless network. It is important to note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When researching suitable replacement devices, ensure that the device is WPA2-Personal certified.

3. Limit Administration to Internal Network
Administration of home networking devices should be from the internal-facing network. When given the option, external remote administration should be disabled for network devices. Disabling remote administration prevents an attacker from changing and possibly compromising the home network.
4. Implement an Alternate DNS Provider
The Domain Name Servers (DNS) provided by the ISP typically don’t provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites. Consider using either open source or commercial DNS providers to enhance web browsing security.

5. Implement Strong Passwords on all Network Devices
In addition to a strong and complex password on the wireless access point, a strong password needs to be implemented on any network device that can be managed via a web interface. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as email alerts and logging.

Operational Security (OPSEC)/Internet Behavior Recommendations

1. Traveling with Personal Mobile Devices
Many establishments (e.g., coffee shops, hotels, airports, etc.) offer wireless hotspots or kiosks for customers to access the Internet. Since the underlying infrastructure is unknown and security is often lax, these hotspots and kiosks are susceptible to adversarial activity. The following options are recommended for those with a need to access the Internet while traveling:
  a. Mobile devices (e.g., laptops, smart phones) should utilize the cellular network (e.g., mobile Wi-Fi, 3G or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with a cellular provider.
  b. Regardless of the underlying network, users can set up tunnels to a trusted VPN service provider. This option can protect all traffic between the mobile device and the VPN gateway from most malicious activities such as monitoring.
  c. If using a hotspot is the only option for accessing the Internet, then limit activities to web browsing. Avoid accessing services that require user credentials or entering personal information.
Whenever possible, maintain physical control over mobile devices while traveling. All portable devices are subject to physical attack given access and sufficient time. If a laptop must be left behind in a hotel room, the laptop should be powered down and have Full Disk Encryption enabled as discussed above.

2. Exchanging Home and Work Content
Government maintained hosts are generally configured more securely and also have an enterprise infrastructure in place (email filtering, web content filtering, IDS, etc.) for preventing and detecting malicious content. Since many users do not exercise the same level of security on their home systems (e.g., limiting the use of administrative credentials), home systems are generally easier to compromise. The forwarding of content (e.g., emails or documents) from home systems to work systems either via email or removable media may put work systems at an increased risk of compromise. For those interactions that are solicited and expected, have the contact send any work-related correspondence to your work email account.

3. Storage of Personal Information on the Internet
Personal information which has traditionally been stored on a local computing device is steadily moving to the Internet cloud. Examples of information typically stored in the cloud include webmail, financial information,
and personal information posted to social networking sites. Information in the cloud is difficult to remove and is governed by the privacy policies and security of the hosting site. Individuals who post information to these web-based services should ask themselves “Who will have access to the information I am posting?” and “What controls do I have over how this information is stored and displayed?” before proceeding. Internet users should also be aware of personal information already published online by periodically searching for their personal information using popular Internet search engines.

4. Use of Social Networking Sites
Social networking sites are an incredibly convenient and efficient means for sharing personal information with family and friends. This convenience also brings some level of risk; therefore, social network users should be cognizant of what personal data is shared and who has access to this data. Users should think twice about posting information such as address, phone number, place of employment, and other personal information that can be used to target or harass you. If available, consider limiting access to posted personal data to “friends only” and attempt to verify any new sharing requests either by phone or in person. When receiving content (such as third-party applications) from friends or new acquaintances, be wary that many recent attacks have leveraged the ease with which content is generally accepted within the social network community. This content appears to provide a new capability, when in fact there is some malicious component that is rarely apparent to the typical user. Also, several social networking sites now provide a feature to opt out of exposing your personal information to Internet search engines. A good recommendation is to periodically review the security policies and settings available from your social network provider to determine if new features are available to protect your personal information.

5. Enable the Use of SSL Encryption
Application encryption (also called SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit. SSL also prevents people who can see your traffic (for example at a public WiFi hotspot) from being able to impersonate you when logging into web based applications (webmail, social networking sites, etc.). Whenever possible, web-based applications such as browsers should be set to force the use of SSL. Financial institutions rely heavily on the use of SSL to protect financial transactions while in transit. Many popular applications such as Facebook and Gmail have options to force all communication to use SSL by default. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser.

6. Email Best Practices
Personal email accounts, either web-based or local to your host, are common attack targets. The following recommendations will help reduce your exposure to email-based threats:
  a. In order to limit exposure both at work and home, consider using different usernames for home and work email addresses. Unique usernames make it more difficult for someone targeting your work account to also target you via your personal accounts.
  b. Setting out-of-office messages on personal email accounts is not recommended, as this can confirm to spammers that your email address is legitimate and also provide awareness to unknown parties as to your activities.
  c. Always use secure email protocols if possible when accessing email, particularly if using a wireless network. Secure email protocols include Secure IMAP and Secure POP3. These protocols, or “always use SSL” for web-based
email, can be configured in the options for most email clients. Secure email prevents others from reading email while in transit between your computer and the mail server.
  d. Unsolicited emails containing attachments or links should be considered suspicious. If the identity of the sender can’t be verified, consider deleting the email without opening it. For those emails with embedded links, open your browser and navigate to the web site either by its well-known web address or by searching for the site using a common search engine. Be wary of an email requesting personal information such as a password or social security number. Any web service that you currently conduct business with should already have this information.

7. Password Management
Ensure that passwords and challenge responses are properly protected since they provide access to large amounts of personal and financial information. Passwords should be strong, unique for each account, and difficult to guess. A strong password should be at least 10 characters long and contain multiple character types (lowercase, uppercase, numbers, and special characters). A unique password should be used for each account to prevent an attacker from gaining access to multiple accounts if any one password is compromised. Disable the feature that allows programs to remember passwords and automatically enter them when required. Additionally, many online sites make use of password recovery or challenge questions. The answers to these questions should be something that no one else would know or find from Internet searches or public records. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.

8. Photo/GPS Integration
Many phones and some new point-and-shoot cameras embed the GPS coordinates for a particular location within a photo when taken. Care should be taken to limit exposure of these photos on the Internet, ensure these photos can only be seen by a trusted audience, or use a third-party tool to remove the coordinates before uploading to the Internet. These coordinates can be used to profile the habits and places frequented for a particular individual, as well as provide near-real time notifications of an individual’s location when uploaded directly from a smart phone. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.

Enhanced Protection Recommendations

The following recommendations require a higher level of administrative skills to implement and maintain on home networks than the previous recommendations. These recommendations provide additional layers of security but may impact your web browsing experience or require some iteration to adjust settings to the appropriate thresholds.

1. Enhanced Wireless Router Configuration Settings
Additional protections can be applied to the wireless network to limit access. The following security mechanisms do not protect against the experienced attacker, but are very effective against a less experienced attacker.
  a. MAC address or hardware address filtering enables the wireless access point to only allow authorized systems to associate with the wireless network. The hardware address
for all authorized hosts must be configured on the wireless access point.
  b. Limiting the transmit power of the wireless access point will reduce the area of operation (signal strength) of the wireless network. This capability curtails the home wireless network from extending beyond the borders of a home (e.g., parking lot or adjacent building).
  c. SSID cloaking is a means to hide the SSID, the name of a wireless network, from the wireless medium. This technique is often used to prevent the detection of wireless networks by war drivers. It is important to note that enabling this capability prevents client systems from finding the wireless network. Instead, the wireless settings must be manually configured on all client systems.
  d. Reducing the dynamic IP address pool or configuring static IP addresses is another mechanism to limit access to the wireless network. This provides an additional layer of protection to MAC address filtering and prevents rogue systems from connecting to the wireless network.

2. Disable Scripting Within the Web Browser
If using third party web browsers such as Firefox or Chrome, use NoScript (Firefox) or NotScript (Chrome) to prevent the execution of scripts from untrusted domains. Disabling scripting can cause usability issues, but is an effective technique to reduce web-borne attacks.

3. Enable Data Execution Prevention (DEP) for all Programs
By default, DEP is only enabled for essential Windows programs and services. Some third party or legacy applications may not be compatible with DEP, and could possibly crash when run with DEP enabled. Any program that cannot run with DEP enabled can be manually added to the DEP exemption list, but this requires some technical expertise.

Additional Published Guidance
Social Networking
http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf

Mitigation Monday #2 – Defense Against Drive By Downloads
http://www.nsa.gov/ia/_files/factsheets/I733-011R-2009.pdf

Mitigation Monday – Defense Against Malicious E-mail Attachments
http://www.nsa.gov/ia/_files/factsheets/MitigationMonday.pdf

Mac OSX 10.6 Hardening Tips
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Data Execution Prevention
http://www.nsa.gov/ia/_files/factsheets/I733-TR-043R-2007.pdf
SNAC DoD, 9800 Savage Rd. Ft. Meade, MD 20755-6704
www.nsa.gov/snac
SNAC@radium.ncsc.mil
NSA Creative Imaging – 48039
Windows Server 2008 Security Enhancements
 
ITE v5.0 - Chapter 8
ITE v5.0 - Chapter 8ITE v5.0 - Chapter 8
ITE v5.0 - Chapter 8
 
Android Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOXAndroid Security Maximized by Samsung KNOX
Android Security Maximized by Samsung KNOX
 

Destacado (10)

Oct 2010 flightlines
Oct 2010 flightlinesOct 2010 flightlines
Oct 2010 flightlines
 
Aviation spouse day may 2012 flier
Aviation spouse day may 2012 flierAviation spouse day may 2012 flier
Aviation spouse day may 2012 flier
 
Christmas hours (2010)
Christmas hours (2010)Christmas hours (2010)
Christmas hours (2010)
 
Community News Notes (24 Sep 2010)
Community News Notes (24 Sep 2010)Community News Notes (24 Sep 2010)
Community News Notes (24 Sep 2010)
 
10 feb 2012
10 feb 201210 feb 2012
10 feb 2012
 
9 sept 2011
9 sept 20119 sept 2011
9 sept 2011
 
13 may 2011
13 may 201113 may 2011
13 may 2011
 
Salute to the troops
Salute to the troopsSalute to the troops
Salute to the troops
 
Salute to the troops
Salute to the troopsSalute to the troops
Salute to the troops
 
Mod facebook places
Mod facebook placesMod facebook places
Mod facebook places
 

Similar a Nsa best practices for keeping your home network secure

Slicksheet best practicesforkeepingyourhomenetworksecure
Slicksheet best practicesforkeepingyourhomenetworksecureSlicksheet best practicesforkeepingyourhomenetworksecure
Slicksheet best practicesforkeepingyourhomenetworksecureMargus Meigo
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012WordCamp Sydney
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)David Sweigert
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
The Safest Way To Interact Online
The Safest Way To Interact OnlineThe Safest Way To Interact Online
The Safest Way To Interact Onlinepcsafe
 
Windows 7 security enhancements
Windows 7 security enhancementsWindows 7 security enhancements
Windows 7 security enhancementsNarenda Wicaksono
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security EnhancementsPresentologics
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.Khalil Jubran
 
18 windows phone 8.1 for the enterprise developer
18   windows phone 8.1 for the enterprise developer18   windows phone 8.1 for the enterprise developer
18 windows phone 8.1 for the enterprise developerWindowsPhoneRocks
 
Bus Tour Windows 7 Deck (Full)
Bus Tour   Windows 7 Deck (Full)Bus Tour   Windows 7 Deck (Full)
Bus Tour Windows 7 Deck (Full)Stephen L Rose
 
Desktop Alert Lite 4.0 Presentation
Desktop Alert Lite 4.0 PresentationDesktop Alert Lite 4.0 Presentation
Desktop Alert Lite 4.0 Presentationdesktopalert
 
Install Antivirus Software Week4.pdf
Install Antivirus Software Week4.pdfInstall Antivirus Software Week4.pdf
Install Antivirus Software Week4.pdfemersonrebibis1
 

Similar a Nsa best practices for keeping your home network secure (20)

Slicksheet best practicesforkeepingyourhomenetworksecure
Slicksheet best practicesforkeepingyourhomenetworksecureSlicksheet best practicesforkeepingyourhomenetworksecure
Slicksheet best practicesforkeepingyourhomenetworksecure
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)Study notes for CompTIA Certified Advanced Security Practitioner  (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
Ransomware
RansomwareRansomware
Ransomware
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Windows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep DiveWindows Phone 8 Security Deep Dive
Windows Phone 8 Security Deep Dive
 
The Safest Way To Interact Online
The Safest Way To Interact OnlineThe Safest Way To Interact Online
The Safest Way To Interact Online
 
Windows 7 security enhancements
Windows 7 security enhancementsWindows 7 security enhancements
Windows 7 security enhancements
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security Enhancements
 
Installers
InstallersInstallers
Installers
 
10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.10 steps to protecting your computer to the world of internet.
10 steps to protecting your computer to the world of internet.
 
18 windows phone 8.1 for the enterprise developer
18   windows phone 8.1 for the enterprise developer18   windows phone 8.1 for the enterprise developer
18 windows phone 8.1 for the enterprise developer
 
Windows 7 Professional Features
Windows 7 Professional Features Windows 7 Professional Features
Windows 7 Professional Features
 
Canada Windows 7 Tour
Canada Windows 7 TourCanada Windows 7 Tour
Canada Windows 7 Tour
 
Presentation
PresentationPresentation
Presentation
 
Bus Tour Windows 7 Deck (Full)
Bus Tour   Windows 7 Deck (Full)Bus Tour   Windows 7 Deck (Full)
Bus Tour Windows 7 Deck (Full)
 
Desktop Alert Lite 4.0 Presentation
Desktop Alert Lite 4.0 PresentationDesktop Alert Lite 4.0 Presentation
Desktop Alert Lite 4.0 Presentation
 
Install Antivirus Software Week4.pdf
Install Antivirus Software Week4.pdfInstall Antivirus Software Week4.pdf
Install Antivirus Software Week4.pdf
 
Top Keys to create a secure website
Top Keys to create a secure websiteTop Keys to create a secure website
Top Keys to create a secure website
 

Más de Fort Rucker FRSA

Más de Fort Rucker FRSA (20)

Soldier Show-2012
Soldier Show-2012Soldier Show-2012
Soldier Show-2012
 
Spouses Club Apr flier
Spouses Club Apr flierSpouses Club Apr flier
Spouses Club Apr flier
 
ACS Calendar April 2012
ACS Calendar April 2012ACS Calendar April 2012
ACS Calendar April 2012
 
Administrative Professional Day 2012
Administrative Professional Day 2012Administrative Professional Day 2012
Administrative Professional Day 2012
 
Bingo Rave
Bingo RaveBingo Rave
Bingo Rave
 
Dueling Pianos 14 April 2012
Dueling Pianos 14 April 2012Dueling Pianos 14 April 2012
Dueling Pianos 14 April 2012
 
Soldier show-2012
Soldier show-2012Soldier show-2012
Soldier show-2012
 
Spouses club apr flyer[3]
Spouses club apr flyer[3]Spouses club apr flyer[3]
Spouses club apr flyer[3]
 
Women's health 2012[1]
Women's health 2012[1]Women's health 2012[1]
Women's health 2012[1]
 
Sfp onesheet fort rucker mar2012
Sfp onesheet fort rucker mar2012Sfp onesheet fort rucker mar2012
Sfp onesheet fort rucker mar2012
 
24 feb 2012
24 feb 201224 feb 2012
24 feb 2012
 
Deployed spouse dinner flyer (feb 2012)
Deployed spouse dinner flyer (feb 2012)Deployed spouse dinner flyer (feb 2012)
Deployed spouse dinner flyer (feb 2012)
 
Spector soft internet lingo for parents
Spector soft internet lingo for parentsSpector soft internet lingo for parents
Spector soft internet lingo for parents
 
2012 aba symposium flyer
2012 aba symposium flyer2012 aba symposium flyer
2012 aba symposium flyer
 
All flight social march 2012
All flight social march 2012All flight social march 2012
All flight social march 2012
 
Dinner special-with-dueling-pianos2
Dinner special-with-dueling-pianos2Dinner special-with-dueling-pianos2
Dinner special-with-dueling-pianos2
 
3 feb 2012
3 feb 20123 feb 2012
3 feb 2012
 
Save the date_tci_enterprise_al
Save the date_tci_enterprise_alSave the date_tci_enterprise_al
Save the date_tci_enterprise_al
 
February
FebruaryFebruary
February
 
Feb calendar (2012)
Feb calendar (2012)Feb calendar (2012)
Feb calendar (2012)
 

Último

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 

Último (20)

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 

Best Practices for Keeping Your Home Network Secure
The Information Assurance Mission at NSA, April 2011

The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet.

Host-Based Recommendations

Windows Host OS

1. Migrate to a Modern OS and Hardware Platform
Both Windows 7 and Vista provide substantial security enhancements over earlier Windows workstation operating systems such as XP. Many of these security features are enabled by default and help prevent many common attack vectors. In addition, implementing the 64-bit mode of the OS on a 64-bit hardware platform substantially increases the effort of an adversary to attain a system or root compromise. For any Windows-based OS, verify that Windows Update is configured to provide updates automatically.

2. Install a Comprehensive Host-Based Security Suite
A comprehensive host-based security suite provides support for anti-virus, anti-phishing, safe browsing, Host-based Intrusion Prevention System (HIPS), and firewall capabilities. These services work collaboratively to provide a layered defense against most common threats. Several security suites today provide access to a cloud-based reputation service for leveraging corporate knowledge and history of malware and domains. Remember to enable any automated update service within the suite to keep signatures up-to-date.

3. Limit Use of the Administrator Account
The first account that is typically created when configuring a Windows host for the first time is the local administrator account. A non-privileged "user" account should be created and used for the bulk of activities conducted on the host to include web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host. Within Vista or Windows 7, administrative credentials can be easily accessed by right clicking on any application, selecting the "Run as Administrator" option, then providing the appropriate administrator password. Furthermore, all passwords associated with accounts on the host should be at least 10 characters long and be complex (include upper case, lower case, numbers, special characters).

4. Use a Web Browser with Sandboxing Capabilities
Several currently available third party web browsers now provide a sandboxing capability that can contain malware during execution thereby insulating the host operating system from exploitation. Most of these web browsers also provide a feature to auto-update or at least notify you when updates are available for
download. Also, promising approaches that move the web browser into a virtual machine (VM) are starting to appear on the market but are not yet ready for mass consumer use.

5. Update to a PDF Reader with Sandboxing Capabilities
A sandbox provides protection from malicious code that may be contained in a PDF file. PDF files have become a popular technique for delivering malicious executables. Several commercial and open source PDF readers now provide sandboxing capabilities as well as block execution of embedded URLs (website links) by default.

6. Migrate to Microsoft Office 2007 or Later
If using Microsoft Office products for email, word processing, spreadsheets, presentations, or database applications, upgrade to Office 2007 or later and its XML format for storing documents. By default, the XML file formats do not execute embedded code when opened within Office 2007 or later products, thereby protecting the user from malicious code delivered via Office documents. The Office 2010 suite also provides "Protected View" mode, which opens documents in read-only mode, thereby potentially minimizing the impact of a malicious file.

7. Keep Application Software Up-to-Date
Most home users do not have the time or patience to verify that all applications installed on their workstation are fully patched and up-to-date. Since many applications do not have an automated update feature, attackers frequently target these applications as a means to exploit a targeted host. Several products exist in the market which will quickly survey the software installed on your workstation and indicate which applications have reached end-of-life, require a patch, or need updating. For some products, a link is conveniently provided in the report to download the latest update or patch.

8. Implement Full Disk Encryption (FDE) on Laptops
Windows 7 Ultimate as well as Vista Enterprise and Ultimate provide support for BitLocker Full Disk Encryption (FDE) natively within the OS. For other versions of Windows, third party FDE products are available that will help prevent data disclosure in the event that a laptop is lost or stolen.

Apple Host OS

1. Maintain an Up-to-Date OS
Configure any Mac OS X system to automatically check for updates. When notified of an available update, provide privileged credentials in order to install the update. The Apple iPad should be kept up-to-date as well and requires a physical connection (e.g., USB) to a host running iTunes in order to receive its updates. A good practice is to connect the iPad to an iTunes host at least once a month or just prior to any travel where the iPad will be used.

2. Keep Third Party Application Software Up-to-Date
Periodically check key applications for updates. Several of these third party applications may have options to automatically check for updates. Legacy applications may require some research to determine their status.

3. Limit Use of the Privileged (Administrator) Account
The first account that is typically created when configuring a Mac host for the first time is the local administrator account. A non-privileged "user" account should be created and used for
the bulk of activities conducted on the host to include web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host.

4. Enable Data Protection on the iPad
The data protection feature on the iPad enhances hardware encryption by protecting the hardware encryption keys with a pass code. The pass code can be enabled by selecting "Settings," then "General", and finally "Pass code." After the pass code is set, the "Data protection is enabled" icon should be visible at the bottom of the screen. For iPads that have been upgraded from iOS 3, follow the instructions at: http://support.apple.com/kb/HT4175.

5. Implement FileVault on Mac OS Laptops
In the event that a Mac laptop is lost or stolen, FileVault (available in Mac OS X, v10.3 and later) can be used to encrypt the contents of a user's home directory to prevent data loss.

Network Recommendations

1. Home Network Design
The Internet Service Provider (ISP) may provide a cable modem with routing and wireless capabilities as part of the consumer contract. To maximize the home user's administration control over the routing and wireless device, deploy a separate personally-owned routing device (a) that connects to the ISP provided router/cable modem. Figure 1 depicts a typical home network configuration that provides the home user with the network infrastructure to support multiple systems as well as wireless networking and IP telephony services (b).

Figure 1: Typical SOHO Configuration

2. Implement WPA2 on Wireless Network
The wireless network should be protected using Wi-Fi Protected Access 2 (WPA2) instead of WEP (Wired Equivalent Privacy). Using current technology, WEP encryption can be broken in minutes (if not seconds) by an attacker, which afterwards allows the attacker to view all traffic passed on the wireless network. It is important to note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When researching suitable replacement devices, ensure that the device is WPA2-Personal certified.

3. Limit Administration to Internal Network
Administration of home networking devices should be from the internal-facing network. When given the option, external remote administration should be disabled for network devices. Disabling remote administration prevents an attacker from changing and possibly compromising the home network.
4. Implement an Alternate DNS Provider
The Domain Name System (DNS) servers provided by the ISP typically don't provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites. Consider using either open source or commercial DNS providers to enhance web browsing security.

5. Implement Strong Passwords on all Network Devices
In addition to a strong and complex password on the wireless access point, a strong password needs to be implemented on any network device that can be managed via a web interface. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as email alerts and logging.

Operational Security (OPSEC)/Internet Behavior Recommendations

1. Traveling with Personal Mobile Devices
Many establishments (e.g., coffee shops, hotels, airports, etc.) offer wireless hotspots or kiosks for customers to access the Internet. Since the underlying infrastructure is unknown and security is often lax, these hotspots and kiosks are susceptible to adversarial activity. The following options are recommended for those with a need to access the Internet while traveling:
a. Mobile devices (e.g., laptops, smart phones) should utilize the cellular network (e.g., mobile Wi-Fi, 3G or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with a cellular provider.
b. Regardless of the underlying network, users can set up tunnels to a trusted VPN service provider. This option can protect all traffic between the mobile device and the VPN gateway from most malicious activities such as monitoring.
c. If using a hotspot is the only option for accessing the Internet, then limit activities to web browsing. Avoid accessing services that require user credentials or entering personal information.
Whenever possible, maintain physical control over mobile devices while traveling. All portable devices are subject to physical attack given access and sufficient time. If a laptop must be left behind in a hotel room, the laptop should be powered down and have Full Disk Encryption enabled as discussed above.

2. Exchanging Home and Work Content
Government-maintained hosts are generally configured more securely and also have an enterprise infrastructure in place (email filtering, web content filtering, IDS, etc.) for preventing and detecting malicious content. Since many users do not exercise the same level of security on their home systems (e.g., limiting the use of administrative credentials), home systems are generally easier to compromise. The forwarding of content (e.g., emails or documents) from home systems to work systems either via email or removable media may put work systems at an increased risk of compromise. For those interactions that are solicited and expected, have the contact send any work-related correspondence to your work email account.

3. Storage of Personal Information on the Internet
Personal information which has traditionally been stored on a local computing device is steadily moving to the Internet cloud. Examples of information typically stored in the cloud include webmail, financial information,
and personal information posted to social networking sites. Information in the cloud is difficult to remove and governed by the privacy policies and security of the hosting site. Individuals who post information to these web-based services should ask themselves "Who will have access to the information I am posting?" and "What controls do I have over how this information is stored and displayed?" before proceeding. Internet users should also be aware of personal information already published online by periodically searching for their personal information using popular Internet search engines.

4. Use of Social Networking Sites
Social networking sites are an incredibly convenient and efficient means for sharing personal information with family and friends. This convenience also brings some level of risk; therefore, social network users should be cognizant of what personal data is shared and who has access to this data. Users should think twice about posting information such as address, phone number, place of employment, and other personal information that can be used to target or harass you. If available, consider limiting access to posted personal data to "friends only" and attempt to verify any new sharing requests either by phone or in person. When receiving content (such as third-party applications) from friends or new acquaintances, be wary that many recent attacks have leveraged the ease with which content is generally accepted within the social network community. This content appears to provide a new capability, when in fact there is some malicious component that is rarely apparent to the typical user. Also, several social networking sites now provide a feature to opt out of exposing your personal information to Internet search engines. A good recommendation is to periodically review the security policies and settings available from your social network provider to determine if new features are available to protect your personal information.

5. Enable the Use of SSL Encryption
Application encryption (also called SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit. SSL also prevents people who can see your traffic (for example at a public WiFi hotspot) from being able to impersonate you when logging into web-based applications (webmail, social networking sites, etc.). Whenever possible, web-based applications such as browsers should be set to force the use of SSL. Financial institutions rely heavily on the use of SSL to protect financial transactions while in transit. Many popular applications such as Facebook and Gmail have options to force all communication to use SSL by default. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser.

6. Email Best Practices
Personal email accounts, either web-based or local to your host, are common attack targets. The following recommendations will help reduce your exposure to email-based threats:
a. In order to limit exposure both at work and home, consider using different usernames for home and work email addresses. Unique usernames make it more difficult for someone targeting your work account to also target you via your personal accounts.
b. Setting out-of-office messages on personal email accounts is not recommended, as this can confirm to spammers that your email address is legitimate and also provide awareness to unknown parties as to your activities.
c. Always use secure email protocols if possible when accessing email, particularly if using a wireless network. Secure email protocols include Secure IMAP and Secure POP3. These protocols, or "always use SSL" for web-based
email, can be configured in the options for most email clients. Secure email prevents others from reading email while in transit between your computer and the mail server.

d. Unsolicited emails containing attachments or links should be considered suspicious. If the identity of the sender can’t be verified, consider deleting the email without opening it. For those emails with embedded links, open your browser and navigate to the web site either by its well-known web address or by searching for the site using a common search engine. Be wary of an email requesting personal information such as a password or social security number. Any web service that you currently conduct business with should already have this information.

7. Password Management

Ensure that passwords and challenge responses are properly protected since they provide access to large amounts of personal and financial information. Passwords should be strong, unique for each account, and difficult to guess. A strong password should be at least 10 characters long and contain multiple character types (lowercase, uppercase, numbers, and special characters). A unique password should be used for each account to prevent an attacker from gaining access to multiple accounts if any one password is compromised. Disable the feature that allows programs to remember passwords and automatically enter them when required. Additionally, many online sites make use of password recovery or challenge questions. The answers to these questions should be something that no one else would know or find from Internet searches or public records. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.

8. Photo/GPS Integration

Many phones and some new point-and-shoot cameras embed the GPS coordinates for a particular location within a photo when taken. Care should be taken to limit exposure of these photos on the Internet, ensure these photos can only be seen by a trusted audience, or use a third-party tool to remove the coordinates before uploading to the Internet. These coordinates can be used to profile the habits and places frequented for a particular individual, as well as provide near-real-time notifications of an individual’s location when uploaded directly from a smart phone. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.

Enhanced Protection Recommendations

The following recommendations require a higher level of administrative skills to implement and maintain on home networks than the previous recommendations. These recommendations provide additional layers of security but may impact your web browsing experience or require some iteration to adjust settings to the appropriate thresholds.

1. Enhanced Wireless Router Configuration Settings

Additional protections can be applied to the wireless network to limit access. The following security mechanisms do not protect against the experienced attacker, but are very effective against a less experienced attacker.

a. MAC address or hardware address filtering enables the wireless access point to only allow authorized systems to associate with the wireless network. The hardware address
for all authorized hosts must be configured on the wireless access point.

b. Limiting the transmit power of the wireless access point will reduce the area of operation (signal strength) of the wireless network. This capability curtails the home wireless network from extending beyond the borders of a home (e.g., parking lot or adjacent building).

c. SSID cloaking is a means to hide the SSID, the name of a wireless network, from the wireless medium. This technique is often used to prevent the detection of wireless networks by war drivers. It is important to note that enabling this capability prevents client systems from finding the wireless network. Instead, the wireless settings must be manually configured on all client systems.

d. Reducing the dynamic IP address pool or configuring static IP addresses is another mechanism to limit access to the wireless network. This provides an additional layer of protection to MAC address filtering and prevents rogue systems from connecting to the wireless network.

2. Disable Scripting Within the Web Browser

If using third-party web browsers such as Firefox or Chrome, use NoScript (Firefox) or NotScript (Chrome) to prevent the execution of scripts from untrusted domains. Disabling scripting can cause usability issues, but is an effective technique to reduce web-borne attacks.

3. Enable Data Execution Prevention (DEP) for all Programs

By default, DEP is only enabled for essential Windows programs and services. Some third-party or legacy applications may not be compatible with DEP, and could possibly crash when run with DEP enabled. Any program that cannot run with DEP enabled can be manually added to the DEP exemption list, but this requires some technical expertise.

Additional Published Guidance

Social Networking
http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf

Mitigation Monday #2 – Defense Against Drive By Downloads
http://www.nsa.gov/ia/_files/factsheets/I733-011R-2009.pdf

Mitigation Monday – Defense Against Malicious E-mail Attachments
http://www.nsa.gov/ia/_files/factsheets/MitigationMonday.pdf

Mac OSX 10.6 Hardening Tips
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Data Execution Prevention
http://www.nsa.gov/ia/_files/factsheets/I733-TR-043R-2007.pdf
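Section 8 (Photo/GPS Integration) above recommends removing embedded GPS coordinates before a photo is uploaded. The following Python example, added here and not part of the NSA document, shows what that looks like at the file level: it walks the JPEG marker segments, reports whether the EXIF IFD0 carries a GPS IFD pointer, and returns a copy with every APP1 (EXIF and XMP) segment removed. The sample image bytes are constructed inside the block and are not a real photograph.

```python
import struct

APP1, SOS = 0xE1, 0xDA
GPS_IFD_TAG = 0x8825  # "GPS Info IFD Pointer" tag in EXIF IFD0


def _segments(jpeg: bytes):
    """Yield (start, end, marker) for each marker segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length includes itself
        if jpeg[pos] != 0xFF or end > len(jpeg):
            raise ValueError(f"bad or truncated segment at offset {pos}")
        yield pos, end, marker
        if marker == SOS:  # all APPn metadata precedes SOS; scan data follows, copied as-is
            return
        pos = end


def has_gps(jpeg: bytes) -> bool:
    """True if an EXIF APP1 segment's IFD0 carries the GPS IFD pointer tag."""
    for start, end, marker in _segments(jpeg):
        if marker != APP1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]             # TIFF structure follows "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"  # "II" little-endian, "MM" big-endian
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]  # then 12-byte entries, tag first
        return any(struct.unpack(bo + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] == GPS_IFD_TAG for i in range(count))
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of `jpeg` with every APP1 (EXIF and XMP) segment removed."""
    out, last = bytearray(b"\xff\xd8"), 2
    for start, end, marker in _segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])             # scan data and EOI copied verbatim


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (not a real photo) whose EXIF IFD0 points to a GPS IFD at TIFF offset 38."""
    ifd0 = struct.pack("<HHHIIHHII", 2, 0x0112, 3, 1, 1, GPS_IFD_TAG, 4, 1, 38)  # Orientation + GPS ptr
    gps = struct.pack("<IHHHI4sI", 0, 1, 0x0001, 2, 2, b"N\x00\x00\x00", 0)    # GPSLatitudeRef = "N"
    exif = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # plain JFIF header
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9"    # SOS, scan bytes, EOI
    return b"\xff\xd8" + app1 + app0 + sos
```

Dropping the whole APP1 segment also removes harmless tags such as camera orientation; a tool that keeps those has to rewrite the TIFF structure rather than discard it.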
The Information Assurance Mission at NSA
SNAC DoD, 9800 Savage Rd. Ft. Meade, MD 20755-6704
www.nsa.gov/snac
SNAC@radium.ncsc.mil
NSA Creative Imaging – 48039