sign in sign up
<<
Home , Adapter (computing), Laptop

As a user with access to sensitive corporate 2. Install A Comprehensive Security Suite or government information at work, you are at risk at home. In order to gain access to Install a comprehensive security suite that information typically housed on protected work provides layered defense via anti-virus, anti­ networks, cyber adversaries may target you phishing, safe browsing, host-based intrusion wh ile you are operating on your less secure prevention, and firewall capabilities. In . addition , several security suites, such as those from McAfee®£ 11, Norton®!2l, and Symantec®[ 3l, Don't be a victim. You can help protect provide access to a cloud-based reputation yourself, your family, and your organization by service for leveraging corporate malware following some common sense guidelines and knowledge and history. Be sure to enable implementing a few simple mitigations on your the su ite's automatic update service to keep home network. signatures up to date.

Personal Device 3. Limit Use of the Administrator Account Recommendations In your , the highly- privileged administrator (or root) account Personal computing devices include desktop has the ability to access any information and , , , and tablets. change any configuration on your system. Because the bulk of your information is stored Therefore, web or email delivered malware and accessed via these devices, you need to can more effectively compromise your take special care in securing them. system if executed while you are logged on as an administrator. Create a nonprivileged 1. Migrate to a Modern Operating System "user" account for the bulk of your activities including web browsing, e-mail access, and and Hardware Platform creation/editing. Only use the The latest version of any operating system privileged administrator account for system (OS) inevitably contains security features not reconfigurations and installations/ found in previous versions. Many of these updates. security features are enabled by default and help prevent common attack vectors. 4. Use a with Sand boxing In addition, using a 64-bit OS on a 64-bit Capabilities hardware platform substantially increases the effort for an adversary to obtain privileged Visiting compromised or malicious web access on your . servers is a common attack vector. Consider using one of several currently available web 8. Download Software Only from Trusted browsers (e.g. Chrome™[4l, Safari®[5l) that Sources provide a sandboxing capability. Sandboxing contains malware during execution, thereby To minimize the risk of inadvertently insulating the underlying operating system downloading malware, only download software from exploitation. and apps from reputable sources. On mobile devices, grant apps only those permissions necessary to function , and 5. Use a PDF Reader with Sand boxing disable location services when not needed. Capabilities

PDF are a popular mechanism 9. Secure Mobile Devices for delivering malware. Use one of several commercial or open source PDF readers Mobile devices such as laptops, smartphones, and tablets pose additional concerns due to (e .g. Adobe®(sJ, Foxi~ 7 l ) that provide sandboxing their ease of use and portability. To protect capabilities and block execution of malicious against theft of the device and the information embedded URLs ( links) within on the device, maintain physical control when documents. possible, enable automatic screen locking after a period of inactivity, and use a hard-to­ 6. Update Application Software guess password or PIN. If a must be left behind in a hotel room while travelling , power Attackers often exploit vulnerabilities in it down and use FOE as discussed above. unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that Network Recommendations offer this option , and promptly install patches Home network devices include / or a new version when pop-up notifications routers, access points (WAPs), indicate an update is available. Since many printers, and IP telephony devices. These applications do not have an automated devices control the flow of information into update feature, use one of several third-party and out of your network, and should be products, such as those from Secunia and carefully secured. eEye Digital Security®[8], which can quickly survey installed software and report which applications are end-of-life or need patches 1. Configure a Flexible Home Network or updates. Your Service Provider (ISP) likely provides a /router as part of your 7. Implement Full (FOE) service contract. To maximize administrative on Laptops control over the routing and wireless features of your home network, use a personally­ To prevent data disclosure in the event that owned routing device that connects to the a laptop is lost or stolen , implement FOE . ISP-provided modem/router. Figure 1 depicts Most modern operating systems offer a built­ a typical small office/home office (SOHO) in FOE capability, for example Microsoft's network configuration that provides the home Bitlocker®[9], Apple's Filevault®[1 0] , or LUKS user with a network that supports multiple for . If your OS does not offer FOE , use a systems as well as wireless networking and third party product. IP telephony services.

~ . ,, . DSUCable Modem Network Switch 4. Implement WPA2 on the Wireless Provided by ISP Network

To keep your wireless communication Connection confidential, ensure your personal or ISP­ From ISP provided WAP is using Wi-Fi Protected Access 2 (WPA2) instead of the much weaker, and easily broken Wired Equivalent Privacy Access Point Purchased By (WEP) or the original WPA. When configuring Home User Adapter WPA2 , change the default key to a complex, hard-to-guess passphrase. Note that older Figure 1: Typical SOHO Configuration client systems and access points may not support WPA2 and will require a software or 2. Disable Internet Protocol Version 6 hardware upgrade. When identifying a suitable (1Pv6) Tunneling replacement, ensure the device is WPA2- Personal certified . Both 1Pv6 and its predecessor, 1Pv4, are used to transfer communications on the Internet. Most modern operating systems use 1Pv6 by 5. Limit Administration to the Internal Network default. If 1Pv6 is enabled on your device, but not supported by other systems/networks to To close holes that would allow an attacker to which you are communicating, some OSes will access and make changes to your network, attempt to pass 1Pv6 traffic in an 1Pv4 wrapper on your network devices, disable the ability using tunneling capabilities such as Teredo, to perform remote/external administration. 6to4, or ISA TAP (Intra-Site Automatic Tunnel Always make network configuration changes Addressing Protocol). Because attackers could from within your internal network. use these tunnels to create a hidden channel of communication to and from your system, you should disable tunneling mechanisms. 6. Implement an Alternate DNS Provider In Windows, you can disable these through The Domain Name System (DNS) associates Device Manager (be sure to select "View domain names (e .g. www.example.com) with hidden devices" under the View menu). their numerical IP addresses. The ISP DNS provider likely does not provide enhanced security services such as the blocking and 3. Provide Firewall Capabilities blacklisting of dangerous web sites. Consider To prevent attackers from scanning your using either open source or commercial DNS network, ensure your personally-owned routing providers to enhance web browsing security. device supports basic firewall capabilities. Also verify that it supports Network Address 7. Implement Strong Passwords on all Translation (NAT) to prevent internal systems Network Devices from being accessed directly from the Internet. Wireless Access Points (WAPs) generally do In addition to a strong and complex password not provide these capabilities so it may be on your WAP, use a strong password on any necessary to purchase a wireless router, or a network device that can be managed via a wired router in addition to the WAP. If your ISP web , including routers and printers. supports 1Pv6, ensure your router supports For instance, many network printers on the 1Pv6 firewall capabilities in addition to 1Pv4. market today can be managed via a web interface to configure services, determine job have a standby button you can use to disable status, and enable features such as e-mail the Internet connection . alerts and logging. Without a password, or with a weak or default password, attackers could leverage these devices to gain access to your Internet Behavior other internal systems. Recommendations In order to avoid revealing sensitive Home Entertainment Device information about your organization or Recommendations personal life, abide by the following guidelines while accessing the Internet. Home entertainment devices, such as blu­ ray players, set-top video players (e.g. Apple TV®£ 11 1), and video game controllers, are 1. Exercise Caution when Accessing capable of accessing the Internet via wireless Public Hotspots or wired connection. Although connecting these types of devices to a home network Many establishments, such as coffee shops, generally poses a low security risk, you can hotels, and airports, offer wireless hotspots or implement security measures to ensure these kiosks for customers to access the Internet. don't become a weak link in your network. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial 1. Protect the Device within the Network activity. If you have a need to access the Ensure the device is beh ind the home router/ Internet while away from home, follow these firewall to protect it from unfettered access recommendations: from the Internet. In the case of a device that supports wireless, follow the Wireless LAN • If possible, use the (that is, security guidance in this document. mobile Wi-Fi, 3G or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with 2. Use Strong Passwords for Service a cellular provider. Accounts • Set up a confidential tunnel to a trusted Most home entertainment devices require virtual private network (VPN) service you to sign up for additional services (e .g. provider (for example, StrongSwan's Playstation®! 12J Network, Xbox Live®£ 131, StrongVPN). This option can protect your Netflix®£141, Amazon Prime®£151, iTunes®£ 161) . traffic from malicious activities such as . Follow the password guidance later in this monitoring . However, use of a VPN carries document when creating and maintaining service accounts. some inconvenience, overhead, and often cost. Additionally, you are still vulnerable during initial connection to the public network 3. Disconnect When Not in Use before establishing the VPN .

To prevent attackers from probing the network • If using a is the only option fo r via home entertainment devices, if possible, accessing the Internet, limit activities to disconnect these systems from the Internet web browsing. Avoid accessing services when not in use. Some ISP modems/routers such as banking that requ ire user credentials or entering personal information. 2. Do Not Exchange Home and Work 5. Take Precaustions on Social Content Networking Sites The exchange of information (e.g. e-mails, Social networking sites are a convenient documents) between less-secure home means for sharing personal information with systems and work systems via e-mail or family and friends. However, this convenience removable may put work systems at also brings a level of risk. To protect yourself, an increased risk of compromise. If possible, do the following : use organization-provided laptops to conduct all work business from home. For those • Think twice about posting information business interactions that are solicited and such as address, phone number, place of expected, have the contact send work-related employment, and other personal information correspondence to your work, rather than that can be used to target or harass you . personal, e-mail account. • If available, limit access of your information to "friends only" and attempt to verify any 3. Be Cognizant of Device Trust Levels new sharing requests either by phone or in person. Home networks consist of various combinations of wired and wireless devices • Take care when receiving content (such and computers. Establish a level of trust based as third-party applications) from friends not only on a device's security features, but because many recent attacks deliver also its usage. For example, children typically malware by taking advantage of the ease are less savvy about security than adults and with which content is generally accepted may be more likely to have malicious software within the social network community. on their devices. Avoid using a less savvy user's computer for online banking, stock • Periodically review the security policies and trading , family photograph storage, and other settings available from your social network sensitive functions. provider to determine if new features are available to protect your personal information. For example, some social 4. Be Wary of Storing Personal networking sites now allow you to opt-out Information on the Internet of exposing your personal information to Internet search engines. Personal information historically stored on a local computing device is steadily moving • Follow friends' profiles to see whether to on-demand Internet storage called the information posted about you might be cloud . Information in the cloud can be difficult a problem. to permanently remove. Before posting information to these cloud-based services, 6. Enable the Use of SSL Encryption ask yourself who will have access to your information and what controls do you have Application encryption (SSL or TLS) over the over how the information is stored and Internet protects the confidentiality of sensitive displayed. In addition, be aware of personal information while in transit when logging into information already published online by web based applications such as webmail and periodically performing a search using an social networking sites. Fortunately, most web Internet search engine. browsers enable SSL support by default. When conducting sensitive personal activities those e-mails with embedded links, open a such as account logins and financial browser and navigate to the web site directly transactions, ensure the web site uses SSL. by its well-known web address or search for Most web browsers provide some indication the site using an Internet search engine. that SSL is enabled, typically a lock symbol either next to the URL for the web page • Be wary of any e-mail requesting personal or within the status bar along the bottom information such as a password or social of the browser. Additionally, many popular security number as any web service with web applications such as Facebook®[17l which you currently conduct business should and Gmail®[ 18l have options to force all already have this information. communication to use SSL by default.

8. Protect Passwords 7. Follow E-mail Best Practices Ensure that passwords and challenge Personal e-mail accounts, either web-based responses are properly protected since they or local to the computer, are common attack provide access to personal information. targets. The following recommendations will help reduce exposure to e-mail-based threats: • Passwords should be strong , unique for each account, and difficult to guess. • Use different usernames for home and work Consider using a passphrase that you can e-mail addresses. Unique usernames make easily remember, but which is long enough it more difficult for someone targeting your to make p(:!ssword cracking more difficult. work account to also target you via your personal accounts. • Disable the feature that allows web sites or programs to remember passwords. • To prevent reuse of compromised passwords, use different passwords for each • Many online sites make use of password of your e-mail accounts. recovery or challenge questions. Your answers to these questions should be • Do not set out-of-office messages on something that no one else would know or personal e-mail accounts, as this can confirm find from Internet searches or public records. to spammers that your e-mail address is To prevent an attacker from leveraging legitimate and can provide information to personal information about yourself to unknown parties about your activities. answer challenge questions, consider providing a false answer to a fact-based • To prevent others from reading e-mail question, assuming the response is unique while in transit between your computer and and memorable. the mail , always use secure e-mail protocols (Secure IMAP or Secure POP3), • Use two-factor authentication when available particularly if using a . You for accessing webmail, social networking, can configure these on most e-mail clients, and other accounts. Examples of two-factor or select the option to "always use SSL" for authentication include a one-time password web-based e-mail. verification code sent to your phone, or a login based on both a password and • Consider unsolicited e-mails containing identification of a trusted device. attachments or links to be suspicious. If the identity of the sender cannot be verified , delete the e-mail without opening. For 9. Avoid Posting Photos.with GPS Internet Protocol Version 6: Coordinates http://www.nsa.gov/ia/_files/factsheets/ Factsheet-1Pv6.pdf Many phones and newer point-and-shoot cameras embed GPS location coordinates Security Tips for Personally-Managed when a photo is taken. An attacker can use Apple and : these coordinates to profile your habits/pattern http://www. nsa. govlia/_ files/facts heets/ of life and current location. Limit the exposure iphonetips-image.pdf of these photos on the Internet to be viewable Security Highlights of : only by a trusted audience or use a third­ http://www.nsa.gov/ia/_files/os/win7/win7_ party tool to remove the coordinates before security_highlights. pdf uploading to the Internet. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of References their users. [1] McAfee® is a registered trademark of McAfee, Inc. [2] Norton® is a registered trademark of Symantec Additional Guidance [3] Symantec® is a registered trademark of Symantec [4] ChromeTM is a trademark of Google Social Networking: [5] Safari® is a reg istered trademark of Apple http://www.nsa.gov/ia/_files/factsheets/173- [6] Adobe® is a registered trademark of Adobe Systems, Inc. 021 R-2009.pdf [7] Foxit® is a registered trademark of Foxit Corp. [8] eEye Digital Security® is a registered trademark of eEye, Inc. Mitigation Monday- [9] Bitlocker® is a registered trademark of Microsoft Defense Against Malicious E-mail [1 0] Filevault® is a registered trademark of Apple Attachments: [11] Apple TV® is a registered trademark of Apple http://www.nsa.gov/ia/_files/factsheets/ [12] Playstation® is a registered trademark of MitigationMonday.pdf [13] Xbox Live® is a registered trademark of Microsoft [14] Netflix® is a registered trademark of Netflix.com , Inc. Mitigation Monday #2 - [15] Amazon Prime® is a registered trademark of Amazon Defense Against Drive By Downloads: Technologies, Inc. http://www. nsa .govlia/_ files/fa ctsheets/ [16] iTunes® is a registered trademark of Apple 1733-011 R-2009.pdf [17] Facebook® is a registered trademark of Facebook [18] Gmail® is a registered trademark of Google Hardening Tips Disclaimer of Endorsement: Mac OSX 10.6 Hardening Tips: Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, http://www. nsa. gov/ia/_ fi les/factsheets/ does not necessarily constitute or imply its endorsement, macosx_1 0_6_hardeningtips.pdf recommendation , or favoring by the United States Government. The views and opinions of authors expressed herein do not Enforcing No Internet or E-mail from necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement Privileged Accounts: purposes. http://www. nsa.gov/ia/_ files/facts heets/ Final_49635Nonlnternetsheet91.pdf

Hardening Tips for the Default Installation of Red Hat Enterprise Linux 5: http://www. nsa. gov/ia/_ fi les/factsheets/ rhel5-pamphlet-i731.pdf Contact Information

Industry Inquiries 410-854-6091 [email protected]

USG/IC Customer Inquiries 41 0-854-4 790

DoD//COCOM Customer Inquiries 41 0-854-4200

General Inquiries NSA Information Assurance Service Center [email protected]