We examine the following areas, which all users should adopt as a minimum:
- Software patching
- Network security
- Security software
- Physical security
- Other users
- Training and education
Software patching
Patching is a well-known and widely advertised feature that system administrators automate to a high degree in a corporate environment, but one which home users have to look after themselves.
Whether it is the Microsoft Windows operating system with its monthly patching cycle or Apple with its iOS maintenance releases, it is recommended that users stay as up to date as possible to limit potential breaches due to zero-day threats. Additional consideration must be given to software beyond your operating system: packages installed over time may bring in sub-components that themselves need to be patched.
A Microsoft example would be the .NET Framework, which is a prerequisite for several software packages. It is recommended that Windows Update be re-run manually after a new software package such as this has been installed, to capture any underlying application security patches. Additional applications such as Java and Flash should be reviewed and removed if possible, or consistently patched to the latest level if they are functionally required.
Finally, ensure that your browser is at the latest build version by reviewing the browser settings and updating if necessary.
Passwords are a fundamental component of a secure corporate environment; the trick for users is to have a password that is long and complex enough to deter brute-force attempts but familiar enough not to be forgotten. Our recommendation is to pick a personal phrase that you are very familiar with, e.g. "Grandad Dave was a bank clerk!". There are a number of sites that will help you validate the complexity of your password, such as Kaspersky’s secure password check.
If you are comfortable using applications then you may consider a password manager such as KeePass or LastPass, whereby passwords for your various online services are encrypted and stored either locally or in the cloud. To further strengthen this option, external media can be used: the password manager database file can be stored on a USB drive and kept in a location that is not connected to the internet.
Finally, no two passwords should be the same or indeed follow the same format. If they are then one breach can have a catastrophic effect on your security posture and lead to financial or reputational loss and possibly identity theft.
In a recent blog post regarding the psychology of passwords, LastPass found that 39% of people create more secure passwords for personal accounts than for work accounts, and that 75% of respondents considered themselves informed on password best practices, yet 61% admitted to using the same or a similar password across accounts. This is further proof that IT security is both a technical and a people issue.
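As an added example (not from the original post), the following Python script audits a constructed sample set of saved passwords for the three problems described above: exact reuse across services, passwords that share the same format (the same pattern of upper-case, lower-case, digit and symbol characters), and near-duplicates that differ by only a character or two. The service names and passwords in the sample vault are made up for illustration.

```python
import itertools
from collections import defaultdict

# Constructed sample vault (service -> password); these are not real credentials.
SAMPLE_VAULT = {
    "bank": "GrandadDave1952!",
    "email": "GrandadDave1952!",          # exact reuse of the bank password
    "shopping": "GrandadDave1953!",       # same format, one digit changed
    "work": "Tr0ub4dor&3",
    "forum": "grandad dave was a bank clerk!",
}


def shape(password):
    """Character-class mask of a password: 'Abc12!' -> 'ULLDDS'."""
    return "".join(
        "U" if c.isupper() else "L" if c.islower() else "D" if c.isdigit() else "S"
        for c in password
    )


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(vault, max_edits=2):
    """Return three sorted lists of service groups: exact reuse, shared format,
    and near-duplicates (distinct passwords within max_edits of each other)."""
    by_password, by_shape = defaultdict(list), defaultdict(list)
    for service, pw in vault.items():
        by_password[pw].append(service)
        by_shape[shape(pw)].append(service)
    exact = sorted(tuple(sorted(g)) for g in by_password.values() if len(g) > 1)
    same_format = sorted(tuple(sorted(g)) for g in by_shape.values() if len(g) > 1)
    near = sorted(
        (a, b) for a, b in itertools.combinations(sorted(vault), 2)
        if vault[a] != vault[b] and edit_distance(vault[a], vault[b]) <= max_edits
    )
    return exact, same_format, near
```

Running `audit(SAMPLE_VAULT)` flags the bank and email accounts as sharing one password, all three "GrandadDave" accounts as sharing a format, and the shopping password as a one-character variant of the other two.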
Corporate system administrators use the AAA model, standing for authentication, authorization and accounting.
Authentication is the process of verifying that you are who you say you are. This can be achieved with passwords, biometrics such as fingerprints, and PINs. Two-factor authentication (2FA) adds a further layer to the process by requesting not just a username and password but also an additional factor that the user has, such as a PIN (Personal Identification Number) or a validation code. Services such as LinkedIn and Gmail offer this. Therefore, if your password is compromised, any attempt to capitalize on it will result in you receiving a notification. Whilst this adds a small amount of overhead to the user experience, it is highly recommended that users take up the offer wherever the service is available.
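As an added example (not from the original post), the code below shows how a time-based validation code of the kind produced by an authenticator app is generated and then checked by the service. The post does not say which scheme LinkedIn or Gmail use, so treating the validation code as an RFC 6238 TOTP over HMAC-SHA1 is an assumption; the shared secret is the RFC's published test value, not a real enrolment key.

```python
import hashlib
import hmac
import struct

# Constructed secret: in practice this is the random key the service enrols on
# the user's phone, usually shown as a QR code or base32 string (RFC 6238 test value).
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time code (RFC 6238 on top of HOTP, HMAC-SHA1)."""
    counter = int(unix_time) // step                     # 30-second time step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret, submitted, unix_time, step=30, window=1):
    """Server-side check: accept the code for the current step or +/- window steps,
    comparing in constant time so the check itself leaks nothing."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), submitted):
            return True
    return False
```

Because the code depends on a secret held only by the device, a stolen password alone is not enough to pass this check.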
Authorization is the process of applying the appropriate level of access for the newly authenticated user, i.e. are they a user, a super user or an administrator.
Accounting is the process of logging all activity related to the process. In addition, a number of companies use Identity and Access Management (IAM) platforms, whereby corporate users’ credentials are shared securely with a third-party IAM identity provider. When the user wants to use an application or service they first authenticate with the identity provider, which then passes a security assertion to the service provider for approval to proceed. If this service is available in your corporate environment then it can be used to access those same services securely from home.
Backups are imperative, both to mitigate recent threats such as ransomware and to recover from hardware failures. Disk drives and USB keys have finite lifespans, dictated by the make and model of the drive. They deteriorate over time, and there is nothing worse than hearing the dreaded clicking sound when you power on your laptop and realising that your hard drive has died.
It is recommended that users implement a backup plan for their data. There are a number of ways to do this:
- Install backup software which will back up your data from your device to a location such as an external USB drive. These backups can be scheduled and password protected, and a number of commercial companies offer free home editions. Scheduling does not need to be as robust as a corporate plan, but monthly or, if possible, weekly backups are recommended.
- Synchronise (sync) your files to a secondary location. This is a simpler but just as effective option whereby one location, e.g. your laptop, is synchronised to a secondary location, again either an external USB drive or a cloud location. Google and Microsoft provide free versions and there are a number of commercial offerings as well. There are also a number of commercial cloud-based backup offerings whereby data is backed up from your devices to a cloud provider for a fee. The benefits of these services are that they mitigate the risk of failure of both the primary and the backup device, provide an additional location and can back up mobile devices; the drawbacks are the cost, the risk of the cloud provider having access to your data, the geo-syncing of your data to locations outside your geographical area and, potentially, the longevity of the provider itself.
- The use of electrical surge protection is also advocated to minimise risk and ensure that your devices and corresponding data are protected.
The key questions for all of the backup considerations above are: if your data is compromised, either by ransomware or by hardware failure, how much data are you prepared to lose, and how long would it take to get you back up and running?
Network security
Companies place great importance on network security, with multiple controls such as access control lists, IP whitelisting, firewalls, intrusion prevention/detection systems (IPS/IDS) and virtual private networks (VPNs) being employed.
We recommend that users follow suit at home regarding their network equipment. The following steps should be taken where possible:
- changing the default password on your ISP-provided router
- hiding the SSID
- upgrading the firmware of the router to the latest version available
- ensuring that WPA2 is the Wi-Fi security protocol in use
- employing a complex password, as described above, for your WPA2 Wi-Fi network
- utilizing a guest network for non-family members
- disabling Wi-Fi Protected Setup (WPS).
A VPN creates a secure tunnel from your home to the internet endpoints you are visiting, ensuring that your network traffic cannot be interrogated by third parties; there are a number of commercial offerings in this space. Whilst this encrypts your network traffic, it does not protect the endpoint of the tunnel, and as such users remain vulnerable if they navigate to questionable websites.
Security software
There is a multitude of security vendors supplying products to the home user market, and we would recommend that the following areas are considered at a minimum.
Anti-virus (AV) software is used to protect devices from viruses. Considerations when choosing an AV product include the vendor’s reputation, functionality, use of resources, performance, ease of use and price. Microsoft Windows has built-in functionality, and if this is your operating system then at a minimum it should be utilized. Anti-malware, anti-spyware and anti-adware products build on AV protection and deal with potentially unwanted programs (PUPs), ransomware, website ratings and blocking access to known bad networks, amongst other functionality. Some AV vendors incorporate these features into their product, but if not then additional software should be used.
Ensure that the signature databases are kept up to date and that scans are run regularly or scheduled. Firewalls, which restrict and monitor incoming and outgoing network traffic and the ports that are used, are well-known security controls that home users should employ.
In addition to the built-in Microsoft functionality there are commercial products offering baseline firewall behaviour plus additional features such as content filtering, unified threat management (UTM) and SSL VPNs.
Physical security
We are well used to seeing security in our place of work at varying levels, with locked doors, swipe cards, receptionists and biometrics being examples of the physical security controls employed. These are used to prevent physical intrusions, and the same applies to IT security.
It is recommended that users employ similar techniques in the home. Your home devices are conduits to your personal data and need to be protected. Consider the use of a cable lock if your laptop or desktop is being left in an empty residence for periods of time. Desktop computers occasionally have provisions for securing the covers with a small padlock thus preventing the possible theft of components or more importantly the hard drives.
Review your personal space where you use your devices. Is it visible from the front door or window? Placing your devices in a locked drawer when not using them ensures they are both out of sight and also an additional step for any potential thief to navigate.
Ensure you have taken a photograph of your devices and recorded information such as the serial number, part numbers and any other distinguishing marks, so that if they were stolen and recovered they could be identified. Also consider whether the devices are valuable enough to be listed separately in your home insurance policy.
Finally, encryption should be considered for hard drives to ensure your data remains secure in the event of a theft. There are both free and commercial offerings available, and don’t forget to encrypt not only your primary disk drives but also the secondary backup drives.
Other users
Occasionally, family members are allowed to use our devices. This is unacceptable in a corporate environment and most companies cover this point in a standard acceptable use policy (AUP). Our home is a different matter, however, and with this in mind it is important that, if other users are allowed to use your device, you are logged out of all applications first. Otherwise, these non-owner users may be able to download applications, navigate to websites, access email and subscribe to online services using the primary account. To mitigate these risks, users can create additional unique profiles on devices, configured to suit users of different ages or levels of computer knowledge. When no longer required, the profiles can be deleted.
The vast majority of our interaction with the internet is via browsing, and as per corporate guidelines users need to be vigilant with this activity. Navigating only to known websites, hovering on links to check addresses before clicking, being mindful about file downloads and using your browser’s security features can all help to minimize browsing risks. To supplement this we would recommend that URLs for specific websites, such as banking sites, be bookmarked so you are not caught out by false websites via browser searches, and that you check the secure padlock symbol is present, which indicates the site’s security certificate has been validated.
Email is possibly the most common application apart from browsing, and one of the biggest ingress points for cyber criminals. Strong IT security controls are an absolute requirement when using email. Your choice of email provider is important, with some providers offering more security and fewer breaches than others. This should be taken into consideration along with the provider’s security functionality (file scanning, spam filtering, two-factor authentication, etc.).
Finally, the purpose of your email should also inform your decisions. Is it purely personal or for a business? Ease of use, amount of storage, reliability and provider reputation should all be taken into consideration.
Training and education
Reading this blog post indicates that you take IT security seriously and are willing to stay up to date on related matters. This should be extended to family and friends. It is in everyone’s interest that people keep up with the changing threat landscape and the actions they can take to protect their data. Blog posts, news articles, podcasts, magazines and webinars are just a sample of the information sources available, and the majority of IT security vendors offer free information that is worth considering.