Best Practices for Keeping Your Home Network Secure
The Information Assurance Mission at NSA, April 2011

The cyber threat is no longer limited to your office network and work persona. Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet.

Host-Based Recommendations

Windows Host OS

1. Migrate to a Modern OS and Hardware Platform
Both Windows 7 and Vista provide substantial security enhancements over earlier Windows workstation operating systems such as XP. Many of these security features are enabled by default and help prevent many common attack vectors. In addition, implementing the 64-bit mode of the OS on a 64-bit hardware platform substantially increases the effort of an adversary to attain a system or root compromise. For any Windows-based OS, verify that Windows Update is configured to provide updates automatically.

2. Install a Comprehensive Host-Based Security Suite
A comprehensive host-based security suite provides support for anti-virus, anti-phishing, safe browsing, Host-based Intrusion Prevention System (HIPS), and firewall capabilities. These services work collaboratively to provide a layered defense against most common threats. Several security suites today provide access to a cloud-based reputation service for leveraging corporate knowledge and history of malware and domains. Remember to enable any automated update service within the suite to keep signatures up-to-date.

3. Limit Use of the Administrator Account
The first account that is typically created when configuring a Windows host for the first time is the local administrator account. A non-privileged "user" account should be created and used for the bulk of activities conducted on the host to include web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host. Within Vista or Windows 7, administrative credentials can be easily accessed by right clicking on any application, selecting the "Run as Administrator" option, then providing the appropriate administrator password. Furthermore, all passwords associated with accounts on the host should be at least 10 characters long and be complex (include upper case, lower case, numbers, special characters).

4. Use a Web Browser with Sandboxing Capabilities
Several currently available third party web browsers now provide a sandboxing capability that can contain malware during execution thereby insulating the host operating system from exploitation. Most of these web browsers also provide a feature to auto-update or at least notify you when updates are available for
download. Also, promising approaches that move the web browser into a virtual machine (VM) are starting to appear on the market but are not yet ready for mass consumer use.

5. Update to a PDF Reader with Sandboxing Capabilities
A sandbox provides protection from malicious code that may be contained in a PDF file. PDF files have become a popular technique for delivering malicious executables. Several commercial and open source PDF readers now provide sandboxing capabilities as well as block execution of embedded URLs (website links) by default.

6. Migrate to Microsoft Office 2007 or Later
If using Microsoft Office products for email, word processing, spreadsheets, presentations, or database applications, upgrade to Office 2007 or later and its XML format for storing documents. By default, the XML file formats do not execute embedded code when opened within Office 2007 or later products thereby protecting the user from malicious code delivered via Office documents. The Office 2010 suite also provides "Protected View" mode which opens documents in read-only mode thereby potentially minimizing the impact of a malicious file.

7. Keep Application Software Up-to-Date
Most home users do not have the time or patience to verify that all applications installed on their workstation are fully patched and up-to-date. Since many applications do not have an automated update feature, attackers frequently target these applications as a means to exploit a targeted host. Several products exist in the market which will quickly survey the software installed on your workstation and indicate which applications have reached end-of-life, require a patch, or need updating. For some products, a link is conveniently provided in the report to download the latest update or patch.

8. Implement Full Disk Encryption (FDE) on Laptops
Windows 7 Ultimate as well as Vista Enterprise and Ultimate provide support for BitLocker Full Disk Encryption (FDE) natively within the OS. For other versions of Windows, third party FDE products are available that will help prevent data disclosure in the event that a laptop is lost or stolen.

Apple Host OS

1. Maintain an Up-to-Date OS
Configure any Mac OS X system to automatically check for updates. When notified of an available update, provide privileged credentials in order to install the update. The Apple iPad should be kept up-to-date as well and requires a physical connection (e.g., USB) to a host running iTunes in order to receive its updates. A good practice is to connect the iPad to an iTunes host at least once a month or just prior to any travel where the iPad will be used.

2. Keep Third Party Application Software Up-to-Date
Periodically check key applications for updates. Several of these third party applications may have options to automatically check for updates. Legacy applications may require some research to determine their status.

3. Limit Use of the Privileged (Administrator) Account
The first account that is typically created when configuring a Mac host for the first time is the local administrator account. A non-privileged "user" account should be created and used for
the bulk of activities conducted on the host to include web browsing, email access, and document creation/editing. The privileged administrator account should only be used to install updates or software, and reconfigure the host as needed. Browsing the web or reading email as an administrator provides an effective means for an adversary to gain persistence on your host.

4. Enable Data Protection on the iPad
The data protection feature on the iPad enhances hardware encryption by protecting the hardware encryption keys with a pass code. The pass code can be enabled by selecting "Settings," then "General", and finally "Passcode." After the pass code is set, the "Data protection is enabled" icon should be visible at the bottom of the screen. For iPads that have been upgraded from iOS 3, follow the instructions at: http://support.apple.com/kb/HT4175.

5. Implement FileVault on Mac OS Laptops
In the event that a Mac laptop is lost or stolen, FileVault (available in Mac OS X, v10.3 and later) can be used to encrypt the contents of a user's home directory to prevent data loss.

Network Recommendations

1. Home Network Design
The Internet Service Provider (ISP) may provide a cable modem with routing and wireless capabilities as part of the consumer contract. To maximize the home user's administration control over the routing and wireless device, deploy a separate personally-owned routing device (a) that connects to the ISP provided router/cable modem. Figure 1 depicts a typical home network configuration that provides the home user with the network infrastructure to support multiple systems as well as wireless networking and IP telephony services (b).

Figure 1: Typical SOHO Configuration

2. Implement WPA2 on Wireless Network
The wireless network should be protected using Wi-Fi Protected Access 2 (WPA2) instead of WEP (Wired Equivalent Privacy). Using current technology, WEP encryption can be broken in minutes (if not seconds) by an attacker, which afterwards allows the attacker to view all traffic passed on the wireless network. It is important to note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When researching suitable replacement devices, ensure that the device is WPA2-Personal certified.

3. Limit Administration to Internal Network
Administration of home networking devices should be from the internal-facing network. When given the option, external remote administration should be disabled for network devices. Disabling remote administration prevents an attacker from changing and possibly compromising the home network.
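As an added example (not part of the NSA document), the following Python audit checks a home router's exported settings against the recommendations above: WPA2 rather than WEP, no external remote administration, and the 10-character, four-class password rule given in the Windows section. The key=value export format and both sample configurations are constructed for illustration, not any vendor's real format.

```python
"""Audit a home router's settings against the home-network recommendations.

The key=value export format below is a constructed example, not a real
vendor format; adapt parse_config() to whatever your router actually exports.
"""
import re

# Constructed sample export with the weak settings the audit should flag.
WEAK_CONFIG = """\
wireless.encryption=WEP
wireless.ssid=HomeNet
admin.password=admin123
admin.remote_wan_access=on
"""

# The same device after applying the recommendations.
HARDENED_CONFIG = """\
wireless.encryption=WPA2-PSK
wireless.ssid=HomeNet
admin.password=Bl4ck-C0ffee!Mug
admin.remote_wan_access=off
"""


def parse_config(text):
    """Parse key=value lines into a dict; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def password_is_strong(pw):
    """At least 10 characters and all four character classes, as the document requires."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= 10 and all(re.search(c, pw) for c in classes)


def audit(cfg):
    """Return a list of (recommendation, finding) pairs; empty means nothing to fix."""
    findings = []
    enc = cfg.get("wireless.encryption", "").upper()
    if not enc.startswith("WPA2"):
        findings.append(("2. Implement WPA2",
                         "wireless encryption is %s; switch to WPA2" % (enc or "unset")))
    if cfg.get("admin.remote_wan_access", "off").lower() in ("on", "1", "true", "yes"):
        findings.append(("3. Limit Administration to Internal Network",
                         "remote (WAN-side) administration is enabled; disable it"))
    if not password_is_strong(cfg.get("admin.password", "")):
        findings.append(("Strong passwords",
                         "admin password is under 10 characters or lacks a character class"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)))
```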
4. Implement an Alternate DNS Provider
The Domain Name Servers (DNS) provided by the ISP typically don't provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites. Consider using either open source or commercial DNS providers to enhance web browsing security.

5. Implement Strong Passwords on all Network Devices
In addition to a strong and complex password on the wireless access point, a strong password needs to be implemented on any network device that can be managed via a web interface. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as email alerts and logging.

Operational Security (OPSEC)/Internet Behavior Recommendations

1. Traveling with Personal Mobile Devices
Many establishments (e.g., coffee shops, hotels, airports, etc.) offer wireless hotspots or kiosks for customers to access the Internet. Since the underlying infrastructure is unknown and security is often lax, these hotspots and kiosks are susceptible to adversarial activity. The following options are recommended for those with a need to access the Internet while traveling:
a. Mobile devices (e.g., laptops, smart phones) should utilize the cellular network (e.g., mobile Wi-Fi, 3G or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with a cellular provider.
b. Regardless of the underlying network, users can set up tunnels to a trusted VPN service provider. This option can protect all traffic between the mobile device and the VPN gateway from most malicious activities such as monitoring.
c. If using a hotspot is the only option for accessing the Internet, then limit activities to web browsing. Avoid accessing services that require user credentials or entering personal information.

Whenever possible, maintain physical control over mobile devices while traveling. All portable devices are subject to physical attack given access and sufficient time. If a laptop must be left behind in a hotel room, the laptop should be powered down and have Full Disk Encryption enabled as discussed above.

2. Exchanging Home and Work Content
Government maintained hosts are generally configured more securely and also have an enterprise infrastructure in place (email filtering, web content filtering, IDS, etc.) for preventing and detecting malicious content. Since many users do not exercise the same level of security on their home systems (e.g., limiting the use of administrative credentials), home systems are generally easier to compromise. The forwarding of content (e.g., emails or documents) from home systems to work systems either via email or removable media may put work systems at an increased risk of compromise. For those interactions that are solicited and expected, have the contact send any work-related correspondence to your work email account.

3. Storage of Personal Information on the Internet
Personal information which has traditionally been stored on a local computing device is steadily moving to the Internet cloud. Examples of information typically stored in the cloud include webmail, financial information,
and personal information posted to social networking sites. Information in the cloud is difficult to remove and governed by the privacy policies and security of the hosting site. Individuals who post information to these web-based services should ask themselves "Who will have access to the information I am posting?" and "What controls do I have over how this information is stored and displayed?" before proceeding. Internet users should also be aware of personal information already published online by periodically searching for their personal information using popular Internet search engines.

4. Use of Social Networking Sites
Social networking sites are an incredibly convenient and efficient means for sharing personal information with family and friends. This convenience also brings some level of risk; therefore, social network users should be cognizant of what personal data is shared and who has access to this data. Users should think twice about posting information such as address, phone number, place of employment, and other personal information that can be used to target or harass you. If available, consider limiting access to posted personal data to "friends only" and attempt to verify any new sharing requests either by phone or in person. When receiving content (such as third-party applications) from friends or new acquaintances, be wary that many recent attacks have leveraged the ease with which content is generally accepted within the social network community. This content appears to provide a new capability, when in fact there is some malicious component that is rarely apparent to the typical user. Also, several social networking sites now provide a feature to opt out of exposing your personal information to Internet search engines. A good recommendation is to periodically review the security policies and settings available from your social network provider to determine if new features are available to protect your personal information.

5. Enable the Use of SSL Encryption
Application encryption (also called SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit. SSL also prevents people who can see your traffic (for example at a public WiFi hotspot) from being able to impersonate you when logging into web-based applications (webmail, social networking sites, etc.). Whenever possible, web-based applications such as browsers should be set to force the use of SSL. Financial institutions rely heavily on the use of SSL to protect financial transactions while in transit. Many popular applications such as Facebook and Gmail have options to force all communication to use SSL by default. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser.

6. Email Best Practices
Personal email accounts, either web-based or local to your host, are common attack targets. The following recommendations will help reduce your exposure to email-based threats:
a. In order to limit exposure both at work and home, consider using different usernames for home and work email addresses. Unique usernames make it more difficult for someone targeting your work account to also target you via your personal accounts.
b. Setting out-of-office messages on personal email accounts is not recommended, as this can confirm to spammers that your email address is legitimate and also provide awareness to unknown parties as to your activities.
c. Always use secure email protocols if possible when accessing email, particularly if using a wireless network. Secure email protocols include Secure IMAP and Secure POP3. These protocols, or "always use SSL" for web-based
email, can be configured in the options for most email clients. Secure email prevents others from reading email while in transit between your computer and the mail server.
d. Unsolicited emails containing attachments or links should be considered suspicious. If the identity of the sender can't be verified, consider deleting the email without opening. For those emails with embedded links, open your browser and navigate to the web site either by its well-known web address or search for the site using a common search engine. Be wary of an email requesting personal information such as a password or social security number. Any web service that you currently conduct business with should already have this information.

7. Password Management
Ensure that passwords and challenge responses are properly protected since they provide access to large amounts of personal and financial information. Passwords should be strong, unique for each account, and difficult to guess. A strong password should be at least 10 characters long and contain multiple character types (lowercase, uppercase, numbers, and special characters). A unique password should be used for each account to prevent an attacker from gaining access to multiple accounts if any one password is compromised. Disable the feature that allows programs to remember passwords and automatically enter them when required. Additionally, many online sites make use of password recovery or challenge questions. The answers to these questions should be something that no one else would know or find from Internet searches or public records. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.

8. Photo/GPS Integration
Many phones and some new point-and-shoot cameras embed the GPS coordinates for a particular location within a photo when taken. Care should be taken to limit exposure of these photos on the Internet, ensure these photos can only be seen by a trusted audience, or use a third-party tool to remove the coordinates before uploading to the Internet. These coordinates can be used to profile the habits and places frequented for a particular individual, as well as provide near-real-time notifications of an individual's location when uploaded directly from a smart phone. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.

Enhanced Protection Recommendations

The following recommendations require a higher level of administrative skills to implement and maintain on home networks than the previous recommendations. These recommendations provide additional layers of security but may impact your web browsing experience or require some iteration to adjust settings to the appropriate thresholds.

1. Enhanced Wireless Router Configuration Settings
Additional protections can be applied to the wireless network to limit access. The following security mechanisms do not protect against the experienced attacker, but are very effective against a less experienced attacker.
a. MAC address or hardware address filtering enables the wireless access point to only allow authorized systems to associate with the wireless network. The hardware address
for all authorized hosts must be configured on the wireless access point.
b. Limiting the transmit power of the wireless access point will reduce the area of operation (signal strength) of the wireless network. This capability curtails the home wireless network from extending beyond the borders of a home (e.g., parking lot or adjacent building).
c. SSID cloaking is a means to hide the SSID, the name of a wireless network, from the wireless medium. This technique is often used to prevent the detection of wireless networks by war drivers. It is important to note that enabling this capability prevents client systems from finding the wireless network. Instead, the wireless settings must be manually configured on all client systems.
d. Reducing the dynamic IP address pool or configuring static IP addresses is another mechanism to limit access to the wireless network. This provides an additional layer of protection to MAC address filtering and prevents rogue systems from connecting to the wireless network.

2. Disable Scripting Within the Web Browser
If using third party web browsers such as Firefox or Chrome, use NoScript (Firefox) or NotScript (Chrome) to prevent the execution of scripts from untrusted domains. Disabling scripting can cause usability issues, but is an effective technique to reduce web-borne attacks.

3. Enable Data Execution Prevention (DEP) for all Programs
By default, DEP is only enabled for essential Windows programs and services. Some third party or legacy applications may not be compatible with DEP, and could possibly crash when run with DEP enabled. Any program that requires DEP to execute can be manually added to the DEP exemption list, but this requires some technical expertise.

Additional Published Guidance

Social Networking
http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf

Mitigation Monday #2 – Defense Against Drive By Downloads
http://www.nsa.gov/ia/_files/factsheets/I733-011R-2009.pdf

Mitigation Monday – Defense Against Malicious E-mail Attachments
http://www.nsa.gov/ia/_files/factsheets/MitigationMonday.pdf

Mac OSX 10.6 Hardening Tips
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Data Execution Prevention
http://www.nsa.gov/ia/_files/factsheets/I733-TR-043R-2007.pdf
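The Photo/GPS Integration item above (OPSEC recommendation 8) advises removing embedded coordinates before a photo is uploaded. As an added example that is not part of the NSA document, this pure-Python script walks a JPEG's marker segments, reports whether the Exif block carries a GPS sub-IFD pointer (tag 0x8825), and strips the whole Exif APP1 segment, which takes the coordinates with it. The sample file is a constructed JPEG skeleton (no image data), not a real photo.

```python
"""Detect and remove Exif GPS metadata from a JPEG using only the standard library.

Removing the entire APP1 Exif segment is the simplest reliable way to drop the
GPS sub-IFD; a more selective tool would rewrite the IFD and keep other tags.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
GPS_IFD_TAG = 0x8825             # IFD0 entry that points at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data):
    """Yield (marker, start, end) for each length-prefixed segment before image data."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        end = pos + 2 + length       # the length field counts its own two bytes
        yield marker, pos, end
        if marker == SOS:            # entropy-coded scan follows; stop parsing
            return
        pos = end


def has_gps_ifd(exif_payload):
    """True if the TIFF block inside an APP1 Exif segment has a GPS IFD pointer."""
    if not exif_payload.startswith(EXIF_HEADER):
        return False
    tiff = exif_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 0x2A:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):           # each IFD entry is 12 bytes: tag, type, count, value
        entry = ifd0 + 2 + 12 * i
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def photo_has_gps(data):
    """True if any APP1 Exif segment in the file declares a GPS sub-IFD."""
    return any(m == APP1 and has_gps_ifd(data[s + 4:e]) for m, s, e in iter_segments(data))


def strip_exif(data):
    """Return a copy of the JPEG with every APP1 Exif segment removed."""
    out, keep_from = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[keep_from:start]
            keep_from = end
    out += data[keep_from:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed skeleton: SOI, APP0 JFIF, APP1 Exif with a GPS pointer, EOI."""
    gps_ifd_off = 8 + 2 + 12 + 4     # TIFF header + IFD0 with one entry + next-IFD link
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<HHHII", 1, 0x0001, 2, 2, 0x4E) + struct.pack("<I", 0)  # GPSLatitudeRef "N"
    payload = EXIF_HEADER + b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + gps_ifd
    app0 = struct.pack(">HH", APP0, 7) + b"JFIF\x00"
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    return struct.pack(">H", SOI) + app0 + app1 + struct.pack(">H", EOI)
```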
The Information Assurance Mission at NSA
SNAC DoD, 9800 Savage Rd., Ft. Meade, MD 20755-6704
www.nsa.gov/snac
SNAC@radium.ncsc.mil
NSA Creative Imaging – 48039