Best Practices For Keeping Your Home Network Secure

Transcription

Confidence in Cyberspace, May 2014, MIT-005FS-2013

As a user with access to sensitive corporate or government information at work, you are at risk at home. In order to gain access to information typically housed on protected work networks, cyber adversaries may target you while you are operating on your less secure home network.

Don't be a victim. You can help protect yourself, your family, and your organization by following some common sense guidelines and implementing a few simple mitigations on your home network.

Personal Computing Device Recommendations

Personal computing devices include desktop computers, laptops, smartphones, and tablets. Because the bulk of your information is stored and accessed via these devices, you need to take special care in securing them.

1. Migrate to a Modern Operating System and Hardware Platform

The latest version of any operating system (OS) inevitably contains security features not found in previous versions. Many of these security features are enabled by default and help prevent common attack vectors. In addition, using a 64-bit OS on a 64-bit hardware platform substantially increases the effort for an adversary to obtain privileged access on your computer.

2. Install a Comprehensive Security Suite

Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. In addition, several security suites, such as those from McAfee [1], Norton [2], and Symantec [3], provide access to a cloud-based reputation service for leveraging corporate malware knowledge and history. Be sure to enable the suite's automatic update service to keep signatures up to date.

3. Limit Use of the Administrator Account

In your operating system, the highly-privileged administrator (or root) account has the ability to access any information and change any configuration on your system. Therefore, web or email delivered malware can more effectively compromise your system if executed while you are logged on as an administrator. Create a nonprivileged "user" account for the bulk of your activities including web browsing, e-mail access, and document creation/editing. Only use the privileged administrator account for system reconfigurations and software installations/updates.

4. Use a Web Browser with Sandboxing Capabilities

Visiting compromised or malicious web servers is a common attack vector. Consider using one of several currently available web browsers (e.g. Chrome™ [4], Safari [5]) that provide a sandboxing capability. Sandboxing contains malware during execution, thereby insulating the underlying operating system from exploitation.

5. Use a PDF Reader with Sandboxing Capabilities

PDF documents are a popular mechanism for delivering malware. Use one of several commercial or open source PDF readers (e.g. Adobe [6], Foxit [7]) that provide sandboxing capabilities and block execution of malicious embedded URLs (website links) within documents.

6. Update Application Software

Attackers often exploit vulnerabilities in unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that offer this option, and promptly install patches or a new version when pop-up notifications indicate an update is available. Since many applications do not have an automated update feature, use one of several third-party products, such as those from Secunia and eEye Digital Security [8], which can quickly survey installed software and report which applications are end-of-life or need patches or updates.

7. Implement Full Disk Encryption (FDE) on Laptops

To prevent data disclosure in the event that a laptop is lost or stolen, implement FDE. Most modern operating systems offer a built-in FDE capability, for example Microsoft's BitLocker [9], Apple's Filevault [10], or LUKS for Linux. If your OS does not offer FDE, use a third party product.

8. Download Software Only from Trusted Sources

To minimize the risk of inadvertently downloading malware, only download software and mobile device apps from reputable sources. On mobile devices, grant apps only those permissions necessary to function, and disable location services when not needed.

9. Secure Mobile Devices

Mobile devices such as laptops, smartphones, and tablets pose additional concerns due to their ease of use and portability. To protect against theft of the device and the information on the device, maintain physical control when possible, enable automatic screen locking after a period of inactivity, and use a hard-to-guess password or PIN. If a laptop must be left behind in a hotel room while travelling, power it down and use FDE as discussed above.

Network Recommendations

Home network devices include modems/routers, wireless access points (WAPs), printers, and IP telephony devices. These devices control the flow of information into and out of your network, and should be carefully secured.

1. Configure a Flexible Home Network

Your Internet Service Provider (ISP) likely provides a modem/router as part of your service contract. To maximize administrative control over the routing and wireless features of your home network, use a personally-owned routing device that connects to the ISP-provided modem/router. Figure 1 depicts a typical small office/home office (SOHO) network configuration that provides the home user with a network that supports multiple systems as well as wireless networking and IP telephony services.

Figure 1: Typical SOHO Configuration

2. Disable Internet Protocol Version 6 (IPv6) Tunneling

Both IPv6 and its predecessor, IPv4, are used to transfer communications on the Internet. Most modern operating systems use IPv6 by default. If IPv6 is enabled on your device, but not supported by other systems/networks to which you are communicating, some OSes will attempt to pass IPv6 traffic in an IPv4 wrapper using tunneling capabilities such as Teredo, 6to4, or ISATAP (Intra-Site Automatic Tunnel Addressing Protocol). Because attackers could use these tunnels to create a hidden channel of communication to and from your system, you should disable tunneling mechanisms. In Windows, you can disable these through Device Manager (be sure to select "View hidden devices" under the View menu).

3. Provide Firewall Capabilities

To prevent attackers from scanning your network, ensure your personally-owned routing device supports basic firewall capabilities. Also verify that it supports Network Address Translation (NAT) to prevent internal systems from being accessed directly from the Internet. Wireless Access Points (WAPs) generally do not provide these capabilities so it may be necessary to purchase a wireless router, or a wired router in addition to the WAP. If your ISP supports IPv6, ensure your router supports IPv6 firewall capabilities in addition to IPv4.

4. Implement WPA2 on the Wireless Network

To keep your wireless communication confidential, ensure your personal or ISP-provided WAP is using Wi-Fi Protected Access 2 (WPA2) instead of the much weaker, and easily broken Wired Equivalent Privacy (WEP) or the original WPA. When configuring WPA2, change the default key to a complex, hard-to-guess passphrase. Note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When identifying a suitable replacement, ensure the device is WPA2-Personal certified.

5. Limit Administration to the Internal Network

To close holes that would allow an attacker to access and make changes to your network, on your network devices, disable the ability to perform remote/external administration. Always make network configuration changes from within your internal network.

6. Implement an Alternate DNS Provider

The Domain Name System (DNS) associates domain names (e.g. www.example.com) with their numerical IP addresses. The ISP DNS provider likely does not provide enhanced security services such as the blocking and blacklisting of dangerous web sites. Consider using either open source or commercial DNS providers to enhance web browsing security.

7. Implement Strong Passwords on all Network Devices

In addition to a strong and complex password on your WAP, use a strong password on any network device that can be managed via a web interface, including routers and printers. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as e-mail alerts and logging. Without a password, or with a weak or default password, attackers could leverage these devices to gain access to your other internal systems.

Home Entertainment Device Recommendations

Home entertainment devices, such as blu-ray players, set-top video players (e.g. Apple TV [11]), and video game controllers, are capable of accessing the Internet via wireless or wired connection. Although connecting these types of devices to a home network generally poses a low security risk, you can implement security measures to ensure these don't become a weak link in your network.

1. Protect the Device within the Network

Ensure the device is behind the home router/firewall to protect it from unfettered access from the Internet. In the case of a device that supports wireless, follow the Wireless LAN security guidance in this document.

2. Use Strong Passwords for Service Accounts

Most home entertainment devices require you to sign up for additional services (e.g. Playstation [12] Network, Xbox Live [13], Netflix [14], Amazon Prime [15], iTunes [16]). Follow the password guidance later in this document when creating and maintaining service accounts.

3. Disconnect When Not in Use

To prevent attackers from probing the network via home entertainment devices, if possible, disconnect these systems from the Internet when not in use. Some ISP modems/routers have a standby button you can use to disable the Internet connection.

Internet Behavior Recommendations

In order to avoid revealing sensitive information about your organization or personal life, abide by the following guidelines while accessing the Internet.

1. Exercise Caution when Accessing Public Hotspots

Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the Internet. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial activity. If you have a need to access the Internet while away from home, follow these recommendations:

- If possible, use the cellular network (that is, mobile Wi-Fi, 3G or 4G services) to connect to the Internet instead of wireless hotspots. This option often requires a service plan with a cellular provider.
- Set up a confidential tunnel to a trusted virtual private network (VPN) service provider (for example, StrongSwan's StrongVPN). This option can protect your traffic from malicious activities such as monitoring. However, use of a VPN carries some inconvenience, overhead, and often cost. Additionally, you are still vulnerable during initial connection to the public network before establishing the VPN.
- If using a hotspot is the only option for accessing the Internet, limit activities to web browsing. Avoid accessing services such as banking websites that require user credentials or entering personal information.

2. Do Not Exchange Home and Work Content

The exchange of information (e.g. e-mails, documents) between less-secure home systems and work systems via e-mail or removable media may put work systems at an increased risk of compromise. If possible, use organization-provided laptops to conduct all work business from home. For those business interactions that are solicited and expected, have the contact send work-related correspondence to your work, rather than personal, e-mail account.

3. Be Cognizant of Device Trust Levels

Home networks consist of various combinations of wired and wireless devices and computers. Establish a level of trust based not only on a device's security features, but also its usage. For example, children typically are less savvy about security than adults and may be more likely to have malicious software on their devices. Avoid using a less savvy user's computer for online banking, stock trading, family photograph storage, and other sensitive functions.

4. Be Wary of Storing Personal Information on the Internet

Personal information historically stored on a local computing device is steadily moving to on-demand Internet storage called the cloud. Information in the cloud can be difficult to permanently remove. Before posting information to these cloud-based services, ask yourself who will have access to your information and what controls you have over how the information is stored and displayed. In addition, be aware of personal information already published online by periodically performing a search using an Internet search engine.

5. Take Precautions on Social Networking Sites

Social networking sites are a convenient means for sharing personal information with family and friends. However, this convenience also brings a level of risk. To protect yourself, do the following:

- Think twice about posting information such as address, phone number, place of employment, and other personal information that can be used to target or harass you.
- If available, limit access of your information to "friends only" and attempt to verify any new sharing requests either by phone or in person.
- Take care when receiving content (such as third-party applications) from friends because many recent attacks deliver malware by taking advantage of the ease with which content is generally accepted within the social network community.
- Periodically review the security policies and settings available from your social network provider to determine if new features are available to protect your personal information. For example, some social networking sites now allow you to opt-out of exposing your personal information to Internet search engines.
- Follow friends' profiles to see whether information posted about you might be a problem.

6. Enable the Use of SSL Encryption

Application encryption (SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit when logging into web based applications such as webmail and social networking sites. Fortunately, most web browsers enable SSL support by default. When conducting sensitive personal activities such as account logins and financial transactions, ensure the web site uses SSL. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser. Additionally, many popular web applications such as Facebook [17] and Gmail [18] have options to force all communication to use SSL by default.

7. Follow E-mail Best Practices

Personal e-mail accounts, either web-based or local to the computer, are common attack targets. The following recommendations will help reduce exposure to e-mail based threats:

- Use different usernames for home and work e-mail addresses. Unique usernames make it more difficult for someone targeting your work account to also target you via your personal accounts.
- To prevent reuse of compromised passwords, use different passwords for each of your e-mail accounts.
- Do not set out-of-office messages on personal e-mail accounts, as this can confirm to spammers that your e-mail address is legitimate and can provide information to unknown parties about your activities.
- To prevent others from reading e-mail while in transit between your computer and the mail server, always use secure e-mail protocols (Secure IMAP or Secure POP3), particularly if using a wireless network. You can configure these on most e-mail clients, or select the option to "always use SSL" for web-based e-mail.
- Consider unsolicited e-mails containing attachments or links to be suspicious. If the identity of the sender cannot be verified, delete the e-mail without opening. For those e-mails with embedded links, open a browser and navigate to the web site directly by its well-known web address or search for the site using an Internet search engine.
- Be wary of any e-mail requesting personal information such as a password or social security number, as any web service with which you currently conduct business should already have this information.

8. Protect Passwords

Ensure that passwords and challenge responses are properly protected since they provide access to personal information.

- Passwords should be strong, unique for each account, and difficult to guess. Consider using a passphrase that you can easily remember, but which is long enough to make password cracking more difficult.
- Disable the feature that allows web sites or programs to remember passwords.
- Many online sites make use of password recovery or challenge questions. Your answers to these questions should be something that no one else would know or find from Internet searches or public records. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.
- Use two-factor authentication when available for accessing webmail, social networking, and other accounts. Examples of two-factor authentication include a one-time password verification code sent to your phone, or a login based on both a password and identification of a trusted device.

9. Avoid Posting Photos with GPS Coordinates

Many phones and newer point-and-shoot cameras embed GPS location coordinates when a photo is taken. An attacker can use these coordinates to profile your habits/pattern of life and current location. Limit the exposure of these photos on the Internet to be viewable only by a trusted audience or use a third-party tool to remove the coordinates before uploading to the Internet. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.

Additional Guidance

Social Networking:
http://www.nsa.gov/ia/_files/factsheets/I73021R-2009.pdf

Mitigation Monday – Defense Against Malicious E-mail Attachments:
http://www.nsa.gov/ia/_files/factsheets/MitigationMonday.pdf

Mitigation Monday #2 – Defense Against Drive By Downloads:
http://www.nsa.gov/ia/_files/factsheets/I733011R-2009.pdf

Hardening Tips

Mac OSX 10.6 Hardening Tips:
http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf

Enforcing No Internet or E-mail from Privileged Accounts:
http://www.nsa.gov/ia/_files/factsheets/Final_49635NonInternetsheet91.pdf

Hardening Tips for the Default Installation of Red Hat Enterprise Linux 5:
http://www.nsa.gov/ia/_files/factsheets/rhel5pamphlet-i731.pdf

Internet Protocol Version 6:
http://www.nsa.gov/ia/_files/factsheets/FactsheetIPv6.pdf

Security Tips for Personally-Managed Apple iPhones and iPads:
http://www.nsa.gov/ia/_files/factsheets/iphonetipsimage.pdf

Security Highlights of Windows 7:
http://www.nsa.gov/ia/_files/os/win7/win7_securityhighlights.pdf
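As an added example for item 9 of the Internet Behavior Recommendations above (not from the original factsheet), the following Python script checks a JPEG for an embedded GPS sub-IFD and removes the Exif segment that carries it before the photo is shared. The helper names and the constructed sample file are assumptions made for demonstration; JPEG marker layout, the Exif APP1 header and the GPS IFD pointer tag 0x8825 are from the JPEG/Exif specifications.

```python
"""Added example: detect and strip Exif metadata (where GPS coordinates are
stored) from a JPEG before upload. Hypothetical helper, not an NSA tool."""
import struct

APP1, SOS = 0xFFE1, 0xFFDA
GPS_IFD_TAG = 0x8825            # IFD0 entry that points at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data: bytes):
    """Yield (marker, start, end) per marker segment up to the SOS header."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError("corrupt marker segment at offset %d" % pos)
        end = pos + 2 + length          # marker (2) + length field + payload
        yield marker, pos, end
        if marker == SOS:               # entropy-coded scan follows; stop
            return
        pos = end


def exif_has_gps(payload: bytes) -> bool:
    """Walk IFD0 of an APP1 Exif payload; True if a GPS sub-IFD pointer exists."""
    if not payload.startswith(EXIF_HEADER):
        return False
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0] if ifd0 + 2 <= len(tiff) else 0
    # Each IFD entry is 12 bytes and begins with its 2-byte tag.
    for off in range(ifd0 + 2, min(ifd0 + 2 + 12 * count, len(tiff) - 1), 12):
        if struct.unpack(endian + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
            return True
    return False


def photo_has_gps(data: bytes) -> bool:
    return any(m == APP1 and exif_has_gps(data[s + 4:e]) for m, s, e in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment dropped; scan data intact.
    Orientation and camera tags are lost together with the GPS tags."""
    out, tail = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER):
            out += data[start:end]
        tail = end
    out += data[tail:]                  # scan data and EOI, copied verbatim
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed input (not a real photo): SOI, Exif APP1 with one IFD0 entry,
    DQT stub, SOS header, four scan bytes, EOI."""
    tag = GPS_IFD_TAG if with_gps else 0x0112                # 0x0112 = Orientation
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)              # big-endian, IFD0 at 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", tag, 4, 1, 26)
    tiff += struct.pack(">I", 0) + struct.pack(">H", 0)      # no next IFD; empty GPS IFD
    payload = EXIF_HEADER + tiff
    app1 = struct.pack(">HH", APP1, len(payload) + 2) + payload
    dqt = struct.pack(">HH", 0xFFDB, 4) + b"\x00\x00"
    sos = struct.pack(">HH", SOS, 4) + b"\x01\x00"
    return b"\xff\xd8" + app1 + dqt + sos + b"\x12\x34\x56\x78" + b"\xff\xd9"
```

On a real file, pass the bytes read from disk to `photo_has_gps` to decide whether a photo needs cleaning, and write the result of `strip_exif` to a new file before uploading.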

Disclaimer of Endorsement:

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.

Contact Information

Industry Inquiries: 410-854-6091, bao@nsa.gov
USG/IC Client Advocates: 410-854-4790
DoD/Military/COCOM Client Advocates: 410-854-4200
General Inquiries: NSA Information Assurance Service Center, niasc@nsa.gov

References

[1] McAfee is a registered trademark of McAfee, Inc.
[2] Norton is a registered trademark of Symantec
[3] Symantec is a registered trademark of Symantec
[4] Chrome™ is a trademark of Google
[5] Safari is a registered trademark of Apple
[6] Adobe is a registered trademark of Adobe Systems, Inc.
[7] Foxit is a registered trademark of Foxit Corp.
[8] eEye Digital Security is a registered trademark of eEye, Inc.
[9] BitLocker is a registered trademark of Microsoft
[10] Filevault is a registered trademark of Apple
[11] Apple TV is a registered trademark of Apple
[12] Playstation is a registered trademark of Sony
[13] Xbox Live is a registered trademark of Microsoft
[14] Netflix is a registered trademark of Netflix.com, Inc.
[15] Amazon Prime is a registered trademark of Amazon Technologies, Inc.
[16] iTunes is a registered trademark of Apple
[17] Facebook is a registered trademark of Facebook
[18] Gmail is a registered trademark of Google
