Last week the SecTechno Information Security Blog brought to my attention some new home security guidelines in their article “NSA Presents ‘Best Practices for Keeping Your Home Network Secure’”. If you are an infosec pro there is nothing new here, but it is a great little eight-page reference on what home users should consider security-wise. It covers host-based recommendations for Windows and several Apple products, network recommendations, operational security/internet behavior recommendations, and enhanced protection recommendations.
The only caveat is that I wouldn’t advise passing this along to your non-technical friends and family. Although the NSA’s recommendations cover a wide range of areas, the guide does not explain how to configure them and in most cases does not suggest products. Given that they are writing a mostly vendor-neutral guide I understand why; however, a typical home user wouldn’t even know where to start on their own.
You can find the full guide here (PDF), but I’d like to make a few comments on some of their suggestions. In honor of Mother’s Day I am viewing these in terms of how my Mom would see them.
| Windows Host OS | |
| --- | --- |
| 1. Migrate to a Modern OS and Hardware Platform | Here they recommend migrating up to Vista or 7. This is a good suggestion given the built-in protections in modern OSs. I don’t see Mom upgrading her existing system but rather buying a new one to replace her five-year-old, slow-running Windows XP machine. |
| 2. Install a Comprehensive Host-Based Security Suite | The NSA provides some general advice here but offers no product suggestions. Even though they will slow down your computer, the suites from Symantec (Norton Internet Security) or McAfee (Internet Security) are the obvious choices. There are many other excellent choices as well, but I feel safe just recommending one of the big names for Mom. My only wish is that these companies would make some of their less resource-intensive corporate solutions available to consumers. |
| 3. Limit Use of the Administrator Account | This is a great suggestion for infosec pros, but try explaining it to your Mom. After some frustration I see most of us just setting her account up as an administrator. |
| 4. Use a Web Browser with Sandboxing Capabilities | They don’t mention any products here; however, I know this is one of Chrome’s big “selling” points. |
| 5. Update to a PDF Reader with Sandboxing Capabilities | Although most of us probably run an alternative PDF reader like Foxit or Sumatra, for the sake of simplicity Adobe Reader is probably the best choice for Mom. Just make sure she is running Adobe Reader 10.x (Reader X) or higher, which includes the Protected Mode sandbox. |
| 6. Migrate to Microsoft Office 2007 or Later | Throughout the document they stay fairly product-neutral; here is an exception. Come on … no love for OpenOffice? Unfortunately, since the rest of the world relies on Microsoft Office, it would probably be best to take the plunge and set Mom up with 2007 or 2010. |
| 7. Keep Application Software Up-to-Date | This is a great suggestion but often very hard to do in real life, where you don’t have an IT department managing your computer. The NSA doesn’t offer any suggestions, but my personal favorites when I was on Windows were automatically applied Windows Updates for all Microsoft software and Secunia PSI for most third-party software. |
| 8. Implement Full Disk Encryption (FDE) on Laptops | The NSA suggests using BitLocker, but what if you are not running the Ultimate or Enterprise edition of Windows Vista/7? Well, TrueCrypt is my personal favorite … best yet, it’s free and open source. If you want to go commercial, then the consumer-focused PGP Whole Disk Encryption application seems like a win. Overall, though, I see you setting this up for Mom. After that it should be pretty transparent to her. |
| Apple Host OS | |
| --- | --- |
| 1. Maintain an Up-to-Date OS | Similar to Windows, Apple’s OSs (OS X and iOS) check for updates automatically. You might get a few calls from Mom asking whether she should let the computer install them, though. |
| 2. Keep Third Party Application Software Up-to-Date | You can argue for or against Apple’s App Stores for OS X and iOS, but one thing is for sure: they make it dead simple to keep your applications up to date. If you don’t go that route, she’ll have to check manually or depend on each application to notify her of updates (expect a support call almost immediately). My suggestion for Mom is to use the App Store as much as possible. |
| 3. Limit Use of the Privileged (Administrator) Account | Running in this mode is no less complicated than on Windows. Again, you can try to set this up, but I have a feeling that most of us will just give up and make her account an administrator. |
| 4. Enable Data Protection on the iPad | I don’t have an iPad, but as far as I know Data Protection is enabled once a passcode is set on the device. If it isn’t, the NSA conveniently provides step-by-step instructions. Also don’t forget to encrypt your iTunes backups! |
| 5. Implement FileVault on Mac OS Laptops | Well, Macs don’t currently include a built-in FDE feature like the Ultimate/Enterprise editions of Windows Vista/7 do, and unfortunately I haven’t been able to find any free option similar to TrueCrypt’s FDE implementation. For this reason I recommend PGP’s Whole Disk Encryption solution again. In the near future, when Lion comes out, you won’t have to worry, as Apple’s new OS will include FDE as a built-in feature. Of course, the next best thing to FDE is to encrypt all the content in your home directory, and OS X’s FileVault conveniently provides exactly that. When turning it on, don’t be put off by the imposing warnings about losing your data. After you enable it, Mom shouldn’t notice the difference, as it works fairly transparently. |
Get ready to become Mr. Helpdesk on all of these recommendations. I won’t go into too much detail here since my basic recommendation for all of them is to do it for Mom instead of letting her try. The network recommendations are:

1. Secure home network design
2. Implementing WPA2 at a minimum if you use a wireless network
3. Limiting router administration to the internal network
4. Implementing an alternate DNS provider
5. Implementing strong passwords on all network devices

My only suggestion here is to use OpenDNS as the alternate DNS provider.
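If you are going to be Mr. Helpdesk for more than one relative, it helps to write the checklist down as code so you can run it against each router before you leave. The script below is an added example, not part of the NSA guide or the original post: it audits a router configuration snapshot against recommendations 2 through 5 (network design, recommendation 1, is architectural and not something a script can judge). The shape of the `cfg` dictionary, the "three of four character classes, 12+ characters" password rule, and the list of factory-default passwords are this example's own assumptions; the two OpenDNS resolver addresses are the provider's real, public ones. The weak and hardened configurations are constructed sample input.

```python
import re

# OpenDNS public resolvers (the post's suggested alternate DNS provider).
OPENDNS = {"208.67.222.222", "208.67.220.220"}

# Constructed, illustrative list of factory defaults seen on consumer gear.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345678"}


def is_strong_password(pw: str) -> bool:
    """Assumed rule: not a known default, 12+ characters, 3 of 4 character classes."""
    if pw in DEFAULT_PASSWORDS or len(pw) < 12:
        return False
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def audit_router(cfg: dict) -> list:
    """Return (recommendation_number, message) for each failed check."""
    findings = []

    # 2. WPA2 at a minimum, and WPA2 with AES/CCMP rather than the older TKIP cipher.
    wifi = cfg.get("wireless", {})
    if wifi.get("enabled"):
        ssid = wifi.get("ssid", "?")
        security = wifi.get("security", "open")
        if not security.startswith("WPA2"):
            findings.append((2, f"wireless '{ssid}' uses {security}; require WPA2"))
        elif wifi.get("cipher", "").upper() != "AES":
            findings.append((2, f"wireless '{ssid}' uses WPA2 with "
                                f"{wifi.get('cipher')}; use AES (CCMP)"))
        # The Wi-Fi passphrase counts as a network device password (recommendation 5).
        if not is_strong_password(wifi.get("passphrase", "")):
            findings.append((5, f"wireless '{ssid}' passphrase is weak or a default"))

    # 3. Administration only from the internal network: no WAN-side management.
    if cfg.get("admin", {}).get("remote_management"):
        findings.append((3, "remote (WAN-side) management is enabled; disable it"))

    # 4. Alternate DNS provider instead of whatever the ISP hands out.
    if not cfg.get("dns_servers"):
        findings.append((4, "DNS left to ISP default; set an alternate provider "
                            "such as OpenDNS " + ", ".join(sorted(OPENDNS))))

    # 5. Strong admin passwords on every listed network device.
    for device in cfg.get("devices", []):
        if not is_strong_password(device.get("admin_password", "")):
            findings.append((5, f"device '{device['name']}' admin password is weak or a default"))

    return findings


# Constructed sample configurations: a typical out-of-the-box router and a fixed one.
WEAK = {
    "wireless": {"enabled": True, "ssid": "linksys", "security": "WEP",
                 "passphrase": "password"},
    "admin": {"remote_management": True},
    "dns_servers": [],
    "devices": [{"name": "router", "admin_password": "admin"}],
}

HARDENED = {
    "wireless": {"enabled": True, "ssid": "MomNet", "security": "WPA2-PSK",
                 "cipher": "AES", "passphrase": "Tulips-Bloom-In-April-2011!"},
    "admin": {"remote_management": False},
    "dns_servers": sorted(OPENDNS),
    "devices": [{"name": "router", "admin_password": "Cinnamon&Rolls-are-Great-4"}],
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for number, message in audit_router(cfg) or [("-", "no findings")]:
            print(f"  [{number}] {message}")
```

Run it and the weak configuration produces one finding per recommendation (two for passwords, since the Wi-Fi passphrase and the router login are both defaults), while the hardened one is clean. A WPA2 network that still uses TKIP is flagged separately, because "WPA2" in a router's drop-down does not by itself mean the stronger AES cipher is in use.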
Well, I think this post is long enough for now. Be on the lookout for our follow-on post that covers the NSA’s operational security/internet behavior and enhanced protection recommendations. Again, Happy Mother’s Day… See ya!