Eight Layers of Security Every Computer Should Have
From using the latest version of your favorite browser to ensuring that your network has monitoring tools in place that send up red flags when they see unusual behaviors, be protected.
The National Security Agency earlier this month published a document titled "Best Practices for Keeping Your Home Network Secure" packed with tips to help home users keep their computers and networks secure. The list of recommendations is segregated into four sections, namely recommendations for host-based computers (Windows OS and Mac OS X), recommendations for the network, a section covering "OPSEC" or Operational Security, and a final part that has several "enhanced protection recommendations" rounding up the list.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
The 8-page document (pdf) is a worthwhile read, though I want to focus on the first two sections with its recommendations for host-based security and network today. I've listed the tips verbatim below, followed by my opinion on how they are applicable to the typical small- and mid-sized business.
Recommendations for Host-based Workstations
For Windows-based host machines, the NSA recommends that users:
- Migrate to a modern OS and hardware platform.
- Install a comprehensive host-based security suite.
- Limit use of the Administrator account.
- Use a Web browser with sandboxing capabilities.
- Update to a PDF reader with sandboxing capabilities.
- Migrate to Microsoft Office 2007 or later.
- Keep applications software up-to-date.
- Implement Full Disk Encryption (FDE) on laptops.
The advice to migrate to a "modern" operating system is a logical one, and in fact mirrors Microsoft's latest report that Windows 7 is far less likely to be infected with malware than older Windows XP-based machines. In this vein, the call to change the "hardware platform" is probably related to how newer versions of Windows are unlikely to work well on older hardware. Moving on, the importance of installing some form of anti-malware defenses is obvious, as with the suggestion not to use the administrator account for day-to-day access.
Interestingly, a number of the security recommendations pertain to the recommendation of using modern software designed and built with security in mind. Some software off the top of my head would include the likes of Google Chrome for Web browsing and Foxit Reader for viewing PDF files. Not surprisingly, businesses relying on older versions of Microsoft Office are also advised to migrate to Office 2007 or Office 2010. Finally, the use of full-disk encryption is recommended, no surprise given the propensity for laptops to be lost or stolen. This could be implemented via the use of software encryption such as BitLocker, or the installation of self-encrypting drives that I blogged about last week.
Recommendations for Networks
In addition, the NSA lists the following recommendations on the network front:
- Home network design
- Implement WPA2 on wireless network
- Limit Administration to internal networks
- Implement an alternate DNS provider
- Implement strong passwords on all network devices
The NSA recommends that a home Internet router be deployed to segregate the home networks from the Internet. On the same token, SMBs should consider the use of firewalls and proxy servers to more effectively shield themselves. In addition, Wi-Fi wireless networks should be configured for WPA2, a recommendation that I brought up on here back in 2008. This piece of advice is even more important now given recent news reports highlighting how criminals are now targeting SMBs with unsecured, vulnerable Wi-Fi networks. And while it may be tempting for administrators of SMBs to open the network equipment at branch offices for remote administration, this is not recommended. Similarly, strong passwords should be set on all network devices to protect them from brute-force hacking.
The tip to implement an alternate commercial DNS provider may seem bizarre initially, though it becomes less strange when you consider the abuse and security problems that can stem from hijacked domain name servers; users could conceivably be forwarded to malware-laden or phishing sites, for example. Do note, however, that many SMBs may already have signed up with more expensive leased lines, or broadband connections tailored for businesses. As such, the advice to adopt a third-party DNS provider may not be relevant here, though SMBs desiring a backup solution may easily configure Google Public DNS to serve as a tertiary DNS - ISPs generally offer two different DNSes.
Feel free to chip in below with any recommendations or suggestions.