Wednesday, 16 September 2015

Security

There are more and more things that want to take over your computer to do whatever they want, whether it's to send spam, to steal bank and/or credit card details or, in more recent cases, to hold your files to ransom, as ransomware like Cryptolocker and Cryptowall does by preventing you from accessing your files unless you pay lots of money to decrypt them.

Not all of the recommendations below will be practical for everyone, and this is definitely not an exhaustive list of things you can do. Plenty of other websites have similar recommendations.

This is separated into three parts: at your internet router, at your computer, and finally a general section on things you can do to try to protect yourself from common issues on websites.

Internet Router

Firstly, if you have not already changed your router's login password from its default, change it. There are things that have been around for a few years which know how to log on to many routers and change the configuration so that nothing you do on any computer behind the router can possibly be secure.
At this point run a scan from grc.com's Shields Up service. A good result would be that there are no open or closed ports and all are stealth apart from those you have explicitly opened.

While you are in there, consider changing the DNS servers from the ones your ISP has given you. A good example would be OpenDNS, which you can configure to prevent programs from finding where their command and control servers are. Google also has DNS servers you can use. OpenDNS can also block other classes of sites so you can filter out inappropriate sites.

If your router gives you sufficient control over firewall rules,  consider blocking or redirecting all DNS access other than to whitelisted DNS servers that you explicitly chose to use in the previous step. 
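As an added example (not from the original post), the script below prints iptables rules that either block or redirect DNS to any server other than the ones you chose. It assumes a Linux-based router with iptables, a LAN interface called br-lan, the OpenDNS resolver addresses as the whitelist, and a made-up chain name DNSGUARD.

```shell
#!/bin/sh
# Added example: prints, but does not apply, iptables rules that stop LAN
# clients from using DNS servers other than the ones you whitelist.
# Assumptions: Linux router with iptables; LAN interface "br-lan"; OpenDNS
# resolver addresses; DNSGUARD is a hypothetical chain name.
# IPv4 only: repeat with ip6tables and IPv6 addresses if your LAN has IPv6.

# usage: dns_rules block|redirect LAN_IF RESOLVER_IP...
dns_rules() {
    [ "$#" -ge 3 ] || { echo "usage: dns_rules block|redirect LAN_IF IP..." >&2; return 2; }
    mode="$1"; lan_if="$2"; shift 2
    # Refuse odd characters so the printed commands cannot carry shell syntax.
    case "$lan_if" in
        ""|*[!A-Za-z0-9._-]*) echo "bad interface name: $lan_if" >&2; return 2 ;;
    esac
    for ip in "$@"; do
        case "$ip" in
            ""|*[!0-9.]*) echo "bad resolver address: $ip" >&2; return 2 ;;
        esac
    done
    case "$mode" in
        # block: other DNS is refused, so a mis-set device fails visibly.
        block)    table=filter; hook=FORWARD;    final="REJECT" ;;
        # redirect: other DNS is rewritten to the first resolver. This also
        # catches queries to the router itself unless its address is listed.
        redirect) table=nat;    hook=PREROUTING; final="DNAT --to-destination $1" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    echo "iptables -t $table -N DNSGUARD"
    # Whitelisted resolvers leave the chain untouched and follow normal rules.
    for ip in "$@"; do
        echo "iptables -t $table -A DNSGUARD -d $ip -j RETURN"
    done
    # Anything else that reached the chain is DNS to a non-whitelisted server.
    echo "iptables -t $table -A DNSGUARD -j $final"
    # Send LAN-side DNS (UDP and TCP port 53) through the chain first.
    for proto in udp tcp; do
        echo "iptables -t $table -I $hook 1 -i $lan_if -p $proto --dport 53 -j DNSGUARD"
    done
}

# Review the output before pasting it into the router's shell.
dns_rules block br-lan 208.67.222.222 208.67.220.220
```

After applying the rules, a lookup sent from a LAN computer directly to a resolver that is not on the list should fail in block mode, or be answered by your chosen resolver in redirect mode.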

Turn off Universal Plug and Play in the router. This will prevent programs and malware from changing the firewall on their own without your knowledge. If you have devices like an Xbox which require it to be on then you may have to leave it on.

Ensure encryption is WPA2 with a strong password.  It should not be WEP unless you have a device that cannot connect using the stronger WPA2. If necessary stick the password on a CD or USB Stick. 

Turn off Wi-Fi Protected Setup - it has numerous issues that mean it's not very secure.

If your router allows you to segregate devices on their own network port then look at splitting things into different networks,  e.g. Guest network for friends, another for any "Internet of things" devices and another for your own devices like your computer, printer and phone. 

Update the firmware regularly so that you get the vendor's fixes for any security problems in the firewall.

Consider replacing the router every few years if you haven't been getting updates to fix its security problems.

On Computer

Run as an unprivileged user for everything.

Install a decent anti-virus, e.g. ESET NOD32/ESET Smart Security, and keep it up to date.

To try to prevent things like Cryptolocker, look at CryptoPrevent.

Keep all software up to date, using Windows Update, Secunia PSI, etc.

Uninstall/Turn off Flash
Remove Java plugins in browsers

If you have the time and most of your software is signed with Authenticode, consider creating a Software Restriction Policy which prevents software that isn't whitelisted from running.

Consider running web browsers (and email clients) under Sandboxie and explicitly limiting what the browser can read from and write to directly.

Consider running an ad-blocker. Even if you don't care about adverts there are frequent reports of advert networks distributing adverts that have infected lots of computers.

If running Firefox, consider running NoScript.

Websites

Where a website provides two-factor authentication, use it - sites like Microsoft, Google, Facebook, Twitter, LinkedIn etc. do and will send you a text message with a code for you to enter when you log in.

If you have a Facebook 'Page' consider setting up another admin user as an owner that has a secure password etc so you can disable your main user if it gets compromised.

Have a different password per site - consider using a password manager like LastPass to keep track of your passwords so you can use a strong password that is harder to guess.

For sites like Facebook and Twitter, which allow you to log in to other apps and websites, review the list of connected apps and revoke any that you do not recognise. Additionally, if an app you are connecting demands to post on your behalf then, until you trust it, set the visibility of its posts to "only me".


1 comment:

  1. I think when it comes to data security, mainly if it is related to business documentation or so, there should be really valuable data room due diligence services implemented. Data destruction may have a very high price in the business world.
