Originally published as Confidence in Cyberspace in May 2014 by the NSA.
As a user with access to sensitive corporate or government information at work, you are at risk at home. In order to gain access to information typically housed on protected work networks, cyber adversaries may target you while you are operating on your less secure home network.
Don’t be a victim. You can help protect yourself, your family, and your organization by following some common sense guidelines and implementing a few simple mitigations on your home network.
Personal computing devices include desktop computers, laptops, smartphones, and tablets. Because the bulk of your information is stored and accessed via these devices, you need to take special care in securing them.
The latest version of any operating system (OS) inevitably contains security features not found in previous versions. Many of these security features are enabled by default and help prevent common attack vectors. In addition, using a 64-bit OS on a 64-bit hardware platform substantially increases the effort for an adversary to obtain privileged access on your computer.
Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. In addition, several security suites, such as those from McAfee, Norton, and Symantec, provide access to a cloud-based reputation service for leveraging corporate malware knowledge and history. Be sure to enable the suite’s automatic update service to keep signatures up to date.
In your operating system, the highly-privileged administrator (or root) account has the ability to access any information and change any configuration on your system. Therefore, web or email delivered malware can more effectively compromise your system if executed while you are logged on as an administrator. Create a nonprivileged “user” account for the bulk of your activities including web browsing, e-mail access, and document creation/editing. Only use the privileged administrator account for system reconfigurations and software installations/updates.
Visiting compromised or malicious web servers is a common attack vector. Consider using one of several currently available web browsers (e.g. Chrome, Safari) that provide a sandboxing capability. Sandboxing contains malware during execution, thereby insulating the underlying operating system from exploitation.
PDF documents are a popular mechanism for delivering malware. Use one of several commercial or open source PDF readers (e.g. Adobe, Foxit) that provide sandboxing capabilities and block execution of malicious embedded URLs (website links) within documents.
Attackers often exploit vulnerabilities in unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that offer this option, and promptly install patches or a new version when pop-up notifications indicate an update is available. Since many applications do not have an automated update feature, use one of several third-party products, such as those from Secunia and eEye Digital Security, which can quickly survey installed software and report which applications are end-of-life or need patches or updates.
To prevent data disclosure in the event that a laptop is lost or stolen, implement FDE. Most modern operating systems offer a built-in FDE capability, for example, Microsoft’s BitLocker, Apple’s FileVault, or LUKS for Linux. If your OS does not offer FDE, use a third party product.
To minimize the risk of inadvertently downloading malware, only download software and mobile device apps from reputable sources. On mobile devices, grant apps only those permissions necessary to function, and disable location services when not needed.
Mobile devices such as laptops, smartphones, and tablets post additional concerns due to their ease of use and portability. To protect against theft of the device and the information on the device, maintain physical control when possible, enable automatic screen locking after a period of inactivity, and use a hard-to-guess password or PIN. If a laptop must be left behind in a hotel room when traveling, power it down and use FDE as discussed above.
Home network devices include modems/routers, wireless access points (WAPS), printers, and IP telephony devices. These devices control the flow of information into and out of your network and should be carefully secured.
Your Internet Service Provider (ISP) likely provides a modem/router as part of your service contract. To maximize administrative control over the routing and wireless features of your home network, use a personally-owned routing device that connects to the ISP-provided modem/router. A typical small office/home office (SOHO) network configuration usually provides the home user with a network that supports multiple systems as well as wireless networking and IP telephony services.
Both IPv6 and its predecessor, IPv4, are used to transfer communications on the Internet. Most modern operating systems use IPv6 by default. If IPv6 is enabled on your device, but not supported by other systems/networks to which you are communicating, some OSes will attempt to pass IPv6 traffic in an IPv4 wrapper using tunneling capabilities, Teredo, 6to4, or ISATAP (Intra-Site Automatic Tunnel Addressing Protocol). Because attackers could use these tunnels to create a hidden channel of communication to and from your system, you should disable tunneling mechanisms. In Windows, you can disable these through Device Manager (be sure to select “View hidden devices” under the View menu).
To prevent attackers from scanning your network, ensure your personally-owned routing device supports basic firewall capabilities. Also, verify it supports Network Address Translation (NAT) to prevent internal systems from being accessed directly from the Internet. Wireless Access Points (WAPS) generally do not provide these capabilities so it may be necessary to purchase a wireless router or a wired router in addition to the WAP. If your ISP supports IPv6, ensure your router supports IPv6 firewall capabilities in addition to IPv4.
To keep your wireless communication confidential, ensure your personal or ISP-provided WAP is using Wi-Fi Protected Access 2 (WPA2) instead of the much weaker, and easily broken Wired Equivalent Privacy (WEP) or the original WPA. When configuring WPA2, change the default key to a complex, hard-to-guess passphrase. Note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When identifying a suitable replacement, ensure the device is WPA2-Personal certified.
To close holes that would allow an attacker to access and make changes to your network, on your network devices, disable the ability to perform remote/external administration. Always make network configuration changes from within your internal network.
The Domain Name System (DNS) associates domain names (e.g. www.example.com) with their numerical IP addresses. The ISP DNS provider likely does not provide enhanced security services such as the blocking and blacklisting of dangerous websites. Consider using either open source or commercial DNS providers to enhance web browsing security.
In addition to a strong and complex password on your WAP, use a strong password on any network device that can be managed via a web interface, including routers and printers. For instance, many network printers on the market today can be managed via a web interface to configure features such as e-mail alerts and logging. Without a password, or with a weak or default password, attackers could leverage these devices to gain access to your other internal systems.
Home entertainment devices, such as Blu-ray players, set-top video players (e.g. Apple TV), and video game controllers, are capable of accessing the Internet via wireless or wired connection. Although connecting these types of devices to a home network generally poses a low security risk, you can implement security measures to ensure these don’t become a weak link in your network.
Ensure the device is behind the home router/firewall to protect it from unfettered access from the Internet. In the case of a device that supports wireless, follow the Wireless LAN security guidance in this document.
Most home entertainment devices require you to sign up for additional services (e.g. PlayStation Network, Xbox Live, Netflix, Amazon Prime, iTunes). Follow the password guidance later in this document when creating and maintaining service accounts.
To prevent attackers from probing the network via home entertainment devices, if possible, disconnect these systems from the Internet when not in use. Some ISP modems/routers have a standby button you can use to disable the Internet connection.
In order to avoid revealing sensitive information about your organization or personal life, abide by the following guidelines while accessing the Internet.
Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the Internet. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial activity. If you have a need to access the Internet while away from home, follow these recommendations:
The exchange of information (e.g. e-mails, documents) between less-secure home systems and work systems via e-mail or removable media may put work systems at an increased risk of compromise. If possible, use organization-provided laptops to conduct all work business from home. For those business interactions that are solicited and expected, have the contact send work-related correspondence to your work, rather than personal, e-mail account.
Home networks consist of various combinations of wired and wireless devices and computers. Establish a level of trust based not only on a device’s security features but also its usage. For example, children typically are less savvy about security than adults and may be more likely to have malicious software on their devices. Avoid using a less savvy user’s computer for online banking, stock trading, family photograph storage, and other sensitive functions.
Personal information historically stored on a local computing device is steadily moving to on-demand Internet storage called the cloud. Information in the cloud can be difficult to permanently remove. Before posting information to these cloud-based services, ask yourself who will have access to your information and what controls do you have over how the information is stored and displayed. In addition, be aware of personal information already published online by periodically performing a search using an Internet search engine.
Social networking sites are a convenient means for sharing personal information with family and friends. However, this convenience also brings a level of risk. To protect yourself, do the following:
Application encryption (SSL or TLS) over the Internet protects the confidentiality of sensitive information while in transit when logging into web-based applications such as webmail and social networking sites. Fortunately, most web browsers enable SSL support by default.
When conducting sensitive personal activities such as account logins and financial transactions, ensure the web site uses SSL. Most web browsers provide some indication that SSL is enabled, typically a lock symbol either next to the URL for the web page or within the status bar along the bottom of the browser. Additionally, many popular web applications such as Facebook and Gmail have options to force all communication to use SSL by default.
Personal e-mail accounts, either web-based or local to the computer, are common attack targets. The following recommendations will help reduce exposure to e-mail-based threats:
Ensure that passwords and challenge responses are properly protected since they provide access to personal information.
Many phones and newer point-and-shoot cameras embed GPS location coordinates when a photo is taken. An attacker can use these coordinates to profile your habits/pattern of life and current location. Limit the exposure of these photos on the Internet to be viewable only by a trusted audience or use a third-party tool to remove the coordinates before uploading to the Internet. Some services such as Facebook automatically strip out the GPS coordinates in order to protect the privacy of their users.