- May 12, 2000
- 9,359
- 2
- 0
I work professionally as a network security engineer and I have folks ask me often how they can protect their system, data and network at home. If you are like me you have a lot of personal data as well as financial data on your home network that could be very useful to a thief looking to steal your identity or drain your bank accounts. Keeping your system and data at home protected involves several methods working together to provide a multi layered defense. I employ all these methods at home. Some of them might seem like overkill, but to me it's worth it for piece of mind. You don't necessarily need to implement all of these methods.
Lets start with physical security:
1.) Keep all removable media containing sensitive data locked in a desk drawer or in a safe. Or better yet - don't keep any sensitive data on removable media other than for archiving purposes - this should be again locked in a desk drawer or safe when not in use.
2.) Use a steel computer case that uses a key lock to control access to inner components. This prevents people from physically stealing your hard drives and resetting your CMOS via the on board battery or jumper. Ideally this case has no "mesh" or windows. Even with a strong case with a key lock a determined thug will eventually get in, but the idea is that the added time to break into the case will make the gain not worth it.
3.) Place your computer case around your desk so that it isn't easily removed. My desk has a little cubby for tower cases that fits my case very well. It's a real bear to remove and would most likely be to much of a hassle for a smash and grab crook looking to get in and out of your home quickly. You can use a computer lock with a steel cable to tether your PC to your desk as an added step that will most likely make the PC not worth it to burglars.
Now for some pre-OS technical steps.
1.) Set a BIOS password. This will prevent anyone from booting the PC or accessing the BIOS without entering said password. Yes this is just one more password to remember, but if you should happen to forget you can reset your CMOS and start over.
2.) Remove optical drives, other hard drives, floppy drives, USB ports and card readers from your BIOS boot list/order. The only item in the list should be the drive containing the OS you plan to boot from. This will prevent a thief from using a live OS to boot your system and access your data.
*remember, a thief can easily bypass these steps if they are smart by simply resetting the CMOS on the motherboard. If you haven't implemented physical security methods to keep them out of the case and from taking the entire case you are only going to stop a non-technical, novice crook.
Next is post-OS boot technical steps.
1.) Drive encryption. There is a huge variety of drive encryption products out there. Some offer better levels of encryption than others, but most all will get the job done. Encrypt your boot drive as well as any other hard drives in the system. If a crook manages to steal the actual drives from your system he won't be able to do anything with the garbled data without considerable effort that is beyond most folks.
2.) Run an Anti-Virus software with the "on-access" scan running. Setup nightly or bi-nightly scans of all hard drives via the program's scheduler. Setup separate scans for running processes and files in memory. Set the definition update to daily.
3.) Run an Anti-Spyware software with similar scheduling to your Anti-Virus. You may be able to incorporate both of these into one product. There are a ton of products out there, many of them free of charge.
4.) Run a FireWall software set to the highest level of protection (block everything incoming and outgoing). You will have to setup exceptions for any traffic you want to let in/out for example HTTP traffic (web), a game, your POP-email application, etc. The XP firewall is really not going to cut it.
5.) Run an intrusion protection software. Like the Anti-Virus/SpyWare software this can sometimes be combined into a single product of FireWall/Intrusion protection. I have my intrusion protection software setup to email me whenever someone attempts to get in - I receive this email on my smart phone - I can then remotely shutdown the system to effectively stop the attack. Setting up something like this is a little tricky for the average user I will admit, but it is a means to stop an attack without actually being at home. I don't know about you but I am not at home all day.
6.) Keep your operating system and core applications up to date with patches, security fixes, etc from the software developer. We all know this is mostly aimed right at Microsoft. If you don't install these updates you run the risk of being compromised via an exploit that Anti-Virus, Anti-Spyware, FireWall and Intrusion Protection most likely will NOT catch or deter.
7.) This seems like a no brainier but a ton of folks don't do it. Set a password to the administrator account of your OS and if possible, rename the account. Also take this opportunity to disable any other accounts you do NOT use. I also like to do my day to day computing with an account that does not have administrator privileges. This can become somewhat of a pain at times but it's worth it in my opinion.
Last but not least, network technical steps.
1.) If you have a Wi-Fi access point at home, maybe incorporated into a router or switch, and do not use the Wi-Fi simply turn it off. This removes a huge open door to your home network.
2.) Lock down your Wi-Fi access point with a MAC address filter and encrypt the connection. There is nothing high-tech about Wi-Fi, it is simply radio waves that can be intercepted by just about anyone with a quick trip to RadioShack. I generally don't recommend using Wi-Fi at all. A wired network is much tougher to breach because the only way in is through the internet or physically being on the network. Lastly, if you do intend to use Wi-Fi, after you have all your devices connected, disable the SSID broadcast. This will effectively cloak your access point from most people.
3.) Use a hardware FireWall. Most Router/Wi-Fi combos these days come with a hardware FireWall built in but it is generally turned OFF by default. You should configure this FireWall just as you have with the software firewall on your PC. Block everything and then setup your exceptions. I like to use a separate hardware firewall that sits in between my internet connection and my router. This is something that large corporations have been doing for a long time. This can be done at home as well through "appliances" from a number of manufacturers or with an old PC running a Linux firewall product. In fact if you REALLY want to be secure from the outside you can "stack" FireWalls on top of each other. If a hacker breaks one level there is another right behind it. This is usually overkill for most people at home but is extremely effective.
I hope someone can get some use out of this checklist. This has been a "general overview" and doesn't go into a huge amount of detail. I could easily fill several pages on each one of these methods with configuration and product recommendations - the security field is that in depth. For now you can Google most of these methods or experiment on your own if you need instructions in implementing them.
Good luck and I hope you are one step closer to being secure!
Lets start with physical security:
1.) Keep all removable media containing sensitive data locked in a desk drawer or in a safe. Or better yet - don't keep any sensitive data on removable media other than for archiving purposes - this should be again locked in a desk drawer or safe when not in use.
2.) Use a steel computer case that uses a key lock to control access to inner components. This prevents people from physically stealing your hard drives and resetting your CMOS via the on board battery or jumper. Ideally this case has no "mesh" or windows. Even with a strong case with a key lock a determined thug will eventually get in, but the idea is that the added time to break into the case will make the gain not worth it.
3.) Place your computer case around your desk so that it isn't easily removed. My desk has a little cubby for tower cases that fits my case very well. It's a real bear to remove and would most likely be to much of a hassle for a smash and grab crook looking to get in and out of your home quickly. You can use a computer lock with a steel cable to tether your PC to your desk as an added step that will most likely make the PC not worth it to burglars.
Now for some pre-OS technical steps.
1.) Set a BIOS password. This will prevent anyone from booting the PC or accessing the BIOS without entering said password. Yes this is just one more password to remember, but if you should happen to forget you can reset your CMOS and start over.
2.) Remove optical drives, other hard drives, floppy drives, USB ports and card readers from your BIOS boot list/order. The only item in the list should be the drive containing the OS you plan to boot from. This will prevent a thief from using a live OS to boot your system and access your data.
*remember, a thief can easily bypass these steps if they are smart by simply resetting the CMOS on the motherboard. If you haven't implemented physical security methods to keep them out of the case and from taking the entire case you are only going to stop a non-technical, novice crook.
Next is post-OS boot technical steps.
1.) Drive encryption. There is a huge variety of drive encryption products out there. Some offer better levels of encryption than others, but most all will get the job done. Encrypt your boot drive as well as any other hard drives in the system. If a crook manages to steal the actual drives from your system he won't be able to do anything with the garbled data without considerable effort that is beyond most folks.
2.) Run an Anti-Virus software with the "on-access" scan running. Setup nightly or bi-nightly scans of all hard drives via the program's scheduler. Setup separate scans for running processes and files in memory. Set the definition update to daily.
3.) Run an Anti-Spyware software with similar scheduling to your Anti-Virus. You may be able to incorporate both of these into one product. There are a ton of products out there, many of them free of charge.
4.) Run a FireWall software set to the highest level of protection (block everything incoming and outgoing). You will have to setup exceptions for any traffic you want to let in/out for example HTTP traffic (web), a game, your POP-email application, etc. The XP firewall is really not going to cut it.
5.) Run an intrusion protection software. Like the Anti-Virus/SpyWare software this can sometimes be combined into a single product of FireWall/Intrusion protection. I have my intrusion protection software setup to email me whenever someone attempts to get in - I receive this email on my smart phone - I can then remotely shutdown the system to effectively stop the attack. Setting up something like this is a little tricky for the average user I will admit, but it is a means to stop an attack without actually being at home. I don't know about you but I am not at home all day.
6.) Keep your operating system and core applications up to date with patches, security fixes, etc from the software developer. We all know this is mostly aimed right at Microsoft. If you don't install these updates you run the risk of being compromised via an exploit that Anti-Virus, Anti-Spyware, FireWall and Intrusion Protection most likely will NOT catch or deter.
7.) This seems like a no brainier but a ton of folks don't do it. Set a password to the administrator account of your OS and if possible, rename the account. Also take this opportunity to disable any other accounts you do NOT use. I also like to do my day to day computing with an account that does not have administrator privileges. This can become somewhat of a pain at times but it's worth it in my opinion.
Last but not least, network technical steps.
1.) If you have a Wi-Fi access point at home, maybe incorporated into a router or switch, and do not use the Wi-Fi simply turn it off. This removes a huge open door to your home network.
2.) Lock down your Wi-Fi access point with a MAC address filter and encrypt the connection. There is nothing high-tech about Wi-Fi, it is simply radio waves that can be intercepted by just about anyone with a quick trip to RadioShack. I generally don't recommend using Wi-Fi at all. A wired network is much tougher to breach because the only way in is through the internet or physically being on the network. Lastly, if you do intend to use Wi-Fi, after you have all your devices connected, disable the SSID broadcast. This will effectively cloak your access point from most people.
3.) Use a hardware FireWall. Most Router/Wi-Fi combos these days come with a hardware FireWall built in but it is generally turned OFF by default. You should configure this FireWall just as you have with the software firewall on your PC. Block everything and then setup your exceptions. I like to use a separate hardware firewall that sits in between my internet connection and my router. This is something that large corporations have been doing for a long time. This can be done at home as well through "appliances" from a number of manufacturers or with an old PC running a Linux firewall product. In fact if you REALLY want to be secure from the outside you can "stack" FireWalls on top of each other. If a hacker breaks one level there is another right behind it. This is usually overkill for most people at home but is extremely effective.
I hope someone can get some use out of this checklist. This has been a "general overview" and doesn't go into a huge amount of detail. I could easily fill several pages on each one of these methods with configuration and product recommendations - the security field is that in depth. For now you can Google most of these methods or experiment on your own if you need instructions in implementing them.
Good luck and I hope you are one step closer to being secure!