Protect Your Home Network


When discussing how to protect corporate networks, we often get asked for advice about home networks. The principles are very similar, but we need to make allowances for budget, desired user experience, and effort to maintain. This post is Windows-centric, since that is still the most common operating system.

1) DNS is a good place to increase security, especially when switching away from the DNS provided by your ISP. OpenDNS is a DNS alternative that offers malware site protection and proactively blocks access to malicious sources, greatly reducing the risk of infections. It also stops known bots on your network from phoning home: since bots rely on DNS to connect to their master for instructions, OpenDNS can block that communication path. When OpenDNS sees a request for a known malicious site, it blocks the domain from resolving and notifies you. You can apply the OpenDNS settings to your home network DHCP servers so every device will use the OpenDNS servers to resolve domain names instead of the ISP DNS servers. The IP addresses of the OpenDNS servers are 208.67.222.222 and 208.67.220.220.

OpenDNS provides a corporate solution used by some of the largest corporate organizations in the world.  However, this is free for home use.  You can create a free account tied to your home network and also provide content filtering for children.
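A DHCP change only reaches devices that take their DNS settings from DHCP, so it is worth confirming what each adapter actually uses. The following is an added example, not part of the original post: it parses the text of `ipconfig /all` and lists adapters with resolvers other than the two OpenDNS addresses above. The sample output is constructed and assumes the English-locale layout.

```python
import ipaddress

OPENDNS = {"208.67.222.222", "208.67.220.220"}  # resolver addresses from the post
# Constructed sample of `ipconfig /all` output (English locale, trimmed).
SAMPLE = """\
Ethernet adapter Ethernet:

   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       208.67.220.220
"""

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def dns_servers_by_adapter(ipconfig_text):
    """Map each adapter heading to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            current, in_dns = line[:-1], False   # new adapter section
            adapters[current] = []
            continue
        label, sep, value = line.partition(" : ")
        if sep:   # a labelled field starts; only "DNS Servers" matters
            in_dns = label.strip(" .") == "DNS Servers"
        else:     # unlabelled line: continuation of the previous field
            value = line
        if current and in_dns and _is_ip(value.strip()):
            adapters[current].append(value.strip())
    return adapters

def non_opendns(ipconfig_text):
    """Return {adapter: [resolvers outside the OpenDNS pair]}."""
    stray = {name: [s for s in servers if s not in OPENDNS]
             for name, servers in dns_servers_by_adapter(ipconfig_text).items()}
    return {name: bad for name, bad in stray.items() if bad}

if __name__ == "__main__":
    print(non_opendns(SAMPLE))
```

In the constructed sample the Wi-Fi adapter is reported because one of its resolvers is not an OpenDNS address, which is what a statically configured adapter looks like after the DHCP change.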

2) WinPatrol monitors and exposes adware, keyloggers, spyware, worms, cookies, and other malicious software. This program puts you back in control of your computer with no need for constant updates. WinPatrol’s goal is to help you better understand what programs are running on your computer and to alert you to any new programs added without your permission. Unlike traditional security programs, WinPatrol doesn’t scan your hard drive searching for previously identified threats. Instead, it uses a heuristic behavioral approach, taking a snapshot of your critical system resources, and then alerting you to any changes that occur without your knowledge.
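The snapshot-and-compare approach described above can be illustrated with a short script. This is an added example, not WinPatrol's code and not part of the original post: it covers only the two registry Run keys, and the baseline, program names and paths are constructed for illustration.

```python
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def snapshot_run_keys():
    """Read the per-user and machine-wide Run keys (Windows only)."""
    import winreg  # standard library, available only on Windows
    entries = {}
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                        ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, command, _ = winreg.EnumValue(key, i)
                    entries[f"{label}\\{name}"] = str(command)
        except OSError:
            continue  # key absent or unreadable
    return entries

def diff_snapshots(baseline, current):
    """Report entries added, removed or altered since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": {k: current[k] for k in new - old},
        "removed": {k: baseline[k] for k in old - new},
        "changed": {k: (baseline[k], current[k])
                    for k in old & new if baseline[k] != current[k]},
    }

# Constructed snapshots for illustration; program names are hypothetical.
BASELINE = {
    "HKCU\\Updater": r'"C:\Program Files\ExampleApp\update.exe" /silent',
    "HKLM\\AudioTray": r"C:\Windows\System32\exampletray.exe",
}
CURRENT = {
    "HKCU\\Updater": r'"C:\Users\demo\AppData\Roaming\update.exe" /silent',
    "HKLM\\AudioTray": r"C:\Windows\System32\exampletray.exe",
    "HKCU\\HelperSvc": r"C:\Users\demo\AppData\Local\Temp\helper.exe",
}

if __name__ == "__main__":
    # On Windows, compare against the live registry; elsewhere use the sample.
    now = snapshot_run_keys() if sys.platform == "win32" else CURRENT
    for kind, items in diff_snapshots(BASELINE, now).items():
        for name, detail in items.items():
            print(f"[{kind}] {name}: {detail}")
```

A startup entry that appears, or one whose command now points somewhere else, is the kind of change this approach surfaces without needing a signature for the program involved.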

3) Use Chrome as your browser. Most hackers regard Chrome as providing the most security when browsing. Google Chrome is based on the open source Chromium project. It differs in that it includes Adobe Flash Player, a PDF viewer, an auto-updater, as well as support for closed source codecs. Chrome does an excellent job of blocking access to malicious websites and phishing websites, and of preventing the download of known malware.


  • Use an extension like ScriptSafe. ScriptSafe automatically stops scripts like JavaScript from running on webpages, which is vital because these scripts are heavily exploited by attackers. Users can create a ‘whitelist’ of permitted sites that can use JavaScript — trustworthy sites unlikely to be successfully attacked — which is a good thing, since many sites rely on JavaScript to work completely. WARNING – you will have to explicitly trust every single website that has JavaScript, and this plug-in will cause problems with certain websites. While increasing security, this will greatly change your browsing experience, so experiment to determine your tolerance for pain (unlike AdBlock).


4) Install the Enhanced Mitigation Experience Toolkit (EMET – http://www.microsoft.com/en-us/download/details.aspx?id=41138#). This free Microsoft toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques, especially the memory attacks that application whitelisting and anti-virus don’t catch. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.


5) Use strong passwords and keep them secret

  • Strong passwords are at least 14 characters long and include a combination of letters, numbers, and symbols. For commonly used passwords (wireless passwords, master passwords, etc.) use a sentence that has special characters and upper case/lower case. The length of the sentence is the most important factor against brute force attacks, and adding special characters greatly increases the bit strength. An example would be “Ireallyhatepasswords!@#”
  • Don’t use the same password on all sites. If it is stolen, all the information it protects is at risk. Roboform, LastPass, or equivalent is a good tool to ensure you are using very strong and unique passwords for every website. The master password should be unique and only used with the password application. KeePass is a free, open source version available at http://keepass.info/. KeePass is also available on Android and iOS devices.
  • Create different strong passwords for the router and the wireless key of your wireless connection at home.
  • Use a guest network to segment guests, kids that come over, relatives, etc. from your home network.  You never know what could be connecting to your network.

6) Protect your wireless network by following the steps at http://www.wikihow.com/Secure-Your-Wireless-Home-Network (with the caveat that we don’t believe MAC address filtering to be that useful).

  • Enable encryption on your access point using WPA2 (Not WEP).
  • Set a strong router access password. Don’t use easily guessed passwords for your WPA2 or router access passwords, such as “ABC123”, “Password”, or a string of numbers in order. Use something hard to guess that contains both upper and lowercase letters as well as numbers. Special characters such as !@#$% are not supported by some routers. The longer the key, the better, although the WPA2 key has a minimum and maximum length.
  • Do not disable the ‘SSID Broadcast’ feature of your Access Point or router. This seems counter-intuitive, but it is actually a bad idea. Although this would make your network invisible to your neighbors, any determined hacker can still sniff out your SSID; and you are implicitly forcing your computer to shout out your SSID anywhere you are, while it is trying to connect to it. Anyone could then impersonate your router with that SSID, and get your credentials that way.
  • Disable wireless administration. Finally, change the setting that allows administrating the router through a wireless connection to ‘off’ (meaning that you need to connect with a LAN cable for administration). This disables any wireless hacking into the router.

7) Use flash drives and unknown DVD/CDs cautiously.  Minimize the chance that you’ll infect your computer with malware:

  • Don’t put an unknown flash (or thumb) drive into your PC.
  • Hold down the SHIFT key when you insert the drive into your computer. If you forget to do this, click  in the upper-right corner to close any flash drive-related pop-up windows.
  • Don’t open files on your drive that you’re not expecting.

8) Use anti-virus to guard against viruses, spyware, and other evil software. It provides real-time protection for your home or small business PCs. Microsoft AV is free and designed to be simple to install and easy to use. It runs quietly and efficiently in the background.

  • http://windows.microsoft.com/en-US/windows/products/security-essentials
  • Ensure you are using Windows 7 or Windows 8.1 and turn on Windows Update with daily/automatic updates. SlimDrivers is a good free utility to find out-of-date drivers that Windows Update misses.
  • Secunia is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs which can expose PCs to attacks. Simply put, it is scanning software which identifies programs in need of security updates to safeguard the data on your PC against cybercriminals. It then supplies your computer with the necessary software security updates to keep it safe.
  • Avira, AVG, and Avast are other good free choices to protect the host operating system.
  • Comodo Endpoint protect is another excellent option that includes application whitelisting.

9) If you do think you have a malware infection there are some excellent free tools to help:

  • The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software (http://www.microsoft.com/security/scanner/en-us/default.aspx).
  • Malwarebytes Anti-Malware is a surprisingly effective freeware antimalware tool. It’s a relatively speedy malware remover, with the quick scan taking about 8 minutes even with other high-resource programs running. (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html).  All of our computers run Malwarebytes, EMET, and anti-virus.
  • Before you try to remove the malware, it is probably important to back up important files and data. Buy a USB stick and install a copy of Dr.Web LiveCD (http://www.freedrweb.com/livecd/how_it_works). Dr.Web LiveCD will clean your computer of infected and suspicious files, help you copy important information to a removable data storage device or another computer, and then attempt to cure infected objects.

10) Most people replace PCs every few years or so. Ensure you wipe all the data from the hard drives of the old machines to avoid problems. Use a tool like CCleaner before disposing of a laptop or giving it to a friend/relative. CCleaner can also scrub free space left on a disk. This is useful if you are giving a PC to a friend or relative and don’t want to wipe the operating system.