3. Limit Use Of The Administrator Account Recommendations

2y ago
34 Views
2 Downloads
930.29 KB
8 Pages
Last View : 15d ago
Last Download : 2m ago
Upload by : Annika Witter
Transcription

As a user with access to sensitive corporateor government information at work , you areat risk at home. In order to gain access toinformation typically housed on protected worknetworks, cyber adversaries may target youwh ile you are operating on your less securehome network.Don't be a victim. You can help protectyourself, your family, and your organization byfollowing some common sense guidelines andimplementing a few simple mitigations on yourhome network.Personal Computing DeviceRecommendationsPersonal computing devices include desktopcomputers , laptops , smartphones , and tablets.Because the bulk of your information is storedand accessed via these devices, you need totake special care in securing them .1. Migrate to a Modern Operating Systemand Hardware PlatformThe latest version of any operating system(OS) inevitably contains security features notfound in previous versions . Many of thesesecurity features are enabled by defaultand help prevent common attack vectors .In addition , using a 64-bit OS on a 64-bithardware platform substantially increases theeffort for an adversary to obtain privilegedaccess on your computer.2. Install A Comprehensive Security SuiteInstall a comprehensive security suite thatprovides layered defense via anti-virus , antiphishing , safe browsing , host-based intrusionprevention , and firewall capabilities . Inaddition , several security suites , such as thosefrom McAfee 11, Norton ! 2 l, and Symantec [ 3l,provide access to a cloud-based reputationservice for leveraging corporate malwareknowledge and history. Be sure to enablethe su ite's automatic update service to keepsignatures up to date .3. Limit Use of the Administrator AccountIn your operating system , the highlyprivileged administrator (or root) accounthas the ability to access any information andchange any configuration on your system .Therefore, web or email delivered malwarecan more effectively comprom ise yoursystem if executed while you are logged onas an administrator. Create a nonprivileged"user" account for the bulk of your activitiesincluding web browsing , e-mail access , anddocument creation/editing . Only use theprivileged administrator account for systemreconfigurations and software installations/updates.4. Use a Web Browser with Sand boxingCapabilitiesVisiting compromised or malicious webservers is a common attack vector. Consider

using one of several currently available webbrowsers (e.g. Chrome [4l, Safari [5l) thatprovide a sandboxing capability. Sandboxingcontains malware during execution , therebyinsulating the underlying operating systemfrom exploitation .5. Use a PDF Reader with Sand boxingCapabilitiesPDF documents are a popular mechanismfor delivering malware. Use one of severalcommercial or open source PDF readers(e.g. Adobe (sJ, Foxi 7 l ) that provide sandboxingcapabilities and block execution of maliciousembedded URLs (website links) withindocuments.6. Update Application SoftwareAttackers often exploit vulnerabilities inunpatched , outdated software applicationsrunning on your computing device . Enablethe auto-update feature for applications thatoffer this option , and promptly install patchesor a new version when pop-up notificationsindicate an update is available. Since manyapplications do not have an automatedupdate feature, use one of several third-partyproducts, such as those from Secunia andeEye Digital Security [8], which can quicklysurvey installed software and report whichapplications are end-of-life or need patchesor updates .7. Implement Full Disk Encryption (FOE)on LaptopsTo prevent data disclosure in the event thata laptop is lost or stolen , implement FOE .Most modern operating systems offer a builtin FOE capability, for example Microsoft'sBitlocker [9], Apple's Filevault [1 0] , or LUKSfor Linux. If your OS does not offer FOE , use athird party product. .8. Download Software Only from TrustedSourcesTo minimize the risk of inadvertentlydownloading malware, only download softwareand mobile device apps from reputablesources. On mobile devices, grant apps onlythose permissions necessary to function , anddisable location services when not needed .9. Secure Mobile DevicesMobile devices such as laptops , smartphones ,and tablets pose additional concerns due totheir ease of use and portability. To protectagainst theft of the device and the informationon the device , maintain physical control whenpossible, enable automatic screen lockingafter a period of inactivity, and use a hard-toguess password or PIN. If a laptop must be leftbehind in a hotel room while travelling , powerit down and use FOE as discussed above .Network RecommendationsHome network devices include modems/routers , wireless access points (WAPs) ,printers, and IP telephony devices. Thesedevices control the flow of information intoand out of your network, and should becarefully secured .1. Configure a Flexible Home NetworkYour Internet Service Provider (ISP) likelyprovides a modem/router as part of yourservice contract. To maximize administrativecontrol over the routing and wireless featuresof your home network, use a personallyowned routing device that connects to theISP-provided modem/router. Figure 1 depictsa typical small office/home office (SOHO)network configuration that provides the homeuser with a network that supports multiplesystems as well as wireless networking andIP telephony services.,,.

DSUCable ModemProvided by ISPNetwork SwitchConnectionFrom ISPAccess PointPurchased ByHome UserAdapterFigure 1: Typical SOHO Configuration2. Disable Internet Protocol Version 6(1Pv6) TunnelingBoth 1Pv6 and its predecessor, 1Pv4, are usedto transfer communications on the Internet.Most modern operating systems use 1Pv6 bydefault. If 1Pv6 is enabled on your device, butnot supported by other systems/networks towhich you are communicating, some OSes willattempt to pass 1Pv6 traffic in an 1Pv4 wrapperusing tunneling capabilities such as Teredo,6to4 , or ISATAP (Intra-Site Automatic TunnelAddressing Protocol). Because attackers coulduse these tunnels to create a hidden channelof communication to and from your system ,you should disable tunneling mechanisms.In Windows , you can disable these throughDevice Manager (be sure to select "Viewhidden devices" under the View menu) .3. Provide Firewall CapabilitiesTo prevent attackers from scanning yournetwork, ensure your personally-owned routingdevice supports basic firewall capabilities.Also verify that it supports Network AddressTranslation (NAT) to prevent internal systemsfrom being accessed directly from the Internet.Wireless Access Points (WAPs) generally donot provide these capabilities so it may benecessary to purchase a wireless router, or awired router in addition to the WAP. If your ISPsupports 1Pv6, ensure your router supports1Pv6 firewall capabilities in addition to 1Pv4.4. Implement WPA2 on the WirelessNetworkTo keep your wireless communicationconfidential , ensure your personal or ISPprovided WAP is using Wi-Fi ProtectedAccess 2 (WPA2) instead of the much weaker,and easily broken Wired Equivalent Privacy(WEP) or the original WPA. When configuringWPA2 , change the default key to a complex ,hard-to-guess passphrase . Note that olderclient systems and access points may notsupport WPA2 and will require a software orhardware upgrade. When identifying a suitablereplacement, ensure the device is WPA2Personal certified .5. Limit Administration to theInternal NetworkTo close holes that would allow an attacker toaccess and make changes to your network,on your network devices , disable the abilityto perform remote/external administration .Always make network configuration changesfrom within your internal network.6. Implement an Alternate DNS ProviderThe Domain Name System (DNS) associatesdomain names (e .g . www.example .com) withtheir numerical IP addresses. The ISP DNSprovider likely does not provide enhancedsecurity services such as the blocking andblacklisting of dangerous web sites. Considerusing either open source or commercial DNSproviders to enhance web browsing security.7. Implement Strong Passwords on allNetwork DevicesIn addition to a strong and complex passwordon your WAP, use a strong password on anynetwork device that can be managed via aweb interface, including routers and printers .For instance , many network printers on themarket today can be managed via a web

interface to configure services, determine jobstatus , and enable features such as e-mailalerts and logging. Without a password , or witha weak or default password , attackers couldleverage these devices to gain access to yourother internal systems .Home Entertainment DeviceRecommendationsHome entertainment devices , such as bluray players, set-top video players (e.g. AppleTV 11 1), and video game controllers , arecapable of accessing the Internet via wirelessor wired connection. Although connectingthese types of devices to a home networkgenerally poses a low security risk , you canimplement security measures to ensure thesedon't become a weak link in your network.1. Protect the Device within the NetworkEnsure the device is beh ind the home router/firewall to protect it from unfettered accessfrom the Internet. In the case of a device thatsupports wireless , follow the Wireless LANsecurity guidance in this document.2. Use Strong Passwords for ServiceAccountsMost home entertainment devices requireyou to sign up for additional services (e .g.Playstation !12J Network , Xbox Live 131,Netflix 141, Amazon Prime 151, iTunes 161) .Follow the password guidance later in thisdocument when creating and maintainingservice accounts.3. Disconnect When Not in UseTo prevent attackers from probing the networkvia home entertainment devices , if possible ,disconnect these systems from the Internetwhen not in use . Some ISP modems/routershave a standby button you can use to disablethe Internet connection .Internet BehaviorRecommendationsIn order to avoid revealing sensitiveinformation about your organization orpersonal life , abide by the following guidelineswhile accessing the Internet.1. Exercise Caution when AccessingPublic HotspotsMany establishments , such as coffee shops,hotels , and airports, offer wireless hotspots orkiosks for customers to access the Internet.Because the underlying infrastructure ofthese is unknown and security is often weak ,these hotspots are susceptible to adversarialactivity. If you have a need to access theInternet while away from home , follow theserecommendations : If possible , use the cellular network (that is,mobile Wi-Fi, 3G or 4G services) to connectto the Internet instead of wireless hotspots .This option often requires a service plan witha cellular provider. Set up a confidential tunnel to a trustedvirtual private network (VPN) serviceprovider (for example , StrongSwan 'sStrongVPN) . This option can protect yourtraffic from malicious activities such as .monitoring . However, use of a VPN carriessome inconvenience , overhead , and oftencost. Additionally, you are still vulnerableduring initial connection to the public networkbefore establishing the VPN . If using a hotspot is the only option fo raccessing the Internet, limit activities toweb browsing . Avoid accessing servicessuch as banking websites that requ ire usercredentials or entering personal information .

2. Do Not Exchange Home and WorkContent5. Take Precaustions on SocialNetworking SitesThe exchange of information (e.g . e-mails,documents) between less-secure homesystems and work systems via e-mail orremovable media may put work systems atan increased risk of compromise . If possible ,use organization-provided laptops to conductall work business from home. For thosebusiness interactions that are solicited andexpected , have the contact send work-relatedcorrespondence to your work , rather thanpersonal , e-mail account.Social networking sites are a convenientmeans for sharing personal information withfamily and friends. However, this conveniencealso brings a level of risk. To protect yourself,do the following :3. Be Cognizant of Device Trust LevelsHome networks consist of variouscombinations of wired and wireless devicesand computers . Establish a level of trust basednot only on a device's security features, butalso its usage. For example , children typicallyare less savvy about security than adults andmay be more likely to have malicious softwareon their devices. Avoid using a less savvyuser's computer for online banking , stocktrading , family photograph storage , and othersensitive functions .4. Be Wary of Storing PersonalInformation on the InternetPersonal information historically stored ona local computing device is steadily movingto on-demand Internet storage called thecloud . Information in the cloud can be difficultto permanently remove . Before postinginformation to these cloud-based services,ask yourself who will have access to yourinformation and what controls do you haveover how the information is stored anddisplayed . In addition , be aware of personalinformation already published online byperiodically performing a search using anInternet search engine. Think twice about posting informationsuch as address, phone number, place ofemployment, and other personal informationthat can be used to target or harass you . If available, limit access of your informationto "friends only" and attempt to verify anynew sharing requests either by phone orin person . Take care when receiving content (suchas third-party applications) from friendsbecause many recent attacks delivermalware by taking advantage of the easewith which content is generally acceptedwithin the social network community. Periodically review the security policies andsettings available from your social networkprovider to determine if new featuresare available to protect your personalinformation. For example, some socialnetworking sites now allow you to opt-outof exposing your personal information toInternet search engines. Follow friends ' profiles to see whetherinformation posted about you might bea problem .6. Enable the Use of SSL EncryptionApplication encryption (SSL or TLS) over theInternet protects the confidentiality of sensitiveinformation while in transit when logging intoweb based applications such as webmail andsocial networking sites . Fortunately, most webbrowsers enable SSL support by default.

When conducting sensitive personal activitiessuch as account logins and financialtransactions , ensure the web site uses SSL.Most web browsers provide some indicationthat SSL is enabled , typically a lock symboleither next to the URL for the web pageor within the status bar along the bottomof the browser. Additionally, many popularweb applications such as Facebook [17 land Gmail [ 18l have options to force allcommun ication to use SSL by default.those e-mails with embedded links, open abrowser and navigate to the web site directlyby its well-known web address or search forthe site using an Internet search engine. Be wary of any e-mail requesting personalinformation such as a password or socialsecurity number as any web service withwhich you currently conduct business shouldalready have this information .8. Protect Passwords7. Follow E-mail Best PracticesPersonal e-mail accounts , either web-basedor local to the computer, are common attacktargets. The following recommendations willhelp reduce exposure to e-mail-based threats: Use different usernames for home and worke-mail addresses. Unique usernames makeit more difficult for someone targeting yourwork account to also target you via yourpersonal accounts. To prevent reuse of compromisedpasswords , use different passwords for eachof your e-mail accounts . Do not set out-of-office messages onpersonal e-mail accounts , as this can confirmto spammers that your e-mail address islegitimate and can provide information tounknown parties about your activities. To prevent others from reading e-mailwhile in transit between your computer andthe mail server, always use secure e-mailprotocols (Secure IMAP or Secure POP3) ,particularly if using a wireless network. Youcan configure these on most e-mail clients ,or select the option to "always use SSL" forweb-based e-mail. Consider unsolicited e-mails contain ingattachments or links to be suspicious . If theidentity of the sender cannot be verified ,delete the e-mail without opening . ForEnsure that passwords and challengeresponses are properly protected since theyprovide access to personal information . Passwords should be strong , uniquefor each account, and difficult to guess .Consider using a passphrase that you caneasily remember, but which is long enoughto make p(:!ssword cracking more difficult. Disable the feature that allows web sites orprograms to remember passwords . Many online sites make use of passwordrecovery or challenge questions. Youranswers to these questions should besomething that no one else would know orfind from Internet searches or public records .To prevent an attacker from leveragingpersonal information about yourself toanswer challenge questions , considerproviding a false answer to a fact-basedquestion , assuming the response is uniqueand memorable . Use two-factor authentication when availablefor accessing webmail , social networking ,and other accounts. Examples of two-factorauthentication include a one-time passwordverification code sent to your phone , ora login based on both a password andidentification of a trusted device .

9. Avoid Posting Photos.with GPSCoordinatesMany phones and newer point-and-shootcameras embed GPS location coordinateswhen a photo is taken. An attacker can usethese coordinates to profile your habits/patternof life and current location. Limit the exposureof these photos on the Internet to be viewableonly by a trusted audience or use a thirdparty tool to remove the coordinates beforeuploading to the Internet. Some services suchas Facebook automatically strip out the GPScoordinates in order to protect the privacy oftheir users .Internet Protocol Version 6:http://www.nsa.gov/ia/ files/factsheets/Factsheet-1Pv6.pdfSecurity Tips for Personally-ManagedApple iPhones and iPads :http://www. nsa. govlia/ files/facts heets/iphonetips-image.pdfSecurity Highlights of Windows 7:http://www.nsa.gov/ia/ files/os/win7/win7security highlights. pdfReferences[1] McAfee is a registered trademark of McAfee , Inc.[2] Norton is a registered trademark of SymantecAdditional GuidanceSocial Networking:http://www.nsa.gov/ia/ files/factsheets/173021 R-2009.pdf[3] Symantec is a registered trademark of Symantec[4] ChromeTM is a trademark of Google[5] Safari is a reg istered trademark of Apple[6] Adobe is a registered trademark of Adobe Systems, Inc.[7] Foxit is a registered trademark of Foxit Corp.[8] eEye Digital Security is a registered trademark of eEye , Inc.Mitigation MondayDefense Against Malicious E-mailAttachments :http://www.nsa.gov/ia/ files/factsheets/MitigationMonday.pdfMitigation Monday #2 Defense Against Drive By Downloads:http://www. nsa .govlia/ files/fa ctsheets/1733-011 R-2009.pdf[9] Bitlocker is a registered trademark of Microsoft[1 0] Filevault is a registered trademark of Apple[11] Apple TV is a registered trademark of Apple[12] Playstation is a registered trademark of Sony[13] Xbox Live is a registered trademark of Microsoft[14] Netflix is a registered trademark of Netflix.com , Inc.[15] Amazon Prime is a registered trademark of AmazonTechnologies , Inc.[16] iTunes is a registered trademark of Apple[17] Facebook is a registered trademark of Facebook[18] Gmail is a registered trademark of GoogleHardening TipsMac OSX 10.6 Hardening Tips:http://www. nsa. gov/ia/ fi les/factsheets/macosx 1 0 6 hardeningtips.pdfEnforcing No Internet or E-mail fromPrivileged Accounts:http://www. nsa.gov /ia/ files/facts heets/Final 49635Nonlnternetsheet91.pdfHardening Tips for the Default Installationof Red Hat Enterprise Linux 5:http://www. nsa. gov/ia/ fi les/factsheets/rhel5-pamphlet-i731.pdfDisc

knowledge and history. Be sure to enable the suite's automatic update service to keep signatures up to date. 3. Limit Use of the Administrator Account In your operating system, the highly-privileged administrator (or root) account has the ability to access any information and change any configuration on your system.

Related Documents:

May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)

Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .

On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.

̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions

Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have

Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được

Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. Crawford M., Marsh D. The driving force : food in human evolution and the future.

Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. 3 Crawford M., Marsh D. The driving force : food in human evolution and the future.