This is a “public service announcement” for all of you (unpaid) home IT consultants who (like me) are charged with ensuring our families’ networks and devices are properly secured.
Just as with companies who think they are too small to be hacked, there are plenty of residential users who assume (incorrectly) that they are too uninteresting to be infiltrated.
So don’t be one of them yourself.
After all, good cybersecurity fences make for good neighbors.
Article by John Shier in Naked Security.
Emphasis in red added by me.
Brian Wood, VP Marketing
Security begins at home – how to do a “back to basics” security overhaul on your family network
My last post about two-factor authentication (2FA) got me thinking about another post for National Cyber Security Awareness Month (NCSAM).
While the last one dealt mostly with the ‘S’ in NCSAM, this one will also bring in a good measure of ‘A’.
My wife recently went back to work after spending a considerable amount of time away to look after our children.
With her work and home IT needs now converging on our family network, this got me thinking about security in a whole new way.
For over a decade now I’ve been responsible for maintaining security resources and advising Sophos customers and partners about security best practices.
I also do a fair bit of public speaking for Sophos on emerging threats and protection strategies and am always in contact with IT professionals and end users.
What I haven’t done so well is make sure that those closest to me get the same benefit from my experience.
While I practice what I preach, it occurred to me that my family doesn’t get the equivalent level of attention.
The old adage about the cobbler’s kids came surging to mind.
So here’s a checklist of what I did.
The first step was to get a laptop and configure it with all the necessary tools.
My wife works for a company that provides online services and is fortunate to work from home most of the time.
It also means that she spends a considerable amount of time online and handling potentially sensitive information.
The company is a small start-up, so she is mostly on her own when it comes to providing and securing these tools.
Since she is comfortable with computers, but by no means an expert, I went with the sensible option of Windows 7 Ultimate with Microsoft Office and Chrome.
Note: This isn’t an endorsement for the security, usability or performance of Chrome over any other browser. It was simply the browser she was most accustomed to and I didn’t want to change too many things all at once.
This combination makes my job much easier when it comes to off-the-shelf hardware, general availability of tools, patching and compatibility of software.
And of course, I also made sure that the laptop was running up-to-date anti-virus software.
With all the software installed, it was time to think about disk encryption.
I chose BitLocker because it gives me full disk encryption built into the operating system.
(Linux and Mac users have similar built-in options in the form of cryptsetup and FileVault2.)
If you plan on having any sensitive information on a portable device, I highly recommend that you encrypt it.
File storage and sharing
Next we looked at ways to securely share and store files in the cloud.
I’ve been using ownCloud for some time so I created an account on my server for my wife.
The benefit of ownCloud is that it allows me to control how and where the files are stored.
It also serves as a handy way to back up her files automatically by using the sync client, and works equally well on a smartphone.
If you prefer to use some of the available free cloud services for file storage and portability, make sure you understand how it’s all secured and consider adding your own layer of encryption as well.
Then came the end-user training.
This is where we talked about the benefits of complex passwords and using different passwords for every site you interact with.
Like many users, my wife at first balked at the concept of different (and complex) passwords for every site.
However, she’s been using a password manager, in her case, LastPass, for some time, so choosing new and secure passwords was easy.
The password manager also made adding two-factor authentication relatively painless.
Securing the network
Let’s not forget about the network.
At home, we use the free Sophos UTM Home Edition which looks after our firewall needs as well as providing web and email filtering, intrusion prevention and a VPN (virtual private network) for secure remote access.
Since we’re talking networks, I should mention that our home wireless network is also set up with security in mind.
I have nearly 20 devices that require connectivity, and although I still use wired Ethernet for some devices, for others, Wi-Fi is my only choice.
With that in mind I selected WPA2 Personal for my security mode with a 20 character passphrase.
Sure, it’s long and complex, but I only had to enter it once on each device – the devices are good at remembering it so I don’t have to.
I also encrypted my wife’s smartphone, and ensured she had better than a four-digit passcode to unlock it.
After all, she receives work and personal email on this device.
While I was at it, I installed the Google Authenticator app so we could add two-factor authentication to all of her social media sites – especially Facebook and Twitter, which she uses both for work and for play.
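To turn the checklist above into something repeatable, here is an audit script (added here as an example; it is not part of the original article and not a Sophos tool) that reports the Windows-side items the author covered: BitLocker state per volume, registered anti-virus and whether it is enabled, the most recent hotfix, and every saved Wi-Fi profile that is not WPA2-Personal with AES/CCMP. It assumes an elevated PowerShell session on an English-language Windows install (the netsh parsing relies on the English labels), and the anti-virus productState decoding is the commonly observed layout, not a documented one.

```powershell
# Home-network checklist audit (added example, run as Administrator on Windows).
# Reports: BitLocker status, anti-virus state, last installed hotfix, Wi-Fi profile security.

function Get-BitLockerStatus {
    # Win32_EncryptableVolume.ProtectionStatus: 0 = off, 1 = on, 2 = unknown (needs admin rights)
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume -ErrorAction Stop |
        ForEach-Object { New-Object PSObject -Property @{
            Drive = $_.DriveLetter; Encrypted = ($_.ProtectionStatus -eq 1) } }
}

function Get-AntiVirusStatus {
    # SecurityCenter2 lists registered AV products. productState is an undocumented bit field;
    # the hex-byte layout used here (byte 2: 0x10/0x11 = enabled, byte 3: 0x00 = definitions
    # current) is the widely observed convention, so treat the result as advisory.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            New-Object PSObject -Property @{
                Product  = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00') } }
}

function Get-WifiProfileSecurity {
    # Parse 'netsh wlan show profiles' for profile names, then each profile's
    # Authentication/Cipher lines. Only WPA2-Personal with CCMP (AES) counts as acceptable.
    $names = @()
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match 'Profile\s*:\s*(.+)$') { $names += $matches[1].Trim() }
    }
    foreach ($n in $names) {
        $auth = ''; $cipher = ''
        foreach ($d in (netsh wlan show profile name="$n")) {
            if ($d -match 'Authentication\s*:\s*(.+)$') { $auth   = $matches[1].Trim() }
            if ($d -match 'Cipher\s*:\s*(.+)$')         { $cipher = $matches[1].Trim() }
        }
        New-Object PSObject -Property @{ Profile = $n; Authentication = $auth; Cipher = $cipher
            Acceptable = ($auth -eq 'WPA2-Personal' -and $cipher -eq 'CCMP') }
    }
}

Write-Host '== Disk encryption =='; Get-BitLockerStatus | Format-Table Drive, Encrypted -AutoSize
Write-Host '== Anti-virus =='; Get-AntiVirusStatus | Format-Table Product, Enabled, UpToDate -AutoSize
Write-Host '== Most recent hotfix =='
Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, InstalledOn | Format-Table -AutoSize
Write-Host '== Wi-Fi profiles =='
Get-WifiProfileSecurity | Format-Table Profile, Authentication, Cipher, Acceptable -AutoSize
```

Any profile reported with Acceptable = False (for example WPA-Personal with TKIP, or an open network) is one to delete with netsh or reconfigure on the access point; the Wi-Fi passphrase itself is deliberately not read out.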
Was it worth the trouble?
This was an interesting exercise, and well worth the time I spent on it.
My wife will undoubtedly be safer and more secure online; her employer’s data will be safer, too, thus spreading the benefits well beyond our own network.
It also provided me with a good checklist to go out and evaluate the security posture of my friends and family.
After all, if I’m going to provide them with technical support, I might as well make sure they’re standing on a good foundation.
Now, time to go explain elliptic curve cryptography to the kids!