Security Beacon – Security Check List – Updated May 30, 2014

Below is a list of tips that can help small businesses and home users improve security and privacy.

General Computer Tips

  • Hardware Check
    • Minimum 512 MB RAM, 1 GB or more recommended
    • Adequate disk space for intended applications
  • Software Check
  • Encrypt all hard drives
    • Full Disk Encryption (FDE) is recommended; home directory encryption is acceptable but not nearly as secure as FDE.
    • Verify that swap or hibernate files are on an encrypted disk partition
    • Disable suspend mode power saving, use hibernate instead
    • Recommended FDE systems include BitLocker for Windows, FileVault for Apple OS X, and dm-crypt/LUKS for Linux, using a 256-bit AES algorithm.
    • We no longer recommend TrueCrypt. If you are already using TrueCrypt we recommend you migrate to an alternative solution.
    • Backup all data before attempting to install FDE software!
    • Once you’ve verified that FDE is working properly, go back and encrypt all of your backup media.
    • Use hardware encrypted hard drives as an alternative to software FDE solutions.
  • Adopt and use a password manager (e.g. KeePass)
    • Always use strong passwords
    • Do NOT reuse passwords
    • Periodically change passwords; especially on important accounts such as banking, e-mail, etc.
    • Go back and change old accounts to use strong passwords
    • Turn on or enable account passwords
    • Set screen saver to use password lock
    • On Linux or Unix disable root account and use sudo instead
    • Disable guest accounts
  • Adopt and use backup software
    • Configure software for daily incremental backups and weekly full backups of all user files. OS and program files are optional depending on your needs and confidence in rebuilding the OS disk.
    • Verify that all backup media is encrypted or that encryption is enabled in backup software
    • Store at least one full backup off-site or in the cloud each month.
    • Make backup copies of important software such as OS install CDs, startup and recovery disks, key hardware drivers, etc. and write down the corresponding installation keys. KeePass is a nice tool for storing this kind of information.
    • Clone your disks before making any important hardware or software updates. This will minimize down time if something goes wrong.
  • Power and Surge protection
    • Purchase and use a UPS (Uninterruptible Power Supply)
    • Follow this guide on properly connecting devices to the Battery Backup and Surge only outlets
    • Configure OS or bundled software to automatically hibernate or shutdown on power failure
    • Route phone and Ethernet lines through the surge-protected ports as well
  • Setup email encryption
    • S/MIME recommended first choice
    • PGP second for compatibility and best privacy
    • Use DropBox or similar file sharing service instead of attachments
    • If you find S/MIME or PGP too much hassle then use a web based secure e-mail solution such as Voltage or other easy to use encrypted e-mail services listed here.
  • Install and use anti-virus/anti-spam software
    • We recommend lightweight anti-virus solutions to avoid system slowdowns. (Microsoft Security Essentials is free and does not put a heavy load on most systems. ClamAV is also free and works on Windows, Mac and Linux/Unix.)
    • Make sure virus definitions are current.
    • Set the software to automatic mode
    • Periodically perform a full system scan
    • Realize that NO anti-virus software can protect you from all of the current and emerging threats. If you notice unusual behavior from your machine you are well advised to disconnect it from any network and isolate it from other computers until you have determined the cause of the problem.
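The item "verify that swap or hibernate files are on an encrypted disk partition" is easy to get wrong on Linux, because a LUKS root does not guarantee an encrypted swap, and the hibernation image is written to swap. The following is an added example, not part of the original checklist: it reads /proc/swaps and the output of `lsblk -P -o KNAME,PATH,TYPE` (util-linux; the PATH column is assumed to be available on your version) and reports whether each swap partition is a dm-crypt mapping. The sample inputs below are constructed.

```python
"""Check that every active Linux swap partition is backed by a dm-crypt mapping.

Added example (not part of the original checklist). Assumes Linux with
/proc/swaps and util-linux `lsblk -P -o KNAME,PATH,TYPE`.
"""
import re
import subprocess

# Constructed sample: /proc/swaps on a laptop with one swap partition on a
# LUKS mapping (dm-1) and one plain, unencrypted swap partition (sda3).
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority
/dev/dm-1                               partition\t8388604\t0\t\t-2
/dev/sda3                               partition\t2097148\t0\t\t-3
"""

# Constructed sample: `lsblk -P -o KNAME,PATH,TYPE` (one KEY="value" record per line).
SAMPLE_LSBLK = """\
KNAME="sda" PATH="/dev/sda" TYPE="disk"
KNAME="sda1" PATH="/dev/sda1" TYPE="part"
KNAME="sda2" PATH="/dev/sda2" TYPE="part"
KNAME="dm-0" PATH="/dev/mapper/cryptroot" TYPE="crypt"
KNAME="sda3" PATH="/dev/sda3" TYPE="part"
KNAME="dm-1" PATH="/dev/mapper/cryptswap" TYPE="crypt"
"""

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text):
    """Return {kernel name: (path, type)} from `lsblk -P` output."""
    devices = {}
    for line in text.splitlines():
        fields = dict(_PAIR.findall(line))
        if "KNAME" in fields:
            devices[fields["KNAME"]] = (fields.get("PATH", ""), fields.get("TYPE", ""))
    return devices


def parse_proc_swaps(text):
    """Return [(filename, type)] for each active swap area; the first line is a header."""
    swaps = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            swaps.append((parts[0], parts[1]))
    return swaps


def classify_swaps(proc_swaps_text, lsblk_text):
    """Map each swap area to 'encrypted', 'PLAINTEXT' or 'unknown'.

    A swap partition is encrypted when its kernel device is a dm-crypt mapping
    (lsblk TYPE "crypt"). A swap *file* lives on a filesystem whose backing
    device is not visible here, so it is reported as 'unknown' and must be
    checked by hand (for example with findmnt on the file's mount point).
    """
    devices = parse_lsblk(lsblk_text)
    by_path = {path: kname for kname, (path, _) in devices.items()}
    result = {}
    for filename, kind in parse_proc_swaps(proc_swaps_text):
        if kind != "partition":
            result[filename] = "unknown"
            continue
        # /proc/swaps shows /dev/dm-N for mapper devices; match by path or kernel name.
        kname = by_path.get(filename, filename.rsplit("/", 1)[-1])
        dev_type = devices.get(kname, ("", ""))[1]
        result[filename] = "encrypted" if dev_type == "crypt" else "PLAINTEXT"
    return result


def check_live_system():
    """Run the check against the real machine (Linux only)."""
    with open("/proc/swaps") as fh:
        swaps = fh.read()
    lsblk = subprocess.run(["lsblk", "-P", "-o", "KNAME,PATH,TYPE"],
                           capture_output=True, text=True, check=True).stdout
    return classify_swaps(swaps, lsblk)


if __name__ == "__main__":
    for name, status in classify_swaps(SAMPLE_PROC_SWAPS, SAMPLE_LSBLK).items():
        print(f"{name}: {status}")
```

Anything reported as PLAINTEXT means the hibernation image, and whatever was paged out of memory, is written to disk unencrypted even when the root filesystem is on LUKS.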

Network Issues

  • Wired Networking
    • Enable software firewall on all computers
    • Check and understand all firewall exceptions
    • Verify that NAT (Network Address Translation) is enabled on home or office router
    • Configure a strong admin password on the router
    • Test firewall using port scanner such as ShieldsUp from Gibson Research
    • Consider using a security appliance between your router and the rest of your network to block additional threats.
    • Consider adding redundant Internet connections to improve speed and reliability of your network.
    • You cannot be hacked if your computer is disconnected from the network. Consider turning off or disconnecting computers at night or whenever you aren’t using them.
    • Have separate networks for home and office functions. You don’t want your kids or guests to have access to business files, nor do you want Netflix and gaming traffic slowing or interfering with your business connections.
  • Wireless (WiFi) Networking
    • Enable WPA-PSK or better security on the router. If WPA or WPA2 is not available, replace the router with a newer model that supports it.
    • DO NOT USE WEP! It is not secure!
    • Turn off SSID broadcasts.
    • Make sure your router firmware is up to date.
    • Disable WPS and confirm that the router is not vulnerable to the Reaver attack.
    • Use strong passwords and change them every 3 to 6 months
    • Enable MAC filtering as an extra security measure
    • Consider purchasing an additional router or a router with multiple SSIDs to separate home and office wireless networks.
    • If you are in an area with a lot of 2.4 GHz WiFi signals, consider purchasing a dual band (2.4 GHz and 5 GHz) router to reduce interference and improve throughput.
    • Always avoid connecting to untrusted and unsecured networks
    • When connecting to an unknown network, verify that the firewall is enabled and all ports are closed, then test the firewall immediately upon connecting to the network
    • If you are not using WiFi be sure to disable it in the router.
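Before testing the firewall from outside, it helps to know what the host itself is exposing, which is what "check and understand all firewall exceptions" and "verify that all ports are closed" come down to. The following is an added example, not part of the original page: it parses the output of `ss -tuln` (iproute2 on Linux), separates sockets bound only to loopback from those other machines could reach, and reports anything that is not on an allow-list you maintain. The sample output and allow-list are constructed.

```python
"""Find listening sockets reachable from the network, from `ss -tuln` output.

Added example (not part of the original checklist). Assumes Linux with iproute2.
"""
import ipaddress
import subprocess

# Constructed sample of `ss -tuln` output. Columns:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port [Process]
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port      Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353            0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323           0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631           0.0.0.0:*
tcp   LISTEN 0      511    *:80                    *:*
tcp   LISTEN 0      128    [::]:22                 [::]:*
tcp   LISTEN 0      50     [::ffff:127.0.0.1]:9000 *:*
"""

# Constructed allow-list: the firewall exceptions you have consciously decided on.
ALLOWED = {("tcp", "22")}          # (netid, port)

WILDCARDS = {"*", "0.0.0.0", "::"}  # bound to every interface


def _split_local(addr_port):
    """Split 'host:port' as printed by ss; handles [v6] brackets and %scope suffixes."""
    host, _, port = addr_port.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]
    return host, port


def _is_loopback(host):
    """True only for addresses other machines cannot reach (127/8, ::1, mapped 127.x)."""
    if host in WILDCARDS:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                     # unrecognised form: treat as exposed, never as safe
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:127.0.0.1 is loopback too
    return ip.is_loopback


def parse_ss(text):
    """Yield (netid, host, port) for every socket line in `ss -tuln` output."""
    for line in text.splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        host, port = _split_local(parts[4])
        yield parts[0], host, port


def exposed_listeners(text):
    """Sorted [(netid, port, host)] for sockets that other machines could reach."""
    return sorted({(netid, port, host) for netid, host, port in parse_ss(text)
                   if not _is_loopback(host)})


def unexpected_exposures(text, allowed=ALLOWED):
    """Exposed sockets that are not on the allow-list of (netid, port)."""
    return [item for item in exposed_listeners(text) if (item[0], item[1]) not in allowed]


def check_live_system(allowed=ALLOWED):
    """Run against the real machine (Linux with iproute2)."""
    out = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    return unexpected_exposures(out, allowed)


if __name__ == "__main__":
    for netid, port, host in unexpected_exposures(SAMPLE_SS):
        print(f"unexpected: {netid} port {port} bound to {host}")
```

Every line this prints is either a firewall exception you should be able to explain or a service that should be bound to 127.0.0.1 instead; the external port-scan test in the list above should then show only the ports you have deliberately allowed.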

Laptop / Netbook Computer Specific Issues

  • All of the above notes plus…
  • Consider installing LOJACK remote wipe software.
  • Alternatively, download and install the free Prey software. Note that with properly implemented Full Disk Encryption (FDE), Prey will never report back, since it is impossible for a thief to start the OS. Your chances of recovering the hardware are therefore reduced; your data, however, will be much more secure. As a general rule we recommend FDE as the more secure option.

Removable Media

  • Encrypt all external hard disks, USB flash drives, etc. using software such as TrueCrypt.
  • If you are in a regulated industry governed by laws such as HIPAA, be sure to use devices with approved encryption algorithms (e.g. FIPS 140-2 validated). See here for discussion.
  • We recommend hardware-based encryption for USB flash drives
  • Perform a virus scan on all removable media after connecting it to untrusted computers

Email/Online

  • Use SSL or TLS encryption for your POP, IMAP and SMTP connections
  • If you have Gmail, enable two-factor authentication
  • Set all online accounts to use HTTPS (often set within the account profile)
  • Get set up with one or more forms of encrypted e-mail.
  • Use Voltage SecureCloud to send secured e-mail to anyone.
  • If you are using Thunderbird, be sure to set preferences to automatically compact (compress) folders. If you don’t do this there is a chance your mail files can become very large and corrupted, causing you to lose data.
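"Use SSL or TLS encryption for your POP, IMAP and SMTP connections" only protects you if the client also verifies the server's certificate; a client configured to accept any certificate is encrypting its traffic to whoever is on the path. The following is an added example, not from the original page, showing in Python's standard library what a properly verifying mail-client TLS context looks like next to the common "just make the certificate warning go away" configuration, plus a probe that completes the handshake against a server using either implicit TLS (ports 993/995/465) or STARTTLS. The host names and ports you pass to the probe are your own; nothing here is specific to any provider.

```python
"""Mail-client TLS: a verifying context, the insecure anti-pattern, and a handshake probe.

Added example (not part of the original checklist); standard library only.
"""
import imaplib
import poplib
import smtplib
import ssl

IMPLICIT_TLS_PORTS = {"imap": 993, "pop": 995, "smtp": 465}   # TLS from the first byte
STARTTLS_PORTS = {"imap": 143, "pop": 110, "smtp": 587}       # plaintext, then upgraded


def make_mail_tls_context():
    """Client context: system CA store, certificate and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    """The 'fix' people apply when a mail client complains about a certificate. Do not do this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # anyone on the path can now impersonate the server
    return ctx


def context_is_safe(ctx):
    """True only if the context will reject forged, expired or mis-issued certificates."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def probe_mail_tls(proto, host, port=None, ctx=None):
    """Connect to a mail server, complete the TLS handshake and return the negotiated version.

    Uses implicit TLS when `port` is the protocol's implicit-TLS port and STARTTLS
    otherwise. Raises ssl.SSLError if the server cannot be verified. Needs network.
    """
    ctx = ctx or make_mail_tls_context()
    port = port or IMPLICIT_TLS_PORTS[proto]
    implicit = port == IMPLICIT_TLS_PORTS[proto]
    if proto == "imap":
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx) if implicit else imaplib.IMAP4(host, port)
        if not implicit:
            conn.starttls(ssl_context=ctx)
        version, close = conn.sock.version(), conn.logout
    elif proto == "pop":
        conn = poplib.POP3_SSL(host, port, context=ctx) if implicit else poplib.POP3(host, port)
        if not implicit:
            conn.stls(context=ctx)
        version, close = conn.sock.version(), conn.quit
    elif proto == "smtp":
        conn = smtplib.SMTP_SSL(host, port, context=ctx) if implicit else smtplib.SMTP(host, port)
        if not implicit:
            conn.starttls(context=ctx)
        version, close = conn.sock.version(), conn.quit
    else:
        raise ValueError(f"unknown protocol {proto!r}")
    close()
    return version


if __name__ == "__main__":
    print("verifying context safe:", context_is_safe(make_mail_tls_context()))
    print("insecure context safe: ", context_is_safe(insecure_context()))
    # Example run against your own provider (placeholder host, needs network):
    # print(probe_mail_tls("imap", "imap.example.invalid", 993))
```

If the probe raises a certificate error against your real provider, the answer is to find out why (wrong host name, expired certificate, an interception proxy on the network), not to switch to the insecure context; with STARTTLS ports also make sure the client is set to *require* STARTTLS rather than "use if available", or a network attacker can simply strip the upgrade.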

Social Media – including Facebook, LinkedIn, Twitter, etc.

  • Regularly review all of your Facebook Security & Privacy Settings. Note that settings are constantly changing and evolving, so you cannot just set them once and forget about them!
  • Avoid any and all “Apps” unless you know they can be trusted. How do you know which ones to trust? Do some web research and make an informed decision based on your risk tolerance.
  • Immediately “unfriend” anyone whose account has been compromised. Hacked accounts are often obvious due to a sudden increase of spam posts for things like “blue pills”, “wonder bras”, and sweepstakes notices.
  • Your privacy (or lack thereof) depends on whether your friends are smart enough to properly manage their computers and privacy settings. If you don’t think they are up to the task you may want to “unfriend” them and find another way to stay in touch.
  • Realize that anything you put on Facebook has a very high probability of eventually being made available to the entire world! You should therefore refrain from posting any photos or information that you wouldn’t want to see in the newspaper or to be used against you in court or during a job interview. THINK BEFORE YOU POST!!!
  • Disable location based services on your smart phone that embed GPS data into the metadata of photos. Be sure to strip GPS data before you post photos on social networking sites.
  • Read the post on Why I Dumped Facebook and consider if you really need this form of social media in your life.
  • LinkedIn is vulnerable too.
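Stripping GPS data before posting, as the photo item above asks, does not need an image library once you know where the data lives: cameras and phones store location in the Exif block, an APP1 marker segment near the start of the JPEG file, and the IFD0 entry with tag 0x8825 points at the GPS sub-IFD. The following added example (not from the original page) walks the JPEG marker segments, reports whether the Exif block carries that GPS pointer, and writes a copy with the whole Exif segment removed while leaving the compressed image data byte-for-byte intact. The sample JPEG it builds is constructed and not a real photo.

```python
"""Detect and strip Exif metadata (where GPS tags live) from a JPEG, in pure Python.

Added example (not part of the original checklist); standard library only.
"""
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_MAGIC = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825          # IFD0 entry pointing at the GPS sub-IFD


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment; SOS or EOI ends the walk.

    Scan data is not length-prefixed, so everything from SOS to the end of the
    file is returned as one final segment and never parsed.
    """
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(jpeg)
    while pos + 1 < n:
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                                # fill byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):
            yield marker, pos, n
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:      # RSTn / TEM carry no length field
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length                            # length counts itself, not the marker
        if end > n:
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end


def _is_exif(jpeg, marker, start):
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_MAGIC


def _ifd0_tags(tiff):
    """Set of tags present in the first IFD of the TIFF structure inside an Exif block."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    return {struct.unpack(order + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count)}                         # each IFD entry is 12 bytes


def has_gps(jpeg):
    """True if the JPEG carries an Exif block whose IFD0 points at a GPS sub-IFD."""
    for marker, start, end in iter_segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return GPS_IFD_TAG in _ifd0_tags(jpeg[start + 10:end])
    return False


def strip_exif(jpeg):
    """Copy of the JPEG without its Exif APP1 segment(s); image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def _exif_segment(with_gps):
    """Constructed minimal Exif APP1: little-endian TIFF, IFD0 with a Model tag and optionally a GPS pointer.

    The value offsets are placeholders; nothing in this example dereferences them.
    """
    entries = [struct.pack("<HHII", 0x0110, 2, 6, 26)]           # Model tag, ASCII type
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 38))
    ifd = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    payload = EXIF_MAGIC + b"II" + struct.pack("<HI", 0x2A, 8) + ifd
    return bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(with_gps):
    """Constructed stand-in for a camera JPEG: SOI, Exif, one quant table, SOS, fake scan data, EOI."""
    dqt = b"\xFF\xDB" + struct.pack(">H", 67) + b"\x00" + bytes(64)
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56"              # contains a stuffed FF 00, which must not be parsed
    return bytes([0xFF, SOI]) + _exif_segment(with_gps) + dqt + sos + scan + bytes([0xFF, EOI])


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("GPS present before:", has_gps(photo))
    print("GPS present after: ", has_gps(strip_exif(photo)))
```

This removes the Exif segment only. Location can also appear in an XMP block (a different APP1 segment) or in proprietary maker notes, so if you rely on a tool rather than this script, check that it strips those as well, and run `has_gps` (or an equivalent check) on the output before posting rather than trusting that the upload site will do it for you.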

Cell Phone/PDA

Cordless Phones & Baby Monitors

  • Turn off baby monitors when not in use.
  • Retire old cordless phones that do not use Digital Spread Spectrum (DSS)

Credit Cards/Passports/ID

  • Use protective sleeves to prevent RFID scanning
  • Buy and use a cross-cut shredder to destroy financial documents before disposing of them in the trash.
  • Buy a locking mailbox to help prevent mail theft.
  • Use https://www.annualcreditreport.com to get a free yearly credit report.