Simple Security: The Basics


Almost every day we hear about a new breach, a new piece of malware, or a new threat.

Computer security is more than a job for me, it's a hobby. I wanted to take a moment to provide some simple, unobtrusive security measures to help harden your Windows computer. While I mention antivirus and patching up front, the guide covers more than just that.

Antivirus: Let's face it, this is a given in today's day and age. It has become such a necessity that Microsoft gives it away for free: Windows Defender comes pre-installed on Windows 8 and up, and is an optional download for the rest. While Windows Defender is a good tool, it, like every other piece of software, has had its own share of vulnerabilities.

Recommendation: McAfee for its price, Bitdefender for its security.

McAfee is a widely disliked company, especially after it scored 47% in a virus-detection rating, but the DoD offers a complete McAfee security suite to its members for free. The suite provides email attachment scanning, secure deletion, a firewall, IDS/IPS, and root file protection. McAfee is a very aggressive antivirus and sometimes prevents legitimate but "questionable" programs like VPN clients from installing the drivers they need in order to work.

Bitdefender, on the other hand, is one of the highest-rated antivirus vendors, but you have to pay for that protection.

Stay away from: Kaspersky and Panda.

Patching: Do it. Do it regularly. Do it for every program. New exploits are developed every day, and the most popular applications are often the most targeted. It can be difficult to keep programs you don't use regularly on their newest version, but there are tools for that.

Recommendation: Secunia PSI. This free-for-personal-use application monitors thousands of applications and will attempt to auto-update them when a new version comes out.

Two important notes about Secunia:

1st. It's for personal use only. They offer a business version as well, but it costs money. And while you could just install the personal version on all of your business computers, you'd be violating the Terms of Service and exposing yourself to legal action.

2nd. Secunia can accidentally break programs. Occasionally Secunia will want to update a runtime that a different program depends on, so pay attention to what it wants to update. I have Private Internet Access (PIA) VPN installed; it's built on Ruby. Secunia updated Ruby and broke PIA. This is a minor inconvenience and can usually be fixed by using the Windows Control Panel to repair the program.


DNS security: In Cisco's 2016 security study, the Talos security team (Cisco) announced that over 50% of malware uses DNS to create covert channels and over 70% of companies don't monitor their DNS records. Now, I'm not telling you to start monitoring your DNS records, although that's a good idea. Monitoring DNS is easy; understanding what you're looking at is a different challenge entirely.

Recommendation: Spybot Search and Destroy, and Cisco OpenDNS.

Spybot Search and Destroy is an average antivirus program with some useful premium tools; however, the reason it's in this guide is its free immunization tool. Immunization adds entries to your hosts file so that roughly 40,000 known-malicious domains resolve to your own machine instead of the real server. Ideally this blocks the automatic connection a malware dropper makes when it tries to download its payload. Two caveats: the hosts file only helps for programs that resolve names through the OS (malware that connects straight to a hard-coded IP is unaffected), and the immunization doesn't auto-update, so you'll need to re-immunize regularly to pick up new entries.
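To make the hosts-file mechanism concrete, here is a small PowerShell "immunization" in the same style. It is an added example, not Spybot's code or anything from the original post: it keeps its entries in a marked section of the hosts file so a re-run refreshes them in place, and then checks through the OS resolver that a listed name now resolves to the sink address. The domain names and the `Add-HostsBlocklist`/`Test-HostsBlocked` function names are constructed for the example; writing the system hosts file needs an elevated prompt.

```powershell
# Added example: hosts-file "immunization" (not Spybot's code).
# Pins each listed domain to a sink address in a managed section of the hosts file.

function Add-HostsBlocklist {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        # 0.0.0.0 is used as the sink instead of 127.0.0.1 so the client does not
        # even attempt a connection to a local service on the blocked name.
        [string] $Sink = '0.0.0.0',
        # Defaults to the real system hosts file (elevation required to write it).
        [string] $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $begin = '# BEGIN immunize'
    $end   = '# END immunize'

    $lines = @()
    if (Test-Path $HostsPath) { $lines = @(Get-Content -Path $HostsPath) }

    # Drop any previous managed section so re-running refreshes it in place.
    $kept   = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($line in $lines) {
        if ($line -eq $begin) { $inside = $true;  continue }
        if ($line -eq $end)   { $inside = $false; continue }
        if (-not $inside)     { $kept.Add($line) }
    }

    # Names already pinned elsewhere in the file (e.g. by hand) are left alone.
    $pinned = @($kept | Where-Object { $_ -match '^\s*\d' } |
                       ForEach-Object { ($_ -split '\s+')[1] })
    $new = @($Domain | ForEach-Object { $_.Trim().ToLowerInvariant() } |
                       Sort-Object -Unique |
                       Where-Object { $_ -and ($pinned -notcontains $_) })

    $section = @($begin) + @($new | ForEach-Object { "$Sink`t$_" }) + @($end)
    Set-Content -Path $HostsPath -Value ($kept.ToArray() + $section) -Encoding ASCII
    return $new.Count
}

function Test-HostsBlocked {
    param([Parameter(Mandatory)] [string] $Name, [string] $Sink = '0.0.0.0')
    # Resolve through the OS resolver; hosts entries take precedence over DNS,
    # which is exactly what the immunization relies on.
    $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    return [bool]($answer | Where-Object { $_.IPAddress -eq $Sink })
}

# Constructed sample list for the demo (hypothetical names, not a real feed).
# The duplicate with different casing shows the normalisation.
$sample = @('dropper.example', 'payload-cdn.example', 'Dropper.Example')

$added = Add-HostsBlocklist -Domain $sample
"Pinned $added new domain(s)"
Clear-DnsClientCache
foreach ($d in ($sample | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)) {
    "{0,-24} blocked: {1}" -f $d, (Test-HostsBlocked -Name $d)
}
```

Run it again after editing the list and the managed section is rewritten rather than appended to, which is the part Spybot's "re-immunize" button does for you.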

Cisco's OpenDNS is owned and managed by Cisco's Talos security team. It actively monitors DNS domains and blocks suspected malicious activity. If you have an account it's also very customizable: you can block categories like adult websites, monitor your DNS queries, and get reports of network activity. It's also free; it's just a bit more complicated to set up. The ideal way is to log into your router and change its DHCP settings to hand out OpenDNS as the DNS server; however, if you're still using the router your ISP provided, you probably won't be able to do this, as ISPs often want you to use their servers. In that case the only option is to go to each computer in your house and set it individually. There's a pretty good guide here: http://208.69.38.205 that details exactly how to do that.

I also run an open resolver that uses Cisco's OpenDNS as the backend but doesn't have any logging and does encrypted DNS. I can provide the IP address for that to anyone who wants it; however, I use this resolver for my family, so it has specific things blocked, like adult websites, gambling, etc.

AdBlock: Depending on who you talk to, this is either a big Do or a big Don't. From a security standpoint, it's a big Do. Websites rely on ads; it's how they get paid. Blocking those ads means the website doesn't get paid for your visit. That's not to say your visit doesn't still help the site: it counts toward its Alexa ranking, helps search engines find it, and feeds the traffic statistics that determine how much ad providers are willing to pay a website.

Ads can create security issues. This is called malvertising: sometimes ads contain malicious JavaScript that runs when the ad loads and forcibly redirects your browser to a malicious website. Unfortunately, this isn't limited to shady websites or low-budget ad providers. It has affected major ad networks like DoubleClick (Google) and Facebook, and has been seen on sites like YouTube, Facebook, Twitter, and Spotify.

Recommendations: uBlock Origin, Pi-hole.

uBlock Origin is a browser-based ad blocker. Unlike AdBlock Plus, uBlock Origin doesn't have "acceptable ads", i.e. ads it was paid not to block. It's a simple two-click install: just search for it and pick your browser.

Pi-hole is a different kind of ad blocker: it uses DNS to block ads. Pi-hole auto-updates its blocklists from the sources in its configuration. When your computer goes to a website, Pi-hole sees the DNS requests; if a request is for an ad host, Pi-hole answers with its own address (or a null address) instead of the real one, so the ad never loads. Pi-hole also works network-wide, so it blocks ads on your smartphone the same way it blocks them on your computer. No more ads in mobile browsing! Pi-hole does have a small initial startup cost: while the program itself is free, you need a Linux computer to run it. My personal recommendation is a Raspberry Pi 3 ($35). It's cheap enough and powerful enough to run Pi-hole, and the Pi-hole team has made installation as simple as running a single command. Once Pi-hole is set up you simply tell your router or computer to use it as its DNS server and you're set. Pi-hole can also be set to use Cisco's OpenDNS as its upstream. The open resolver I run (mentioned above) is actually a Pi-hole in the cloud.
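Both the OpenDNS section and the Pi-hole section end with the same step: pointing each Windows computer at the resolver by hand when the router can't do it. The PowerShell below is an added example (not from the original post, OpenDNS or the Pi-hole project) that does that for every active adapter, confirms the change stuck, and checks that the resolver answers and sinkholes a name. The OpenDNS addresses are the public ones OpenDNS publishes; the Pi-hole address, the test names and the function names are assumptions for the example. Run from an elevated prompt.

```powershell
# Added example: set and verify the DNS resolver on a Windows client.
$OpenDns = @('208.67.222.222', '208.67.220.220')   # OpenDNS public resolvers
$PiHole  = '192.168.1.2'                           # assumed address of a local Pi-hole

function Set-ResolverOnAllAdapters {
    param([Parameter(Mandatory)] [string[]] $Server)
    $changed = @()
    foreach ($a in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Server
        $changed += $a.Name
    }
    return $changed
}

function Reset-ResolverOnAllAdapters {
    # Undo: go back to the DHCP-assigned servers (your router / ISP).
    foreach ($a in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ResetServerAddresses
    }
}

function Test-ResolverConfigured {
    # True only if every active adapter lists exactly the expected servers.
    param([Parameter(Mandatory)] [string[]] $Expected)
    foreach ($a in (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })) {
        $have = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
        if (Compare-Object @($have) @($Expected)) { return $false }
    }
    return $true
}

function Test-ResolverAnswers {
    # Bypass the hosts file and cache and ask the resolver directly.
    param([Parameter(Mandatory)] [string] $Server, [string] $Name = 'example.com')
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    return [bool]($r | Where-Object { $_.IPAddress })
}

function Test-Sinkholed {
    # True if the resolver answered with itself or a null address (how Pi-hole
    # "blocks" an ad host), or with no A record at all (Pi-hole's NXDOMAIN/NODATA
    # blocking modes), rather than a routable address.
    param([Parameter(Mandatory)] [string] $Server, [Parameter(Mandatory)] [string] $Name)
    $r   = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $ips = @($r | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    if ($ips.Count -eq 0) { return $true }
    return [bool]($ips | Where-Object { $_ -eq $Server -or $_ -eq '0.0.0.0' })
}

# --- OpenDNS on every computer in the house (the manual route the text describes)
"Updated: " + ((Set-ResolverOnAllAdapters -Server $OpenDns) -join ', ')
Clear-DnsClientCache
"Configured correctly: " + (Test-ResolverConfigured -Expected $OpenDns)
"OpenDNS answering:     " + (Test-ResolverAnswers -Server $OpenDns[0])

# --- Or a Pi-hole: same steps, different address. 'ads.example' is a constructed
#     name; put a host from your Pi-hole's blocklist here to see the sinkhole.
# Set-ResolverOnAllAdapters -Server $PiHole
# Test-Sinkholed -Server $PiHole -Name 'ads.example'
```

`Test-ResolverConfigured` is the check worth keeping: DHCP renewals, VPN clients and some installers quietly put the old servers back, and nothing else on the machine will tell you.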

PowerShell: PowerShell is Windows' newer, very powerful command-line shell. Some sources have claimed that Microsoft will eventually remove the classic Command Prompt and provide only PowerShell. That same power makes PowerShell a growing threat on Windows. "Fileless malware" refers to malware that runs as script in PowerShell or the Command Prompt, usually PowerShell, instead of dropping an executable on disk for antivirus to find.

Recommendation: Block scripts, or require signatures. These are simple settings that are not enforced usefully out of the box. The execution policy on Windows client editions defaults to Restricted and on Windows Server to RemoteSigned, but installers and how-to guides routinely loosen it to Unrestricted, so check what yours actually is. One line of PowerShell sets it back:

"Set-ExecutionPolicy Restricted" prevents any script file from running in PowerShell. Commands still work interactively, one at a time.

"Set-ExecutionPolicy AllSigned" means every script, including ones written locally, must carry a valid signature from a publisher whose certificate the machine trusts.

Both settings reduce the chance of a script running by accident. They are not a security boundary, though, and Microsoft documents them as such: anything that already has code execution can launch powershell.exe with -ExecutionPolicy Bypass, pipe script text into it, or pass it as an -EncodedCommand, and the policy stops none of that. Fileless malware does exactly this. Treat the execution policy as a seatbelt, turn on PowerShell script block logging so you can see what actually ran, and for real enforcement use an application whitelist (AppLocker or Windows Defender Application Control), which also drops PowerShell into Constrained Language mode.
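The session below walks through those steps and, importantly, shows the bypass so the limitation is not abstract. It is an added example, not code from the original post: the script folder, the temporary demo script and its contents are constructed for the walkthrough, and `Get-ScriptSignatureReport` is a helper name chosen here. Run it from an elevated prompt.

```powershell
# Added example: execution policy in practice, its bypass, and the logging
# that catches the bypass.

# 1. What is in force, and at which scope? The most specific scope wins
#    (Process > CurrentUser > LocalMachine), so a Restricted machine policy
#    means nothing if the user's own scope says Unrestricted.
Get-ExecutionPolicy -List

# 2. Require signatures machine-wide (use Restricted to forbid scripts outright).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Which scripts already on the box would AllSigned still let run?
function Get-ScriptSignatureReport {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -Filter *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}
Get-ScriptSignatureReport -Path "$env:USERPROFILE\Documents" | Format-Table -AutoSize

# 4. The policy is not a security boundary. Each of these runs an unsigned
#    script under AllSigned; fileless malware uses the same three tricks.
$demo = Join-Path $env:TEMP 'unsigned-demo.ps1'          # constructed sample script
Set-Content -Path $demo -Value 'Write-Output "ran despite the policy"'

powershell.exe -NoProfile -ExecutionPolicy Bypass -File $demo      # explicit override
Get-Content $demo | powershell.exe -NoProfile -Command -           # script via stdin
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes((Get-Content $demo -Raw)))
powershell.exe -NoProfile -EncodedCommand $enc                     # base64 one-liner

# 5. So record what actually executes. Script block logging writes the
#    de-obfuscated content of every block, including the three above.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 6. Logged blocks land in the PowerShell operational log as event ID 4104.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 5 |
    Select-Object TimeCreated,
        @{ n = 'Block'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }

Remove-Item $demo -ErrorAction SilentlyContinue
```

Step 4 is the one to remember: the first two commands produce the same "ran despite the policy" output as the third, and only the logging in steps 5 and 6 leaves a record of any of them.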

Backups: Extra, extra, read all about it! Ransomware compromises hundreds of thousands of computers across the world, including the UK's National Health Service. Users have to pay hundreds to potentially thousands of dollars to get their files back. Ransomware is here to stay, that's the sad fact, but there are ways to prepare for it. Backups will let you recover quickly from a ransomware compromise without losing your personal files. Not all backups are created equal. Despite what hard drive makers will tell you, an external HDD isn't a backup, it's a copy. If your "backup" HDD is connected to the computer when the ransomware hits, that HDD is as good as worthless: it'll get encrypted too, and your "backups" will be just as unusable as the originals. Sure, you could plug it in, back up, then immediately unplug it, but that's a hassle.

Recommendation: Code42 CrashPlan.

This $6.50/month service provides a cloud backup of all your files. Unlimited storage means that whether you have 1 TB or 10, you can back it all up. Versioned backups let you restore a prior version of a file if you want, like a Word document you're constantly working on. A zero-knowledge option encrypts files on your computer before they ever reach the backup servers. You can have all the computers in your house back up to one computer and then have that computer back up to the cloud. And finally, it works on Linux as well. I recently had a HDD failure and lost all my wife's photos of our kids. A few hours later I had re-downloaded all 80 GB of pictures from CrashPlan.


That's all of my simple security tips. If time permits, I plan to do a more advanced security guide. Any feedback is appreciated.

Comments

  1. Thank you for sharing this article, it is very easy to understand and informative. Excellent!

    Mobile App Developer
