Considering that one of the National Security Agency’s (NSA) primary missions is to conduct electronic espionage, it stands to reason that it knows a thing or two about network security.
As it turns out, the NSA’s Information Assurance Directorate (IAD) publishes a technical guide called Best Practices for Securing a Home Network. Don’t let the name fool you, however — much of the information it contains is equally applicable to small business networks as well as home ones.
Some of the NSA’s security recommendations seem like common sense, but many are also commonly ignored. Read on for 10 of the NSA’s tips; how many do you comply with?
1. Upgrade Your Operating System: Make it 64-bit
Many businesses use an “if it ain’t broke, don’t fix it” philosophy to justify the continued use of Windows XP. But when it comes to security, XP is broke, and the fact that you can still get updates for it — provided you have Service Pack 3 — doesn’t really fix this long-in-the-tooth operating system from a security standpoint.
Remember that XP is now over a decade old — August 24th, 2011 marked its 10-year anniversary — so a move to Windows 7 is long overdue. (When upgrading to Windows 7, be sure to opt for the 64-bit rather than the 32-bit version, as the former is harder for the bad guys to compromise.)
2. Minimize the Use of Administrator Accounts
By default (not to mention necessity) the first account you set up on a Windows PC has system administrator rights, even if the account’s not necessarily named “Administrator.” Unfortunately, people frequently go on to use this default account for their daily computing activities, which leaves them especially vulnerable to the myriad threats one invariably encounters while browsing the Web and accessing email. (Malware depends on administrator access, after all.)
The remedy: create a standard user account for your workaday computer use, and save the administrator account for when it’s really needed — for things such as installing hardware, software, or making system-wide configuration changes. Remember that while logged in with a standard account, you can right-click any program icon and choose the Run as administrator option when needed.
3. Use Full Disk Encryption (FDE) on Laptops
Laptops are easily lost or stolen and when that happens, standard password protection may not be enough to keep a determined thief from gaining access to your sensitive data. Full Disk Encryption (FDE), on the other hand, gives you an added layer of protection by securing not just specific files or folders but the entire contents of the computer, including the operating system.
Windows 7 offers built-in full disk encryption as part of its BitLocker feature, though it’s only available in the Enterprise and Ultimate editions. (You can upgrade a lesser version of Windows 7 to Ultimate via the Windows Anytime Upgrade.) Otherwise, there are a number of third-party full disk encryption products available, including Jetico’s BestCrypt and the free, open-source TrueCrypt.
4. Ditch Office 2003
Microsoft Office is a small business staple, but if you’re still using Office 2003 (and plenty of offices are), take heed, because Office 2003 documents use a binary file format that can execute potentially malicious code when you open them. The XML file formats used by the newer Office 2007 and 2010 versions, on the other hand, greatly reduce this problem, and Office 2010 includes a Protected View that opens potentially risky files — such as email attachments and files downloaded from the Internet– in a read-only mode.
5. Keep Your Programs Up-to-Date
Be sure to update your third-party programs when prompted to, and if programs don’t remind you, manually check for updates from time to time. True, these updates often include new features you may or may not care about, but they often deliver critical security patches behind the scenes as well. For a helping hand, check out Secunia Personal Software Inspector (PSI), which scans the programs installed on your Windows system and lets you know which ones need security updates (plus provide download links).
6. Use Your Own Router/Wireless Access Point
These days, many ISPs provide cable/DSL modems with built-in router, Ethernet switch, and Wi-Fi access point. These all-in-one devices may be convenient, but they can leave the security of your network in the hands of your ISP rather than yours. (Many ISPs limit your ability to update firmware or view or change configuration options on hardware they provide.)
Rather than running your network on a device that you don’t own or fully control, supply your own router/wireless access point and disable those functions on your ISP’s equipment.
7. Use WPA2
You probably already know that securing your Wi-Fi network with WEP encryption is barely better than none at all. But even the vastly superior WPA is surprisingly vulnerable to intrusion, particularly when short and/or dictionary-based passphrases are used.
To maximize the security on your wireless network, stick with WPA2; it uses AES encryption, which is far stronger than the TKIP (Temporal Key Integrity Protocol) method commonly used by WPA. Be aware of two caveats, though: first, some non-PC Wi-Fi devices may not support WPA2 (firmware updates may address this). Also, WPA2 consumes more computational power than WPA, so it could degrade the speed of your wireless network when used with older access points and/or PCs.
8. Use an Alternate DNS Provider
Many small business networks rely on their ISPs for DNS (Domain Name System) service, which lets you access websites and other Internet resources with friendly names like www.smallbusinesscomputing.com rather than obscure, numbers-only IP addresses. Switching to a third-party DNS service such as OpenDNS tends to provide faster browsing performance, and it enhances security by blocking access to sites that may be infected with malware. (Note: GFI Software recently discontinued its ClearCloud DNS service, and Google’s Public DNS service doesn’t currently offer any malware protection.)
9. Disable Remote Administration
Virtually all routers have a remote administration feature that lets you log in to view or modify network settings from the Internet. To minimize the risk of an unauthorized outsider gaining access to your network, you should disable remote administration so administrative chores can only be performed from inside the network.
10. Use Strong Passwords
You’ve undoubtedly heard this one before, but are you actually doing it? All network devices, from routers to NAS drives to printers, etc. should be configured with strong passwords. That means at least eight characters, with mixed case letters, numbers and/or symbols, and no proper names or dictionary words.
For more of the NSA’s security recommendations, download a full copy of the guide (PDF link).
Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7, from Friends of ED.
| Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today! |
