1· Use strong random passwords and a password manager such as LastPass.
2· Use open source firmware on your router such as DD-WRT or Tomato.
3· Use sandboxing technology such as SandboxIE.
4· Use full disk encryption where available.
5· Never use an ISP's e-mail or DNS server.
6· If you must use an ISP-provided device to connect to the internet, place it in bridged mode and disable wireless.
7· Disable WPS on your wireless router.
8· Use WPA2/AES (not TKIP) on your wireless router.
9· Add _OPTOUT_NOMAP to the end of your wireless network name (SSID).
10· Install a content blocker on all devices, such as uBlock Origin, 1Blocker, or Adblock Plus.
11· Update everything often.
12· Do not use free antivirus services, and to a lesser extent paid antivirus services.
Below are explanations for each step.
1) Brute force password cracking is nothing new, but think about it from an attacker's perspective. What is the most efficient way to brute force a password? It is not by starting at aaa and going through every iteration of random passwords; that is reserved as a last-ditch effort. The best way is to use dictionaries in conjunction with other pieces of known information: your mother's maiden name, your dog's name, or any other piece of unencrypted information an attacker can get out of you, combined with large dictionaries that substitute symbols for letters (think P@$$w0RD instead of password). So make sure your passwords are random.
Another method an attacker can use is a password from something else. Password databases are being released all the time. When an attacker breaks into Adobe's systems and releases usernames and passwords in a large file on the internet, the first thing people do is try those usernames and passwords on Facebook, Google, and any other site where the information might be the same. Don't reuse passwords.
So if you can't reuse passwords, and each password needs to be long and random, how are you going to remember the passwords for any given site? The answer is to use a password manager. Yes, there is a vulnerability there in that you are trusting something to hold the keys to everything you do online, but when you consider the trade-off, your security posture is improved significantly by using one. I personally recommend LastPass. With LastPass you need only remember your master password, and if you choose to do so you can also enable a second factor to log in. Your database is stored encrypted on the LastPass servers, and your master password is run through PBKDF2 with at least 5000 iterations locally and then another 100,000 server-side. If you do not like the idea of a third party holding on to your encrypted blob, you can use KeePass. You lose some features, and it might be difficult to log into anything if you go outside your normal circles, but that is the trade-off you make for ease of use.
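To make the two ideas above concrete, here is an added Python example (mine, not from the original post or from LastPass): it generates a random password from a 94-symbol alphabet with the OS CSPRNG, reports how many bits of entropy that gives, and then runs a master password through the same two-stage PBKDF2 stretching the post describes, 5000 iterations on the client and another 100,000 on the server. The choice of SHA-256, of the account name as the client-side salt and of a 16-byte random server salt are my assumptions, not LastPass's actual parameters.

```python
import hashlib
import hmac
import math
import secrets
import string

# Symbols a generated password is drawn from: 26 + 26 + 10 + 32 = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password chosen uniformly at random from ALPHABET.

    secrets.choice uses the OS CSPRNG; random.choice would not be suitable.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password of this length.

    Dictionary-plus-substitution guessing (P@$$w0RD) works because a human
    chosen password has far fewer bits than this figure.
    """
    return length * math.log2(alphabet_size)


def client_stretch(master_password: str, account_id: str, iterations: int = 5000) -> bytes:
    """Stage 1, run on the user's device. Assumed salt: the lower-cased account id.

    Only this derived value is ever sent to the server; the master password
    itself never leaves the device.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_id.lower().encode("utf-8"), iterations)


def server_stretch(client_hash: bytes, server_salt: bytes, iterations: int = 100_000) -> bytes:
    """Stage 2, run on the server with a per-user random salt.

    A copy of the server's database therefore costs an attacker
    5000 + 100000 PBKDF2 rounds for every guess at the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", client_hash, server_salt, iterations)


def register(master_password: str, account_id: str) -> dict:
    """Create the record the server keeps: random salt plus the two-stage verifier."""
    server_salt = secrets.token_bytes(16)
    verifier = server_stretch(client_stretch(master_password, account_id), server_salt)
    return {"salt": server_salt, "verifier": verifier}


def verify(record: dict, master_password: str, account_id: str) -> bool:
    """Check a login attempt; compare_digest avoids a timing side channel."""
    candidate = server_stretch(client_stretch(master_password, account_id), record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw} ({entropy_bits(len(pw)):.0f} bits)")
    rec = register(pw, "alice@example.com")
    print("login with right password:", verify(rec, pw, "alice@example.com"))
    print("login with wrong password:", verify(rec, pw + "x", "alice@example.com"))
```

A 20-character password from this alphabet carries about 131 bits, which is why a manager-generated password needs no dictionary-resistance tricks at all; the only password you still choose yourself is the master one, and the two PBKDF2 stages are what make guessing that one expensive.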
2) There are several examples of why the manufacturer of a router does not have your best interests at heart. In recent months it was discovered that several wireless routers that came with a Canadian ISP all had a default WPS PIN of 12345670, and when you logged into the router to disable WPS, the firmware said it was disabled but it was still operational. Linksys had a similar issue a few years ago with the disable button not working. Comcast wireless routers have a built-in guest network that allows anyone with a Comcast account to use your internet connection to surf the web, and I am sure if I think hard enough I can come up with many other examples of bad decisions from router manufacturers. The point is, don't put yourself in a position to rely on their updates or their security. By using open source firmware you can not only take better control over your own network, but you can also rely on people who have a vested interest in ensuring that the firmware stays secure. I use the Asus RT-AC66U and it works great for what I need it to do.
3) This particular tip is mainly for Windows users. SandboxIE is an app that places your browser, or any other app, in a sandbox. If you run your browser sandboxed and you happen upon a maliciously coded site that is able to leverage a vulnerability to install a persistent back door on your machine, then when you close the sandbox the hole is gone. SandboxIE works by copying whatever is requested into the sandbox, so that the program inside thinks it is modifying your system when in fact it is only modifying a copy. If you are going to install some trial software or something you just want to mess around with, it is best to do it in a sandbox. That way, when you uninstall it, you can just delete the sandbox and it is as if the software was never on your system in the first place. You don't have to worry about messy uninstallers or what is left over on your system; it is all gone.
SandboxIE does not protect your privacy. If you are using an app in a sandbox that is trying to suck in your data, SandboxIE will gladly comply by copying that data into the sandbox; it only helps to remove a persistent threat. Other options are available for more secure browsing, such as using an alternate bootable OS like Ubuntu or Mint, or installing them within a virtual machine using something like Oracle's VirtualBox. While SandboxIE is a Windows solution, the others are cross-platform.
4) Full disk encryption protects your computer when it is off. While this may be a bit over the top for most people, keep in mind the method or methods by which you log into your device. If it is a password, you cannot be compelled by the authorities to reveal your password due to protections from the 5th Amendment; however, you can be compelled to provide your finger if you are using a fingerprint to authenticate. Examples of this use case are newer Android and iPhone devices. Either way, check your local laws if you are outside the US to determine the best method to ensure your privacy.
5) ISPs like to do weird things sometimes, and they are prone to DNS filtering or other mayhem based on DNS services; it's best to just go outside of their control and use open DNS servers. 22.214.171.124 is a Google server and 126.96.36.199 is a Verisign DNS server. There is also a Windows application on GRC.com called DNS Benchmark that I like to use; it tests thousands of DNS servers to show you which ones have the fastest response time. It's best to change this on your wireless router so that all of the devices connected to your network gain this benefit, instead of doing it on a per-machine basis.
6) OK, this one is kind of tricky because it depends on how your ISP's equipment is set up. If you plug a device into your ISP's equipment and your IP address does not start with 10., 172.16. through 172.31., or 192.168., then you can ignore the bridged mode issue. If it does start with one of those you still might not have to deal with it; just plug your router in and see if it works. Sometimes, depending on the equipment, having a NAT router behind another NAT router can cause connectivity issues. By not using your provider's equipment, you once again reduce the number of people who have any sort of say in your home security.
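Here is an added Python helper (not part of the original post) that does the check described in step 6: feed it the WAN address your own router got from the ISP device and it tells you whether that address falls in one of the three private ranges named above, which is what a second NAT in front of you looks like. It goes slightly beyond the text by also recognising the carrier-grade NAT range 100.64.0.0/10 (RFC 6598), which some ISPs hand out and which bridged mode on the device cannot remove, and the 169.254.0.0/16 link-local range, which means no address was handed out at all. The sample addresses are constructed.

```python
import ipaddress

# The three RFC 1918 ranges the text names.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Carrier-grade NAT (RFC 6598): the ISP itself is NATing you.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# APIPA / link-local: no DHCP lease was obtained at all.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify_wan_address(ip_text: str) -> str:
    """Classify the address a router's WAN port received from the ISP device.

    Returns one of: 'public', 'rfc1918', 'cgnat', 'link-local', 'ipv6', 'invalid'.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if ip.version == 6:
        return "ipv6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip in LINK_LOCAL:
        return "link-local"
    return "public"


ADVICE = {
    "public": "the ISP device is already passing a public address through; nothing to change.",
    "rfc1918": "the ISP device is doing NAT in front of your router (double NAT); "
               "put it in bridged mode, or leave it if everything works.",
    "cgnat": "your ISP itself is NATing you; bridged mode on the device will not remove this layer.",
    "link-local": "no address was handed out at all; the ISP device is not giving you a lease.",
    "ipv6": "IPv6 addresses are not NATed this way; check the IPv4 WAN address instead.",
    "invalid": "not a valid IP address.",
}


def advise(ip_text: str) -> str:
    """One-line verdict plus what to do about it."""
    verdict = classify_wan_address(ip_text)
    return f"{ip_text}: {verdict}: {ADVICE[verdict]}"


if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.7 is a documentation address
    # standing in for a real public one.
    for sample in ("203.0.113.7", "192.168.1.100", "172.31.9.9", "172.32.0.1",
                   "100.72.3.4", "169.254.10.10", "2001:db8::1", "not an ip"):
        print(advise(sample))
```

The 172.32.0.1 sample is there because the 172 range is the one people get wrong: only 172.16 through 172.31 is private, so 172.32.x.x is a public address and means no double NAT.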
7) WPS is broken. It is vulnerable to attack and you don't want it on at all. Specifically, the static 8-digit PIN method of WPS is broken, so if you use a router that does not make use of that method of connecting, such as Apple's AirPort routers, then you can keep it on (I still wouldn't). ISPs are known to have simple PINs that attackers can easily figure out, and even if that were not the case, the 8-digit PIN is easy to brute force since it is actually broken down into 2 separate 4-digit PINs where the 8th digit is a simple checksum.
8) As a home user, WPA2/AES is the most secure method of establishing a wireless network. While TKIP is not entirely vulnerable, it is also not entirely secure. If you are a corporate entity, you might want to consider using a RADIUS server to manage your Wi-Fi (hotels and cruise ships, I am looking at you).
9) Adding _OPTOUT_NOMAP to the end of your SSID does two things. First, _OPTOUT is for Windows 10 computers. Windows 10 allows people to share their passwords on social media so that your friends do not have to type a password in when they come over to your house. While this option must be enabled on your computer, there is nothing preventing any of those "friends" from enabling that feature on their computers and sharing your password. Adding _OPTOUT tells Windows 10 that the password for this network should never be shared across social media.
_NOMAP is for those Google cars. AGPS uses signals from all over the place to refine your GPS location, and Google Maps uses Wi-Fi locations to help fix people to a more exact spot. Adding _NOMAP tells Google that you do not want your wireless router used to aid Google GPS devices. There is very little in terms of security that this does for you; it's just a personal preference.
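Steps 7, 8 and 9 are all settings on the router, so here is one added Python script (mine, not from the post, DD-WRT or Tomato) that audits a hostapd-style configuration for them: WPA2-only mode, CCMP (AES) rather than TKIP, WPS turned off, and an SSID that still fits the 32-byte limit once _OPTOUT_NOMAP is appended. The keys wpa, wpa_pairwise, rsn_pairwise, wps_state and ssid are real hostapd.conf settings; whether a given firmware exposes its configuration in this format is an assumption, and both sample configurations are constructed, one weak and one hardened.

```python
# Constructed sample configs in hostapd.conf style (key=value, # comments).
WEAK_CONF = """\
interface=wlan0
ssid=MyHomeNetwork_is_really_long_OPTOUT_NOMAP
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=MyHome_OPTOUT_NOMAP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wps_state=0
"""

SSID_SUFFIX = "_OPTOUT_NOMAP"
MAX_SSID_BYTES = 32  # 802.11 limit on SSID length


def parse_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and # comments are ignored.

    A later duplicate key overwrites an earlier one.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(text: str) -> list:
    """Return (code, message) findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []

    # Step 8: wpa=2 offers WPA2 (RSN) only; wpa=1 or wpa=3 also accepts WPA1 clients.
    wpa = conf.get("wpa", "0")
    if wpa != "2":
        findings.append(("WPA_MODE", f"wpa={wpa}: set wpa=2 so only WPA2 is offered"))

    # Step 8: no TKIP in either cipher list, CCMP (AES) only.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = conf.get(key, "").split()
        if "TKIP" in ciphers:
            findings.append(("TKIP", f"{key}={' '.join(ciphers)}: allow CCMP only"))

    # Step 7: wps_state=0 (hostapd's default) means WPS is disabled.
    if conf.get("wps_state", "0") != "0":
        findings.append(("WPS", f"wps_state={conf['wps_state']}: disable WPS with wps_state=0"))

    # Step 9: the suffix costs 13 of the 32 available bytes, so check the total.
    ssid = conf.get("ssid", "")
    ssid_len = len(ssid.encode("utf-8"))
    if ssid_len > MAX_SSID_BYTES:
        findings.append(("SSID_LEN", f"ssid is {ssid_len} bytes, limit is {MAX_SSID_BYTES}; "
                                     f"shorten the base name ({SSID_SUFFIX} alone is {len(SSID_SUFFIX)})"))
    if not ssid.endswith(SSID_SUFFIX):
        findings.append(("SSID_SUFFIX", f"ssid does not end in {SSID_SUFFIX} (optional, step 9)"))

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit(conf)
        print(f"{name}: {len(results)} finding(s)")
        for code, msg in results:
            print(f"  [{code}] {msg}")
```

Run against the weak config it reports the mixed WPA/WPA2 mode, TKIP in both cipher lists, WPS enabled and an over-long SSID; the hardened config comes back clean. The SSID suffix finding is only informational, matching the post's point that _NOMAP is a preference rather than a security control.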
10) I feel that this should have been higher on the list. Malvertising is a thing: it does not matter if you go to a benign website; if it serves ads, you might still be exploited. Of course this is part of a bigger discussion of how a free internet is funded. Websites use advertising as income, so some would say that ad blocking is akin to stealing. The way I see it, protecting yourself from malicious actors trumps that notion, and eventually the industry will catch up and find other, safer ways to advertise.
11) Despite many of the previous examples, most companies take an active role in ensuring that their software stays as secure as possible. That being said, you can only keep up with them if you update your software. Update early, update often. Note that update does not necessarily mean upgrade; it is often called the bleeding edge for a reason.
12) AV software is very reactive these days. When everything is a 0-day it is difficult for AV software to have a useful existence. If you do use one, remember to only use it for detection. If your computer finds a virus, you have no way of knowing if it is completely removed, or if there are still active parts of the virus that are simply not known to the AV's definitions. Just be safe and reformat your device. Hopefully you have a backup plan of some sort in order to restore your data.
There are many other ways to secure your home systems; this was just a small list of things you can do to reduce your attack surface. When thinking of cyber security, remember that there is no way of keeping 100% of attackers out; you just want to make it more costly to attack you than it is worth.