Considering that one of the National Security Agency’s (NSA) primary missions is to conduct electronic espionage, it stands to reason that it knows a thing or two about network security.
As it turns out, the NSA’s Information Assurance Directorate (IAD) publishes a technical guide called Best Practices for Securing a Home Network. Don’t let the name fool you, however — much of the information it contains is equally applicable to small business networks as well as home ones.
Some of the NSA’s security recommendations seem like common sense, but many are also commonly ignored. Read on for 10 of the NSA’s tips; how many do you comply with?
You’ve undoubtedly heard this one before, but are you actually doing it? All network devices (routers, NAS drives, printers and so on) should be configured with strong passwords. That means at least eight characters, with mixed case letters, numbers and/or symbols, and no proper names or dictionary words.
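To make those password rules concrete, here is an added Python example (not from the NSA guide or this article) that checks a candidate password against them: minimum length, mixed case, a digit or symbol, and no dictionary word or proper name. The word and name lists are small constructed samples, and the character-substitution table is an assumption about the common "leetspeak" swaps that password-cracking wordlists routinely undo, so "P@ssw0rd" is still flagged as containing "password".

```python
import string

# Constructed sample lists; a real check would load a full dictionary file
# (e.g. /usr/share/dict/words) plus a list of first names and vendor names.
SAMPLE_DICTIONARY = {"password", "admin", "router", "office", "summer", "welcome", "letmein"}
SAMPLE_PROPER_NAMES = {"john", "mary", "linksys", "netgear"}

# Assumed common substitutions; cracking tools apply these as rules, so a
# password that only "disguises" a word this way gains almost nothing.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8        # the guide's "at least eight characters"
MIN_WORD_LENGTH = 4   # ignore very short words to limit false positives


def normalize(password):
    """Lower-case the password and undo common digit/symbol substitutions."""
    return password.lower().translate(LEET_MAP)


def contains_word(password, words):
    """Return the first (alphabetically) listed word found inside the
    normalized password, or None if no word is present."""
    norm = normalize(password)
    for word in sorted(words):
        if len(word) >= MIN_WORD_LENGTH and word in norm:
            return word
    return None


def check_password(password, dictionary=SAMPLE_DICTIONARY, names=SAMPLE_PROPER_NAMES):
    """Return a list of policy violations; an empty list means the password
    satisfies every rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("needs at least one digit or symbol")
    word = contains_word(password, dictionary)
    if word:
        problems.append(f"contains dictionary word '{word}'")
    name = contains_word(password, names)
    if name:
        problems.append(f"contains proper name '{name}'")
    return problems


if __name__ == "__main__":
    for candidate in ("summer", "P@ssw0rd1", "Router2013", "Tq7#vmL9xZ"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that a password can pass the character-class rules and still fail: "P@ssw0rd1" is nine characters with mixed case, a symbol and digits, yet once the substitutions are undone it is just "password". That is the check most home-grown strength meters skip, and the one that matters most against a dictionary attack.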
Virtually all routers have a remote administration feature that lets you log in to view or modify network settings from the Internet. To minimize the risk of an unauthorized outsider gaining access to your network, you should disable remote administration so administrative chores can only be performed from inside the network.
Many small business networks rely on their ISPs for DNS (Domain Name System) service, which lets you access websites and other Internet resources with friendly names like www.smallbusinesscomputing.com rather than obscure, numbers-only IP addresses. Switching to a third-party DNS service such as OpenDNS tends to provide faster browsing performance, and it enhances security by blocking access to sites that may be infected with malware. (Note: GFI Software recently discontinued its ClearCloud DNS service, and Google’s Public DNS service doesn’t currently offer any malware protection.)
You probably already know that securing your Wi-Fi network with WEP encryption is barely better than none at all. But even the vastly superior WPA is surprisingly vulnerable to intrusion, particularly when short and/or dictionary-based passphrases are used.
To maximize the security on your wireless network, stick with WPA2; it uses AES encryption, which is far stronger than the TKIP (Temporal Key Integrity Protocol) method commonly used by WPA. Be aware of two caveats, though: first, some non-PC Wi-Fi devices may not support WPA2 (firmware updates may address this). Also, WPA2 consumes more computational power than WPA, so it could degrade the speed of your wireless network when used with older access points and/or PCs.
These days, many ISPs provide cable/DSL modems with built-in router, Ethernet switch, and Wi-Fi access point. These all-in-one devices may be convenient, but they can leave the security of your network in the hands of your ISP rather than yours. (Many ISPs limit your ability to update firmware or view or change configuration options on hardware they provide.)
Rather than running your network on a device that you don’t own or fully control, supply your own router/wireless access point and disable those functions on your ISP’s equipment.
Be sure to update your third-party programs when prompted to, and if programs don’t remind you, manually check for updates from time to time. True, these updates often include new features you may or may not care about, but they often deliver critical security patches behind the scenes as well. For a helping hand, check out Secunia Personal Software Inspector (PSI), which scans the programs installed on your Windows system and lets you know which ones need security updates (and provides download links).
Microsoft Office is a small business staple, but if you’re still using Office 2003 (and plenty of offices are), take heed, because Office 2003 documents use a binary file format that can execute potentially malicious code when you open them. The XML file formats used by the newer Office 2007 and 2010 versions, on the other hand, greatly reduce this problem, and Office 2010 includes a Protected View that opens potentially risky files — such as email attachments and files downloaded from the Internet — in a read-only mode.
Laptops are easily lost or stolen and when that happens, standard password protection may not be enough to keep a determined thief from gaining access to your sensitive data. Full Disk Encryption (FDE), on the other hand, gives you an added layer of protection by securing not just specific files or folders but the entire contents of the computer, including the operating system.
Windows 7 offers built-in full disk encryption as part of its BitLocker feature, though it’s only available in the Enterprise and Ultimate editions. (You can upgrade a lesser version of Windows 7 to Ultimate via the Windows Anytime Upgrade.) Otherwise, there are a number of third-party full disk encryption products available, including Jetico’s BestCrypt and the free, open-source TrueCrypt.