Serving as Unofficial Security Support for Family and Friends

By Deb Shinder, Co-owner, TACteam (Trainers, Authors and Consultants)

See other Security MVP Article of the Month columns.

It’s a common dilemma for doctors and lawyers: finding themselves cornered at dinner parties, or called at home, by family, friends, or even minor acquaintances who want to ask for professional advice. Almost everyone has a health issue or a legal problem now and then, and when we do it's natural to seek out people who we know have expertise in the field.

Today, almost everyone has an Internet-connected computer, too. If you’re an IT professional, chances are that—unless you’ve kept your job a secret from everyone you know—you’re often asked to provide unofficial technical support for people in your family or in your social circle. Not so long ago, this tended to be primarily a reactive role; you got the call when the hardware or software stopped working. Computer users—especially home users—didn’t give much thought to securing their systems… until recently.

Now, however, thanks to the barrage of publicity surrounding high profile attacks and breaches, even Grandma is worried about protecting her computer from hackers and viruses. This means that you’re now likely to be asked to take a more proactive role in helping those around you to practice preventative medicine to protect their computers, home networks, and data.

Tailoring the Solution to the Environment

Sometimes the solutions that you suggest will be the same as those that you deploy in the business environment, but there are differences, too. As a security professional, you might like to see every home network running Microsoft Internet Security and Acceleration (ISA) Server at the edge, with domain-based access controls and with Microsoft System Center Data Protection Manager 2007 for continuous backup, but you know that this isn't economically feasible or even, in many cases, desirable.

In computer security, as in physical security, solutions must be tailored to fit the budget, capabilities, and even the philosophical mindset of the particular person or company. Even if it were affordable, the average person has no need or desire for a personal bodyguard, bulletproof windows, or a laser beam motion detector based alarm system. Those are reserved for big businesses, celebrities, or heads of state. Likewise, the typical home user’s computer security needs are much more modest than those of the typical enterprise.

The primary factors that you need to keep in mind when making security recommendations to family, friends, and acquaintances include:

  • Threat level and risk assessment

  • Cost

  • Complexity

  • Usability and accessibility

Let’s take a look at each of these in more detail.

Threat level and risk assessment When a friend or family member asks for advice about securing home or small business computers, you probably won’t be able to perform a detailed formal threat analysis, but you should ask a few questions to help to determine whether the threat level is high, medium, or low. For example:

  • How is the system or home network connected to the Internet? “Always on” connections such as DSL, cable, or Fiber Optic Service (FiOS) present more of a threat than dial-up connections do, simply because there’s more exposure to possible attackers.

  • How many hours per day is the system turned on? Again, the greater the amount of time the system is exposed, the greater the potential for successful attacks.

  • What operating system is being used? In general, older operating systems are less secure than newer ones.

  • What software is used on the system and on the network? A system that’s only used to create word processing documents, check e-mail, and visit a handful of the same, safe Web sites is at much less risk than one that’s used for peer-to-peer file sharing with strangers and for visiting sites that are more likely to contain malicious controls or scripts (such as pornography sites, pirated software or "warez" sites, MP3 sites other than legitimate music outlets, and so forth).

After you’ve ascertained the threat level, you need to assess what is at risk. If an attack does occur, what would the cost (in terms of money, time, inconvenience, and even emotional impact) be? For example:

  • In a worst case scenario, having to reinstall the operating system and applications would be inconvenient. It would cost time and perhaps a bit of money if the user has to pay someone else to do it.

  • If the user keeps irreplaceable photos, personal letters, and such on the computer, losing these could cause the user significant emotional distress.

  • If the user keeps personal financial information, bank and credit card passwords, and other data on the computer that could be used for identity theft, an intrusion could be financially devastating.

  • If the user brings work home and keeps company data on the system or connects to the company network from the system and has a VPN connection set up, a successful attack could result in loss not just to the user but also to the company (and could perhaps even cause the loss of the user’s job).

Determining the threat level and what’s at risk can help you to make realistic recommendations that fit a friend’s or family member’s particular situation. If both the threat level and the risk are low, basic security mechanisms that are built into the operating system, and freeware antivirus protection, may be sufficient. If the threat level is high, or if there’s more at risk, you can justify spending more time and money on protection.

Cost Money can be a sensitive topic, especially when dealing with friends and family members. After investing in a computer and software applications, most people don’t want to be told they need to spend a lot of extra cash for security software or hardware.

Companies recognize the importance of security these days, and many are under compliance mandates from government or industry organizations so they have no choice but to spend money on security. Meanwhile, the home users and small business owners who ask for your “unofficial” advice may have very limited budgets. That’s why many of the solutions that would automatically come to mind for medium or large companies aren’t appropriate here.

Complexity Even if cost is no object, you need to take the user’s technical abilities into consideration. Unless you want to end up spending even more of your time providing ongoing technical support, you’ll want to recommend security solutions that are simple enough for your less tech-savvy friends to configure and maintain by themselves.

While you might be running the Windows Server 2008 operating system on your home network, you're an IT pro. Deploying a Windows domain and using Group Policy to lock it down is going to be beyond the capabilities of typical home users, even those who can afford to spend the big bucks for the extra hardware and for Windows Server. Unless your friends and family members are technical whizzes (and, if they were they probably wouldn’t have had to ask for your advice), the rule of thumb is: keep it simple.

Usability and accessibility Yes, home users are growing more concerned about security, but for most the main priority is still usability. Just as they aren’t willing to live in a windowless, underground house to get the best protection against burglars, so they don’t want to deal with a locked-down computer that they have to fight with in order to get anything done. For friends and family, the more transparent the security is, the better.

Best Solutions for Friends and Family

Keeping all this in mind, let’s look at three different scenarios:

  1. Security solutions that you can feel comfortable recommending to friends and family members when the threat and risk levels are low, and when the budget is, too.

  2. Security solutions for situations where the threat and risk levels are high and the user is willing to spend extra money for security.

  3. Security solutions for friends and family members with more technical knowledge and those who have more money to spend on security solutions.

What about those who fall in the middle? In that case, you’ll probably want to combine solutions from the different categories, recommending some no or low cost and easy solutions along with some solutions for which the user has to pay a bit more or needs a moderate amount of technical knowledge.

Low threat, low risk solutions Even when both threat and risk are low, users need to take some steps to protect their systems. In many cases, this can be done at little or no extra cost. Here are some suggestions for friends and family members in this situation:

  • Run the newest operating system. A surprising number of home users are still running old, insecure Windows 9x-based operating systems, and that’s a security risk. Upgrading will obviously cost some money, but if the operating system is that old, it’s actually likely that the user really needs a new computer. Hardware vendors are offering new systems at amazingly low prices, under U.S.$500. If your friends and family members can possibly afford it, they’ll find many benefits, in addition to security, in buying a new computer that runs the Windows Vista operating system. If their computers have Windows XP installed, make sure that they’ve applied Windows XP Service Pack 2 (SP2).

  • For those users who are already running Windows XP or Windows Vista, one of the most important things they can do related to security is to keep the operating system and software up-to-date. This is easy to do with Windows Update, but some people turn it off. Impress on them the importance of updating to patch newly discovered vulnerabilities. If they run Microsoft Office, they should also use Microsoft Update or Office Update.

  • Use a firewall. The Windows XP SP2 firewall and the Windows Vista firewall provide good basic host-based firewall protection at no extra cost. Those users who have DSL or cable Internet connections may have routers that include built-in firewalls. Ensure that those firewalls are also turned on and configured properly.

  • Use antispyware protection. Windows Defender is built into Windows Vista and can be downloaded for Windows XP.

  • Use antivirus protection. Antivirus protection isn’t built into the Windows operating system, so users will need to install a third-party program. There are several, such as AVG and Avast, that are free for non-commercial use. Make sure that the antivirus program is set to automatically update the software and to download new virus definitions, and also to automatically scan for viruses, including scanning e-mail.

  • Use strong passwords for logon (at least 8 characters, mixing uppercase and lowercase letters and digits). Make the password something that is easy to remember without having to write it down. Don’t enable automatic logon; it stores the password on the machine and lets anyone who powers it on straight in. Use a password-protected screen saver and a basic input/output system (BIOS) password if other users have physical access to the computer.

  • When running Windows XP, turn off Simple File Sharing (the option exists only in Windows XP Professional; Windows XP Home Edition always uses it), rename the Administrator account, and disable the Guest account. Advise users not to log on as an administrator in Windows XP for everyday computing: create a Limited account for daily use and keep the administrator account for installing software and updates.

  • Disable unused and unnecessary services. Less technically savvy friends may need you to help them with this so as to not disable needed services. Be sure that Remote Desktop is disabled if the user won’t be using it. Uninstall programs that come preinstalled on the computer that are never used, especially those that connect to the Internet. Hardware vendors often install many extra applications and some of these can present opportunities for hackers and attackers.

  • Turn off HTML mail. Users should not follow hyperlinks or URLs in e-mail messages or instant messages (IMs) from people they don’t know well. They should log off IM programs when they’re going to be away. They can block file sharing in IM programs and should consider blocking IMs from people they don’t know.

  • Don’t configure the web browser to remember account names and passwords to log onto sensitive Web sites such as banking or credit card sites.

  • Make sure that encryption is enabled on wireless networks, and change the default settings (the administrator password and SSID). Disabling service set identifier (SSID) broadcasting keeps the network out of the neighbors’ network lists, but it is not a security control by itself: the SSID is still sent in the clear whenever a client connects, so it is the encryption that actually protects the traffic.
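
The following PowerShell script is an added example written for this column, not a Microsoft tool or anything the original article shipped. It audits a Windows XP or Windows Vista PC against the checklist above and reports each item with its fix. It assumes PowerShell 2.0 or later, reads the registry values and WMI classes those versions use (the paths are the standard ones, not invented here), and should be run as the account the person uses day to day. The Administrators-group check reads group membership through WMI rather than the current token, so it gives the right answer even when Vista’s User Account Control has stripped the administrator group from the running process.

```powershell
# Added example, not from the original column. Audits a Windows XP/Vista home PC
# against the low-threat checklist and reports what still needs attention.
# Assumes PowerShell 2.0+ and that it is run as the everyday user account.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function New-Check([string]$Name, [bool]$Pass, [string]$Fix) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Fix = $Fix }
}

function Test-HomePcBaseline {
    $checks = @()

    # Windows Firewall, standard (non-domain) profile: 1 = on.
    $fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
    $checks += New-Check 'Windows Firewall on' ($fw -eq 1) 'Control Panel > Windows Firewall > On'

    # Automatic Updates: AUOptions 4 = download and install automatically.
    $au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
    $checks += New-Check 'Automatic Updates fully automatic' ($au -eq 4) 'Windows Update > Install updates automatically'

    # Automatic logon skips the logon screen and keeps the password on disk.
    $auto = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AutoAdminLogon'
    $checks += New-Check 'Automatic logon disabled' ($auto -ne '1') 'Set AutoAdminLogon to 0 and remove DefaultPassword'

    # Remote Desktop listener: fDenyTSConnections 1 = connections refused.
    $rd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $checks += New-Check 'Remote Desktop disabled' ($rd -eq 1) 'System Properties > Remote > untick Remote Desktop'

    # Simple File Sharing (XP Professional): ForceGuest 1 maps every network logon to Guest.
    $fg = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'ForceGuest'
    $checks += New-Check 'Simple File Sharing off' ($fg -ne 1) 'Folder Options > View > untick Use simple file sharing'

    # Local accounts: Guest disabled, built-in Administrator (RID 500) renamed.
    $local = @(Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True')
    $guest = $local | Where-Object { $_.Name -eq 'Guest' }
    $checks += New-Check 'Guest account disabled' (($guest -eq $null) -or $guest.Disabled) 'net user Guest /active:no'
    $admin = $local | Where-Object { $_.SID -like '*-500' }
    $checks += New-Check 'Administrator account renamed' (($admin -ne $null) -and ($admin.Name -ne 'Administrator')) 'Local Users and Groups > rename Administrator'

    # Screen saver must be on and must ask for the password on resume.
    $ssOn  = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaveActive'
    $ssSec = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure'
    $checks += New-Check 'Password-protected screen saver' (($ssOn -eq '1') -and ($ssSec -eq '1')) 'Display Properties > Screen Saver > On resume, password protect'

    # Everyday account should not be in Administrators. Group membership is read
    # from WMI so UAC's filtered token does not hide it. Group name is English.
    $adminMembers = Get-WmiObject Win32_GroupUser |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
        ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"') { $matches[1] } }
    $isAdmin = $adminMembers -contains $env:USERNAME
    $checks += New-Check 'Everyday account is not an administrator' (-not $isAdmin) 'Create a Limited/Standard user for daily use'

    return $checks
}

Test-HomePcBaseline | Format-Table Check, Pass, Fix -AutoSize
```

Hand the output to the user as a to-do list: anything with Pass set to False has its fix in the third column, and running the script again after the changes confirms nothing was missed.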

High threat, high risk solutions In addition to all of the above, users in higher threat or higher risk situations should implement some or all of the following:

  • Use the most secure edition of the operating system. The editions that are made for business use include more security features than those that are designed for home use. Home users in high threat, high risk situations can benefit from running Windows XP Professional, Windows Vista Business, or Windows Vista Ultimate rather than Windows XP Home Edition or Windows Vista Home Basic or Home Premium.

  • Subscribe to a security service such as Windows Live OneCare, or use a more sophisticated, for-pay antivirus program such as those that are available from Kaspersky Lab, Symantec, McAfee, and other security companies.

  • Use stronger passwords or passphrases (12 to 14 characters, uppercase and lowercase alpha, numeric, and symbols). Users should be advised to change passwords frequently (for example, monthly).

  • Format all disks with the NTFS file system. Set file level permissions on sensitive files.

  • Use the Encrypting File System (EFS) to encrypt sensitive files. Encrypt the temporary folder and other folders that may hold copies of sensitive data. EFS is available in Windows XP Professional and in Windows Vista Business, Enterprise, and Ultimate, not in the Home editions. Encrypted files become unreadable if the user’s EFS certificate is lost (after a reinstall, or after an administrator resets the account password), so have the user export the certificate and private key and keep that backup somewhere other than the encrypted drive.

  • If a user is running Windows Vista Ultimate (or Enterprise) on a portable computer, it is a good idea to use Windows BitLocker Drive Encryption to encrypt the full disk in case of loss or theft. BitLocker needs a Trusted Platform Module (TPM) 1.2 in the machine or, failing that, a USB startup key, and it generates a recovery password when it is turned on. Make sure that password is printed or saved somewhere other than the laptop itself; without it, a forgotten PIN or a motherboard replacement locks the user out of the drive.

  • Set the web browser to not run scripts, ActiveX controls, and other active content by default.

  • If the user uses a VPN to connect to a work network, don’t set it up to remember the user name and password.

  • Don’t use Wired Equivalent Privacy (WEP) encryption on wireless networks, even though many routers still offer it as the default; WEP keys can be recovered in minutes with freely available tools. Instead, use Wi-Fi Protected Access (WPA), preferably WPA2, with a long passphrase.
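
The script below is an added example for this column, not code from Microsoft or from the original article. It applies the file-level measures above to one folder of sensitive data on Windows Vista (NTFS check, permissions, EFS, certificate backup) and then audits the saved wireless profiles for WEP or open networks. Assumptions: an elevated prompt, an edition that includes EFS (Business or Ultimate), English-language netsh output (the regular expressions match English labels), and the folder path and the E:\ backup destination are placeholders to replace.

```powershell
# Added example, not from the original column. Hardens one folder of sensitive
# data on Windows Vista and audits saved wireless profiles for WEP/open networks.
# Assumptions: elevated prompt, EFS-capable edition, English netsh output;
# the folder and backup paths at the bottom are placeholders.

function Get-NonNtfsVolumes {
    # EFS and file permissions need NTFS; FAT32 volumes have neither.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object { "$($_.DeviceID) is $($_.FileSystem): run  convert $($_.DeviceID) /fs:ntfs" }
}

function Protect-SensitiveFolder([string]$Path, [string]$Owner) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Stop inheriting the parent's ACEs and grant only the owner and SYSTEM.
    # (OI)(CI) make the entry apply to files and subfolders; /T rewrites existing ones.
    icacls $Path /inheritance:r /grant:r "${Owner}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' /T | Out-Null
    # EFS-encrypt the tree; files created here later inherit the encrypted attribute.
    cipher /e /s:$Path | Out-Null
    # The article also recommends the temp folder, where applications leave copies.
    cipher /e /s:$env:TEMP | Out-Null
    # cipher lists each entry with E (encrypted) or U (unencrypted).
    cipher /s:$Path
}

function Backup-EfsCertificate([string]$Destination) {
    # Without this certificate the files are unrecoverable after a reinstall or an
    # administrator password reset. cipher /x prompts for a password and writes
    # <Destination>.pfx; the destination should be removable media, not the PC.
    cipher /x $Destination
}

function Find-WeakWirelessProfiles {
    # Every saved profile whose authentication is Open or whose cipher is WEP
    # should be deleted and the router moved to WPA2.
    $names = netsh wlan show profiles |
        Select-String 'All User Profile\s*:\s*(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    foreach ($name in $names) {
        $detail = netsh wlan show profile "name=$name"
        $auth = $detail | Select-String 'Authentication\s*:\s*(.+?)\s*$' | Select-Object -First 1
        $ciph = $detail | Select-String '\bCipher\s*:\s*(.+?)\s*$' | Select-Object -First 1
        $authValue = if ($auth) { $auth.Matches[0].Groups[1].Value } else { 'unknown' }
        $ciphValue = if ($ciph) { $ciph.Matches[0].Groups[1].Value } else { 'unknown' }
        $weak = ($authValue -match '^Open') -or ($ciphValue -match 'WEP')
        New-Object PSObject -Property @{
            Profile = $name; Authentication = $authValue; Cipher = $ciphValue; Weak = $weak
        }
    }
}

# Placeholders: adjust for the user's data location and a removable drive.
$folder = Join-Path $env:USERPROFILE 'Documents\Financial'
Get-NonNtfsVolumes
Protect-SensitiveFolder -Path $folder -Owner $env:USERNAME
Backup-EfsCertificate -Destination 'E:\efs-backup'
Find-WeakWirelessProfiles | Format-Table Profile, Authentication, Cipher, Weak -AutoSize
```

On Windows XP the same folder protection is done with cacls instead of icacls and the wireless check has to be done by hand in the Wireless Network Connection properties, since netsh wlan arrived with Vista.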

Solutions for more technically savvy or higher budget users If you have friends or family members who have a bit more technical sophistication and/or bigger budgets, you might make the following recommendations:

  • Turn on auditing of logon events so that successes and failures are written to the Security log (viewable in Event Viewer), and review that log regularly; a run of failed logons for one account is the kind of thing a home user would otherwise never notice.

  • Use a dedicated edge firewall for the home network. There are a number of low cost hardware-based firewalls on the market.

  • Set up a Windows Home Server computer for storing data in a centralized location where it can be more easily secured and backed up.
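
As an added example, not part of the original column, the PowerShell below turns on logon auditing on Windows Vista and then summarizes failed logons from the Security log, so the regular log review suggested above becomes a single command. Assumptions: an elevated prompt (the Security log is readable only by administrators), English event text for the account-name parsing, the event IDs 4625 (Vista) and 529 to 539 (XP) as Windows documents them, and a threshold of five failures per account that is an arbitrary starting point, not a Microsoft recommendation. The constructed sample message at the end is made up to exercise the parser offline; it is not a real event.

```powershell
# Added example, not from the original column. Enables logon auditing (Vista)
# and summarizes failed logons per account from the Security log.
# Assumptions: elevated prompt, English event text, threshold is a guess.

function Enable-LogonAuditing {
    # Vista ships auditpol. XP does not: use secpol.msc > Local Policies >
    # Audit Policy > Audit logon events (Success, Failure) instead.
    auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable | Out-Null
    auditpol /set /category:"Account Logon" /failure:enable | Out-Null
    auditpol /get /category:"Logon/Logoff"
}

function Get-FailedLogonAccount([string]$Message) {
    # Vista 4625: the target account follows "Account For Which Logon Failed:"
    # (the "Subject:" block above it also has an Account Name line, so anchor there).
    if ($Message -match '(?s)Account For Which Logon Failed:.*?Account Name:\s+(\S+)') { return $matches[1] }
    # XP 529-539: a single "User Name:" line.
    if ($Message -match 'User Name:\s+(\S+)') { return $matches[1] }
    return '(unparsed)'
}

function Get-FailedLogonSummary([int]$Days = 7, [int]$Threshold = 5) {
    $failureIds = 4625, 529, 530, 531, 532, 533, 534, 535, 539
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-EventLog -LogName Security -EntryType FailureAudit -After $since -ErrorAction SilentlyContinue |
        Where-Object { $failureIds -contains $_.EventID }
    $events |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Account = Get-FailedLogonAccount $_.Message
            }
        } |
        Group-Object Account |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account    = $_.Name
                Failures   = $_.Count
                LastSeen   = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
                Suspicious = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample (not a real event) in the shape of a Vista 4625 body,
# to show the parser picking the target account rather than the subject.
$sample = "An account failed to log on.`r`n`r`nSubject:`r`n`tAccount Name:`t`t-`r`n`r`n" +
          "Account For Which Logon Failed:`r`n`tSecurity ID:`t`tNULL SID`r`n`tAccount Name:`t`tbob`r`n"
Get-FailedLogonAccount $sample

Enable-LogonAuditing
Get-FailedLogonSummary -Days 7 | Format-Table Account, Failures, LastSeen, Suspicious -AutoSize
```

A scheduled task that runs the summary weekly and writes it to a file the user actually looks at does more good than auditing that nobody reviews; on a single-user home machine, any account in the Suspicious column other than the owner mistyping a password is worth a phone call.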

Conclusion

As home computing becomes more complex, security issues become more challenging. Be sure that your friends and family members recognize the importance of securing all devices that connect to their home networks, including media devices, gaming consoles, and so on.

If you’re an IT security professional who is asked to serve as security advisor for friends and family, your biggest challenge may be in learning to think “outside the box” of the business world and tailoring your security recommendations to meet the needs and limitations of the home or very small business environment. Remember that one size (or one set of security recommendations) doesn’t necessarily fit all, but there are some basic security measures that everyone should practice in today’s Internet-connected world of computing.