Personal Computer and Network Security

By James Panter

When discussing computer security, there is one constant, threats are ever changing; new programs are developed, new updates are released, and hardware upgrades are constantly being researched. To combat threats to personal computer and network security users must deploy a wide range of tactics. These tactics, once employed correctly, will empower any average user to feel confident that they are doing everything required to be safe while using the network on their personal computer system. And the full integration of these tactics, deployed simultaneously, will ensure complete confidentiality, integrity, and availability of personal computers and networks.

The topic of what tactic should be employed first can not be readily defined. There needs to be a basic understanding, that security threats come from multiple sources. The defense tactics covered here will be: updates, user accounts, passwords, Anti-Malware (Viruses), OS tools and web browsers, backups, upgrades, and LAN Security. It must be understood that this paper will not be endorsing any particular program, and relies on the user to have a certain skill regarding installing and changing objects. This paper also assumes that the user is either using a Windows computer or a popular GNU/Linux flavor. Most of the tactics contained here will cover across platforms, but software requirements will vary according to each individual system.

All devices that are attached to the network, and especially the Internet, should always be fully updated. Some tactics described here require proper updating to be most effective, especially when considering system updates. Many security fixes and patches are included with new system installs and software should be updated as soon as available. Updates are not the same as upgrades (which will be covered later) and as such rarely require purchase, they are parts of the programs already installed on the system and have already been covered by license. End user license agreements and release notes cover information changed, important information regarding usage rights, and distribution permissions.

All modern computer systems employ a multi-user environment, and all users of a computer should have a corresponding user account. Many home users choose to only deploy one user account for the entire household, resulting in a fundamental breakdown in PC security. If taken into account that the "main" user profile on a home PC has administrator privileges; any threat, introduced by any user, has access to the most important files on the PC. GNU/Linux systems aren't nearly as vulnerable by default, but should follow the same conventions due to major implicit deny opportunities.

When selecting account types, selections presented are typically straight forward, and it should be known that there needs to only be ONE administrator

account per computer. Being a "power user" is not an account downgrade when the power to escalate privileges is readily available, it merely makes for another line of defense. Also, the "guest" account deserves some mention; guest accounts allow a random person access to the basic functions of the system and have no power to change parts of the system, either intentionally or not (including Internet access). It is a good practice to employ a guest account if you are likely to encounter unauthorized users.

Multiple users should especially be employed when permitting children to operate the fully functional PC. There are certainly files that children should not have access to, and guest user accounts limit access to these by default. Access control for minors should also be restricted by program, access time, and content. Many students will need access to word processing, spreadsheet, and web browsing software; and access to these services should be closely monitored by responsible, knowledgeable adults.

User accounts require strong passwords to be secure. This tactic applies to the local PC user as well as accounts established on the World Wide Web. Strong passwords can only be secure if they can be kept secret. Passwords should never be given out or written down and left in easily accessible areas. It is, however, good practice to write down complicated passwords to familiarize yourself with them, but to also secure that in a safe location for future reference, or in case accounts must be accessed by others in an emergency. Strong,

secure passwords will be complicated when viewed on a character by character basis. Strong passwords, by moderns standards, will be no less than 8 characters long and will contain an assortment of upper and lowercase letters, digits, and special characters (achieved by holding shift and pressing a number key). Passwords should not be words that can come from a dictionary or strings of numbers in succession. Also, passwords (even strong ones), should never be based on any personal information. Personal information includes many subjects, including: phone numbers, addresses, names, children names/ birthdays/years, pets information, and especially social security or bank account numbers. Not only will passwords based on personal information make it easier for personal threats to obtain user information, but if the password is cracked, it gives an attacker much more information to use to manipulate a user identity.

However confusing modern password tactics can be, something called a pass-phrase can make remembering easier. A pass-phrase will allow a user to remember complicated strings of numbers, letters, and characters because of the associative nature of the concept. To demonstrate we will use the string of: P@s$w()rD. To those versed in leetspeak or text talk this example looks like the dictionary word password, and is one of the de facto DO NOT USE passwords because of this pass-phrase correlation. Although this example qualifies as a strong password, it is only used to illustrate the idea of a passphrase. By using a pass-phrase: "$Un4h1N#" can be read to a clever user as "sunshine." Notice the $, 4, 1, and # are just manipulation of syntax. The

password used the $ for a substitute "s", so it is easy to replace $ with 4. The 1 stands in for an i, and the pound does another double substitution, the e becomes a 3 and that is substituted by the #. Making the password harder to remember if viewed by an observer. 7ry&H1S!

Once a strong password has been established, according to the aforementioned tactics, it is very difficult to crack with a brute force attack. Such an attack could take thousands of hours of processing power to crack, a resource no attacker is willing to invest for a single password. An easier option for crackers is to somehow deploy a malicious key-logging program onto a computer system. Such software is readily sold in stores and is useful for companies and schools to monitor productivity in their environments. The widespread availability of these types of programs, along with their relatively small size and ease of use, allows an attacker to embed the malware into a Trojan (named for the famous horse of Greek Legend to indicate a harmful package inside a trophy object). Trojans resemble seemingly harmless programs, possibly promising to adjust the mouse cursor, and/or allow the unsuspecting user access to a variety of vanity accessories. Such accessories are rarely if ever delivered, having access to the system is the only purpose of these virus'. Some rootkits are deployed by Trojans, rootkits hide in the host and can act as a beacon to alert the attacker. Another popular tactic for crackers is to develop a program that looks and acts much like an anti-virus program or a registry modifier (cleaner). Once these programs are installed they will usually

expect the user to enter a credit card or other personal information before cleaning the [enormous amount of] infections. Many quality AV/AM programs are free, or allow a user to deploy and operate them, to ensure security, before purchasing.

The average home user will often times not know when malicious software is in effect if there is no anti-malware software installed. When deployed properly, anti-virus and anti-malware are crucial defense mechanisms for the home user. If a computer has access to the Internet, some sort of AV/AM tactic should be deployed. Quality AV software will actively scan files for virus signatures to ensure security, even if the computer is not being used. It will also detect and defeat attempts to corrupt file systems and prevent virus reproduction. Virus signatures are constantly updated and are stored in a central database on-line. All AV/AM software must be regularly updated to achieve the best protection available.

Many Anti-Malware programs also incorporate a form of a firewall. A firewall prevents unwanted access to attackers by limiting the number of ports that can be accessed by the network. All popular platforms can support multiple firewalls and they can be found in a variety of places including hardware versions beside routers and switches. In a regular PC environment a firewall is by default, enabled, allowing real-time protection "just out of the box." Windows firewall is controlled by Windows defender and the User Account Control (UAC).

UAC is a Windows only program and is another tactic enforcing the multi user environment. UAC receives permission from the user to allow actions to be taken. Every decision made on a Windows PC is passed through the UAC, from login to log-off. It sort of enables a user a last line of defense before deploying potentially harmful programs and prompts every time the user opens a program not already cleared by the access control list (not covered here). Users can become frustrated with this aspect of the program, often allowing everything that says "ok" or even turning off the UAC altogether. Users with higher levels of permissions receive fewer UAC warnings, and higher UAC control. While lower permission settings, such as those of a standard user, allows the UAC to prompt for higher credentials if faced with unauthorized activation or changes. UAC controls the ports available to the windows system through the firewall and when a malicious program is allowed access through, is given full functionality in the system environment. The Windows Firewall, along with Windows Update and UAC can be accessed through the Control panel.

The ability to just uninstall programs is another widely deployed tactic, and the uninstall programs feature is also part of the control panel (in a GNU/Linux system, the package manager does this). When a user feels compromised, a mere uninstall of the last program run has great potential to cure the problem (plus a virus scan for good measure). Many spyware plug-ins and ad-ware Trojans can be discovered by trying to uninstall the programs that delivered

them. A user curious could even play Cybercop with the information that displays on such failed uninstall attempts.

Modern browsers and networking technologies are designed with security tactics in mind. When a browser encounters a potentially malicious web page or download (based on certificates and other information) it will prompt the user to not go further. Also, when a web page is not secure an indicator is usually displayed in the browser (normally an open lock, or a prompt asking to display non secure items). Normal web pages, without forms nor requiring input from the user, can be served insecurely and have no effect on the end-user. However, when a web page does meet that criteria, a more secure protocol, called https, should be employed. An average user can check this by reading the beginning of the web address, http is not secure, when https, is. Https is likely to be encountered on most user websites, it is only when users stray into articles, untested links, and blogs that the protocol should be closely observed. This means that users need to always be aware of the exact site they are visiting and what links lead where. A general guideline for users to follow would be to always manually type in the web address, or only click trusted links (many word processing programs can create links and allow a user to keep a trusted list. Copy and paste works well for this).

Information Security has a definition for information, it must be available for the client to access. The basic idea of this is, "will the file be there when the

user requests it?" To ensure files are always available to access, a good tactic to deploy is a backup plan. Backups are very useful if the computer system is in danger of compromise or if a user decides to upgrade. Backups can be done in real-time using complicated programs across arrays of hard drives (for redundancy, a cornerstone of the availability concept), backing up tetra-bytes of data at a time. The average home user may never see this type of backup being done. However, if that user uses a cloud service to upload files for backup (a very viable and logical solution) they are in fact using that method. Many users will simply burn images and audio files to a CD or DVD rROM, allowing short term backup options. The most secure, and possibly simplest way to backup files, as a home user (companies may have a policy against personal backups of company files), is to copy and paste files onto a flash drive (thumb drive, SD card) or an external usb solid state drive. This technology is very stable if powered down and stored in correct conditions. Large corporations employ backups using this method, then store the data in sealed vaults. SD cards are available in an array of large data sizes in a relatively small card. A standard jpeg photo takes ~1/1000th of 1GB, allowing hundreds of photos to be securely stored for a great many years. Remember that backups are only useful if carried out and regularly updated.

Updated software is only good for as long as the hardware is viable and free of defect. Hardware (hard disks, video cards, ram, etc.) is machinery and like all machinery, is prone to wear and tear. Many home users will elect to

upgrade their computer system if a catastrophic hardware failure is encountered. To ensure the data and information security through out the upgrade process, users should always remember to read all documentation and license information that comes with their new hardware. Many times hardware will only be compatible with certain other pieces of hardware (namely, the CPU/GPU and Processor/Socket relationships), and in these cases a trained technician should be consulted. The average life of hardware is approximately 5 years, this does not mean a hard drive will not fail after 6 months or a motherboard won't last 10 years, it is just an indication that a PC is made of many hardware components and they will fail at one point or another. Hard disk drives are notorious for failing, and this understanding prompts the action of regular backups and secure data storage. Many times, if a rootkit is allowed into a computer's boot record, the only recourse is to completely format the hard drive, meaning a complete loss of data on that drive. Virus' have also been known to burn out motherboards, video cards, hard disks, and RAM. When replacing failed parts, users should always consult a trained technician to ensure system security.

On the Local Area Network (LAN) ultimate security boils down to the gateway, to a broadband home user, it is the router supplied by the Internet Service Provider (in the dwindling dial-up market, the gateway is supplied at the ISP). The gateway, hereafter called a router, is an interface between network systems. Some routers, largely on the Internet, only talk to other routers and are not connected to end users at all. However, all routers perform the same

function, directing network traffic to it's respective destination. Barring a long explanation, know that those destinations are known as IP addresses, and are probably familiar to users (192.168.254.1). Every device plugged into a router, whether through a wireless connection or a hard wired LAN has a unique (private) address. Home networking is generally accomplished on a router, and to ensure security, these must be configured correctly.

Nearly all home networking routers offer wi-fi, which defines the greatest threat to user security, and clarifies the importance of proper configuration tactics. Wireless routers must be password protected by WPA2 or stronger encryption standards, as well as establishing unique login credentials. An ISP supplied router will likely offer WEP encryption already active, however, WEP encryption is insufficient to protect the home wireless network and must be upgraded as soon as possible. To increase security a router may also hide it's broadcast SSID, essentially requiring both username and password for wireless access. Many crackers will roam neighborhood streets "Wardriving" for open home networks they can exploit, and the tacts described will foil those attempts. Many routers are also equipped with the ability to limit the times allowing Internet access, and to ensure total security, every device with granted access to the network can be assigned it's own address, using DHCP. To learn more about how to configure DHCP, and parental controls, refer to the individual router software and documentation.

Effective Personal Computer and home networking security entails many tactics, employed in a variety of ways. Security threats to user information originate from multiple sources, but can be defeated with only a handful of well tested tactics. Properly updated and configured anti-virus, anti-malware, and firewall software will ensure Malware will have no foothold in computer systems by actively scanning files and ports for known virus signatures. Complicated passwords, and the pass-phrases that make them easier to remember, will not only allow personal protection for individual user accounts but also will make password cracking exponentially more difficult. By controlling user accounts with UAC and monitoring which programs are installed, with the uninstall utility, a power user can ensure the availability of the system information. The range of tactics deployed on a system may be defeated at any time, because of the ever changing nature of threats to the system. Our defense tactics to the unknown threat are regular or scheduled system and software updates, backups, and hardware upgrades. Home networking defenses range beyond the single computer system, with many attacks being directed at the web browser and gateway. Paying attention to the information displayed in the web browser and practicing safe browsing techniques, will ensure users are being the most secure on the world wide web. And by securing a home wireless router with a nondefault password and user combination, WPA2 (or better) encryption protocols, and a non-broadcasting SSID; users can be protected from Wardriving, crackers, and unwanted neighborhood users. Only the full integration of these tactics, deployed simultaneously, will ensure the complete integrity, availability, and

confidentiality of personal computers and networks.