Home Network Security Basics

Whether you're starting college or working on a new business, you'll benefit from applying basic best security practices. I'm going to simplify everything you should have on your personal computer (PC), why, and with recommendations so you're not left to figure it out on your own. Follow this cybersecurity guide and become less likely to be a victim.

---

Run System Updates

Yes, I'm serious. This is first because ignoring operating system (OS) updates is still a trend. It is also the reason for a lot of successful cyber attacks. As with most things on this listacle, your OS does not negate the importance of a solution.

If you're afraid that an update will break something, run backups beforehand (covered later). Check available updates and temporarily delay any that may disrupt something you need to do now. Easy example: Firefox updates require restarting the browser before you can resume "internetting." But again, update the OS when prompted and restart the machine afterwards.

Strong Passwords

I'll keep this short because you've likely heard most of this before already. Your passwords should:

1. Exceed a dozen characters
2. Include lower-case, upper-case, numeral, and special characters
3. Be approximately every 3-4 months
4. Be stored in a password manager
   • Bitwarden (online)
   • LastPass (online)
   • KeePass or KeePassXC (offline)

Antivirus (AV) Scanner

Install a malware scanner to ensure you're not downloading viruses, trojan horses, etc.

Windows users can choose between:

• AVG (free)
• Avast (free)
• McAfee (paid)
• ZoneAlarm (paid)

I recommend using a free app unless you're willing to spend money on one product that offers additional security features.

Want more? SUPERAntiSpyware and SkyBot Search and Destroy work well with the other AV scanners. Unfortunately, they're no longer free.

Linux folks can stack ClamAV and Lynis for advanced system security recommendations.

For macOS, MalwareBytes seems to be the best, free option.

A solid way to configure your AV scanning solution:

1. Set the AV scanner to automatically run at least weekly, when you're least likely to do anything resource-intensive like gaming, media production, and backups. Remember to keep the system powered on during that time. If you have a short time window where you're not doing "all the things," run AV scans at the same time as backups, but 1-2 days before. That gives you time to handle quarantined files.
2. Ensure the AV software updates virus signatures immediately.
3. Don't ignore notifications from it.

Integrity Checker

This is an optional way to track changes to, or integrity of, system files. It is a "software-based intrusion detection system (IDS)" that creates hashes for all files and compares them periodically. It won't stop anything but it can be set to alert you of suspicious changes. I say the average user should come back to this well after the other things on this list.

Windows users, try System File Checker.

Unix-like OS users can install AIDE.

macOS: Integrity by PeacockMedia looks good, but you'll need to ask your Apple experts.

Disk Space Cleaner

This also isn't a requirement, but I recommend it because it shows how much disk space you waste on logs and temporary files. A good disk cleaner will show you all files marked for deletion (with full file path), what those files do, and how much space you'll recover from the process. My suggestions:

• BleachBit for Windows and Unix-like OSes
• CCleaner for Windows and macOS

Secure Email Communications

Microsoft Outlook, Mac Mail, and the various Unix desktop mail clients are insecure by default. Security costs convenience. That makes it easiest to use for everyone. You have to protect yourself from spam. Verizon's Data Breach Investigation Report (DBIR) visualizes how rampant phishing is and how often it leads to stolen user credentials.

When you set up an email account, check the port number. IMAP and POP3 have insecure and SSL/TLS secure ports. If you use IMAP which syncs emails between your PC and the server, change "143" to "993." If you use POP3, for those prefer to download emails from the server, change "110" to "995." If you have an issue due to using the secure port, then maybe change it back. But try the more secure option first.

Spam Filter

SpamAssassin is the most popular anti-spam plugin I know. Check your email client for security settings and enable them.

Email Authentication

If you manage a web hosting server that doubles as an email server, there are DNS records to protect your users from spoofing. These are all TXT records.

• DomainKeys Identified Mail (DKIM) is the first step.
• Sender Policy Framework (SPF) states what email and web server IPs should be sending email from your domain.
• Domain-based Message Authentication Reporting & Conformance (DMARC) enforces SPF.
• Brand Indicators for Message Identification (BIMI) shows your logo to recipients using supported email providers.

Traditional Firewall

There are many types of software and hardware firewalls. You need a traditional, host-based firewall to close unnecessary ports. For the average user, the easiest method is to use the strongest preset that allows you to do everything you need.

Windows Defender Firewall is already installed.

Unix-like OS can choose from UncomplicatedFirewall (UFW), Firewalld, and many others.

Apple Firewall is included by default.

Firewall on Home Router

Your home router should have security features. If not, you should replace it.

1. At the very least, change the router username and password.
2. Advanced users may also try whitelisting Media Access Control (MAC) addresses and restricting how many devices can connect at once.

If you have Wi-Fi enabled:

1. Disable it if you don't need it.
2. If you do need it, create a long password.
3. Use WPA2 for better encryption, not WEP.
4. Turn off SSID broadcasting so that it's harder to find..
5. Disable Wi-Fi Protected Setup (WPS). This is the button that allows you to quick-connect to a Wi-Fi network. It is an insecure protocol.
6. Advanced users may consider using a lower power level so that the Wi-Fi router is inaccessible outside of the home.

Web Browsing Security

I'm not going to compare web browsers at this time. The most popular, fully-featured ones are:

• Firefox
• Chrome
• Vivaldi
• Falkon

Choose what works best for you and gets regular updates. This is the first technical line of defense against cyber attacks, particularly for when you can't modify a router or Wi-Fi access point (AP).

Security Settings

The following settings should be present in any fully-featured browser.

1. Many websites refuse to work if cookies are disabled. Alternative solution: set the browser to delete cookies upon exit.
2. Use a password manager mentioned earlier in the post, not the browser, unless they're unimportant user credentials. It can be hacked.
3. Delete browsing history upon exit.
4. Disable websites' ability to enable your microphone and camera.
   • Your mic should be muted when not in use.
   • Your webcam should be covered by tape or a fancy webcam cover.
5. Prevent the browser from automatically downloading files without your permission.
6. Consider researching advanced security tips for your web browser.
7. If you like bleeding edge tech, check out Quad9 for DNS-over-HTTPS (DoH). It can add security and speed to your online activity. This may conflict with Virtual Private Network (VPN) settings.

Security Extensions

Browser security extensions block suspicious URLs, known malicious URLs, and JavaScript. Privacy Badger and uBlock Origin are some of the best browser extensions for security. Install one.

"HTTPS only" settings are cool. Unfortunately, there are popular, legitimate websites without a valid SSL certificate. Some only work with "HTTP." Use it if you find it doesn't prevent access to important websites.

VPN for Privacy

There are many valid reasons to use a VPN. Some can save money by just adding a third party DNS resolver in the browser or router. For those who want VPN software, don't just run to NordVPN because YouTubers keep doing sponsored videos. Research the best VPN provider for you. And understand best practices for using a VPN. Ensure it includes SOCKS5 for better obfuscation.

Multi-factor Authentication (MFA / TFA)

Enable MFA for website logins,smartphone applications, and your computer if possible. There have been sophisticated attacks where MFA was bypassed, but it is better than nothing.

Backups and Snapshots

You should backup all important data at least monthly on two separate locations. The "how" depends on your preference. The most common:

• External drive
• Google Drive
• Apple Cloud

Backups left on that same machine are worthless if the machine is hacked. You can choose two external drives, or mix and match the options above.

Cybersecurity Training

Cybersecurity experts sometimes call this the "security education, training, and awareness (SETA) program." The military called it security awareness training. The Department of Defense (DoD) offers some free interactive security courses. Federal Virtual Training Environment (FedVTE) publishes cybersecurity training videos for US military veterans. If that feels excessive, just watch a few YouTube videos explaining phishing, ransomware, code injection, and the importance of backups.

Let me know if you think anything is missing or would like to see more content about a particular topic.

Tags: college, cybersecurity, IT, linux, windows

Comments? Tweet