Home Computing Security Awareness

Home computing carries the same sort of risks to your personal information and personal
financial information that industry computing does to sensitive Company information.
The purpose of bad actors in the home computing environment is the same as bad actors in the
business environment, namely to steal your sensitive information, gain the ability to infect your
home computer with malware and spyware, and derive financial gain or personal satisfaction
from disrupting the life of the home computing victim.
“Eternal vigilance by the people is the price of liberty!” This is just as true today for the safety
and security of the home computing environment as it was in 1837 for President Andrew
Jackson, as he made his farewell address on leaving office.
The purpose of this short Home Computing Security Awareness Module is to help the home
computing user identify common threats, and to defend themselves and their data against bad
actors working hard to deny them the “liberty” to use their information freely, without going
to the extent of turning off their computer access to the world outside.
There are multiple layers of protection in your radial tires to protect you from road hazards, and
you need the same sort of multi-layered approach to protecting your computer: an up to date OS,
up to date firewalls, and up to date AV protection.
The starting point of safe and productive usage of your home computer is to defend it against
the bad actors of the world with multiple layers of defenses.
Defensive Computing
Define Appropriate User Access Level
 Start at the initial user definition level by creating a Restricted Windows User for ordinary
access use and a Windows Admin User for computer maintenance and software installation.
o The Restricted Windows User is walled off from the core of the operating system.
Windows 7 calls this a “standard user”. They cannot insert/update/delete anything in
the C:\Windows folder. The operating system is helping you defend itself against
manipulation by malware if you are logged in as a Restricted User.
o Only log in as the Admin User when you need to actually tweak your system. It is not
foolproof against malware infection, but it is a defensive layer.
Develop a Strong On-Line Password Model
 Begin your protection layer efforts on-line with a strong password model.
o Don't use obvious base-words or clues like a name, birthday or date; these are easier to
crack than whole phrases.
o Take advantage of length. An 8 character password is many times more difficult to crack
than a four digit password.
o For even more security, try to use "nonsense words." Combine these with numbers,
upper case and lower case characters, and symbols as well to make memorable, secure
passwords. For example, start with a word like “catdogs”, and substitute upper case,
symbols, and numbers, such as “Ca1d0&5”. Having a base word helps you remember
your substitutions.
o Some password sites restrict length and symbols, so know what the site requires before
you create your password. The example “catdogs” could have been “Ca1d095” for a no
symbol, 8 character site.
o Another alternative scheme is to use a memorable phrase to create a password, using the
first or last or some other sequence of the sequential letters to make a password
model you can remember.
 Example: “Give me liberty or give me death” could become “Gml0gMd”
o You can write down your passwords, but keep them secure. A wallet card is much more
secure, and more mobile, than a sheet of paper kept close to your computer. Do not
write your password anywhere where it might be seen or found.
o If you store a password file on your computer, encrypt the file, and be sure to
remember that password or write it down!
o If you have trouble remembering all the passwords you need, try using a password
manager or password vault application, which can reside on your mobile phone for
convenience and security. They can store all your passwords securely using a single
master password, and your phone’s encrypted storage will keep it secure.
o Consider having multiple levels of passwords.
 A simple, easy to remember level for sites which you access to read for news or
entertainment. News blogs, recipe sites, hobby sites, newspaper sites all fit this
definition. This is a throwaway level of password. No great harm comes to you if
someone cracked it. Do not use the same password generation logic for these
as for your more protected level of passwords!
 Use a higher level of more protective passwords with alpha, numeric, and
symbols, if possible, for sites where you expose financial or personal
information, such as credit card information for transactions. These passwords
should never be reused on more than one site.
 Higher value sites (your bank or credit card sites for instance) should never have
duplicate passwords or base passwords with a sequential number embedded
that you change to generate a “new password”. “Bobcash 10” and “Bobcash11”
are not really different passwords to use for two ATM accounts!
 Personal accounts of high value should have the password changed every 90
days.
o Never tell anybody your password. Somebody could overhear you, or the person you
told could let it slip. Knowing one or more of your passwords may help a bad actor guess
more of them.
o Be watchful of “shoulder surfers” as you enter your passwords, particularly in public
locations.
o Change your passwords periodically, or whenever one may have become compromised.
Frequent password changing is required by company policy or federal law in some
businesses, but may encourage users to choose weaker passwords or write down their
password near their computers. Don't re-use an expired password.
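As an added example (not part of the original module), the following Python checker applies the password rules listed above (length, character classes, obvious base words and dates) and detects the “Bobcash 10” / “Bobcash11” sequential-number trap across a set of site passwords. The small word list and the sample passwords are constructed for illustration.

```python
import re

# Hypothetical short list of obvious base words; a real checker would use a large
# dictionary plus the user's own name and family names.
OBVIOUS_BASE_WORDS = {"password", "bobcash", "catdogs", "letmein", "qwerty"}


def character_classes(pw: str) -> set:
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")
    return classes


def looks_like_date(pw: str) -> bool:
    """Flag a 19xx/20xx year or a 6- or 8-digit date run embedded in the password."""
    return bool(re.search(r"(19|20)\d{2}", pw) or re.search(r"\b\d{6}(\d{2})?\b", pw))


def base_form(pw: str) -> str:
    """Strip the tricks that do not make a password new: case, spaces and a trailing number."""
    return re.sub(r"\s*\d+$", "", pw).replace(" ", "").lower()


def are_effectively_same(pw_a: str, pw_b: str) -> bool:
    """Two passwords sharing a base form differ only by a sequence number."""
    return base_form(pw_a) == base_form(pw_b)


def check_high_value_password(pw: str, min_length: int = 8) -> list:
    """Return rule violations for a password meant for a financial or personal-information site.
    An empty list means the password passes every check from the list above."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(pw)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if base_form(pw) in OBVIOUS_BASE_WORDS:
        problems.append("base word is an obvious or known word")
    if looks_like_date(pw):
        problems.append("contains a date or year")
    return problems


def find_reused_bases(passwords: dict) -> list:
    """Given {site: password}, return pairs of sites whose passwords share a base form;
    cracking one of them effectively cracks the other."""
    seen = {}
    reused = []
    for site, pw in passwords.items():
        key = base_form(pw)
        if key in seen:
            reused.append((seen[key], site))
        else:
            seen[key] = site
    return reused
```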
o High value accounts, such as your electronic banking, may offer the option of a One
Time Password (OTP) system, using your mobile phone to deliver your single use
password. This is very secure since you never use the same password twice on that
account.
o It is also possible to obtain your own OTP phone application, and link it to your personal
site accounts in some cases. This again provides a very secure password if the option is
available.
Protect Yourself Against Malware Attacks
 Always have up to date Anti-Virus software, OS, and third party software updates on your home
computer, and update it as new patches come out for the AV software.
 Protect yourself and your home computer with an Internet firewall. Never turn it off, as it is the
first line of defense against downloading malware from the Net.
 Remember that all protective software is looking back at what is known to be bad, and avoid
questionable sites and activities where you might be more likely to discover the latest and
greatest malware!
 Never download anything because of a pop-up warning, as it is probably a malware scam.
 Update all of your software regularly, not just your Anti-Virus package. Cyber criminals work to
exploit vulnerabilities and the software vendors work to prevent them from doing it. Use the
latest versions to help keep your computer safe.
 Consider un-installing software that you do not use and keep updated, to minimize potential
vulnerability.
 Be careful with USB key sharing. Use your anti-virus scan feature to scan any key that has been
in someone else’s computer. The USB drive may share more than the pictures you think are on it
with your computer! An infected USB stick is a common carrier of malware.
 Protect yourself from a lost USB key by using encrypted keys for your portable data storage. If
you lose it, you may be inconvenienced but you will be protected against identity theft or theft
of financial data that you might have on your key.
 Don’t be tricked into downloading malware.
o Be suspicious of any link or attachment in unknown email, instant messages or social
network posts.
o Do not click Agree, OK, or I Accept in banner ads or pop-up windows that offer to
inspect for or remove malware or spyware. It is often actually malware offering to install
itself!
o Be careful of downloading “free” games, music, or software offered on websites you are
surfing. They are common means of malware infection.
Always Be Skeptical
 When you are on-line and an update window pops up saying you need to update this or that
plugin, such as Flash, be skeptical. It is often a scam to get you to expose information to a bad
actor site. Go to the actual software site to check for upgrades. Only download upgrades from
the original software site!
 Keep a healthy skepticism regarding unsolicited e-mail to your account offering anything
potentially attractive to you for just a button click on an attached link, as it may be Phishing!
o Phishing, the act of offering a lure to see if you will bite, is more and more prevalent as
an email based attack.
o Offering some great deal or special information link just for you, from someone or some
business you do not know, may be an attempt to lure you to a site and acquire your
personal information as you “register” for the deal or special offer.
o Another common Phishing scam is to send you an email warning about a large account
charge or a cancellation of your account from a business you supposedly know. Examine
those links and addresses carefully!
o Look for scam links that show a different address than expected when you hover over
them. Also look for misspellings or slight changes in site names which you think you
might know.
o It is trivial for a scammer to forge a “From” address to make you think you are dealing
with a known business.
o If you get a request for any personal or financial information update, or to confirm your
account information, never click a supplied link in a note. Go to the actual site of your
bank or store account directly, and see if they are messaging you to make some account
update or change. Don’t get caught by the Phisher!
Think Before You Share Personal Information On-Line
 Your personal and family privacy depends on your ability to control the amount of personal
information that you provide on-line and who has access to that information.
 Identity theft is a major focus of bad actors, and can be embarrassing personally and
financially injurious to your family members.
o Read the privacy policy of websites before you contribute personal or financial
information.
o Privacy policies should clearly explain what data the website gathers about you, how it is
used, shared, and secured, and how you can edit or delete it.
o Understand that some social media sites repeatedly change their sites, in the name of
adding functionality and features, which breaks down the previously applied privacy
barriers of the users, requiring them to be reset over and over.
o Monitor and know when your social media site has broken your privacy barricades, and
know how to reestablish them!
o Do not share more than you need to.
o Do not post anything online that you would not want made public.
o Minimize details that identify you or your whereabouts. Don’t post your plans for trips
and travel for the world to see on your social media sites. Burglars use Social Media too!
o Consider disabling the geo-locating functionality of your camera if you post pictures.
Knowing the location tag of a picture gives a lot of information to a scammer trying to
establish a “connection” to you, and may tell him where you or your children hang out,
work, live, or go to school.
o Keep your account numbers, user names, and passwords secret.
o Only share your primary email address or Instant Message (IM) name with people who
you know or with reputable organizations. Consider a second email account for public
use which you can ignore or delete without any loss.
o Avoid listing your address or name on Internet directories and job-posting sites.
o Be Cautious!
o Enter only required information, often marked with an asterisk (*), on registration and
other forms.
o Choose how private you want your social media profile or blog to be!
 Modify website settings or options to manage who can see your online profile
or photos, how people can search for you, who can make comments on what
you post, and how to block unwanted access by others.
o Monitor what others post about you and your family members.
 Search for your name on the Internet using at least two search engines. Search
for text and images.
 If you find sensitive information on a website about yourself, look for contact
information on the website and send a request to have your information
removed.
 Regularly review what others write about you on blogs and social networking
websites.
 Ask friends not to post photos of you or your family without your permission. If
you feel uncomfortable with material such as information or photos that are
posted on others' websites, ask for it to be removed.
o Be selective about Friends. Consider adding only those you actually know or those with
whom you have friends in common. Don’t assume that a friend of a friend is your friend
until you inquire with your real friend.
o Social engineering, the attempt to solicit identity information from a user on a social
media site, usually starts with the friends you do not know. They can gain a lot of initial
knowledge about you by reading what you post. They can get a lot more by careful
communication through your site.
o Don’t share everything! The world does not need to know everything about you.
Wireless Internet Security Risks
Home Wi-Fi Network Issues
 Wi-Fi networks (generally standard 802.11X) allow people to wirelessly connect devices to the
Internet, such as smartphones, gaming consoles, tablets, and laptops.
 Because Wi-Fi networks are simple to set up, many people install their own Wi-Fi networks at
home.
 Many home Wi-Fi networks are configured insecurely, allowing strangers or unauthorized
people to easily access your home network or anonymously abuse your Internet connection.
 To ensure you have a safe and secure home Wi-Fi network, here are a few simple steps you
should take.
o Limit the access to your Wi-Fi Access Point by taking time to set up security when you
set it up.
o Always change the default administrator login and network password to something only
you know. The default values for almost all brands are available on the Internet, open to
anyone! Never leave the defaults in place.
o It is recommended to disable Administrator access to the settings through the wireless
network. Set the configuration to require wired access through an Ethernet cable if
possible.
o If your access point does not have this option, disable HTTP and require HTTPS, which
supports encryption.
o Change the wireless network name (often called the SSID) to a name known only to you.
Never use the default network name.
o Set the network name to Non-broadcast or Hidden.
o Enable encryption on your network by activating WPA2. Never run with WEP or an
open Wi-Fi network. An open network allows anyone to connect to your access point.
o Make sure the network password is different from the Administrator password and not
easily guessed. Recommended length is generally 20 characters. You only have to enter
it once for each device using the network and then it is remembered by the device.
o Write down or electronically store this network password in some non-obvious secure
place, not taped to the access point!
o If you allow guests to use your network, you may want to change the network password
after they leave.
o Turn off or disable WPS. Recent vulnerabilities with WPS have been uncovered which
could give an outsider access to your wireless network if it is enabled.
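As an added illustration (not part of the module), the Python below encodes the home Wi-Fi checklist above as an audit over an access point's settings, with a constructed as-shipped configuration beside a constructed hardened one. The setting names and the short list of factory SSIDs are this example's own assumptions, not any vendor's admin page.

```python
# Hypothetical factory SSIDs; a real audit would use the vendor's known default names.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}

# Constructed "as shipped" settings: every check on the checklist fails.
WEAK_AS_SHIPPED = {
    "ssid": "linksys",
    "broadcast_ssid": True,
    "security_mode": "WEP",
    "network_password": "password",
    "admin_password": "password",
    "admin_over_wireless": True,
    "admin_protocol": "http",
    "wps_enabled": True,
}

# Constructed hardened settings following the checklist.
HARDENED = {
    "ssid": "garden-shed-42",
    "broadcast_ssid": False,
    "security_mode": "WPA2",
    "network_password": "correct horse battery staple 2024",   # constructed, 20+ characters
    "admin_password": "a different and long administrator secret!",
    "admin_over_wireless": False,
    "admin_protocol": "https",
    "wps_enabled": False,
}


def audit_access_point(cfg: dict, min_password_len: int = 20) -> list:
    """Apply the home Wi-Fi checklist to one settings dict.
    Returns the list of findings; an empty list means every check passed."""
    findings = []
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default name")
    if cfg["broadcast_ssid"]:
        findings.append("SSID is broadcast; set it to hidden/non-broadcast")
    if cfg["security_mode"].upper() in {"OPEN", "NONE", "WEP"}:
        findings.append(f"encryption is {cfg['security_mode']}; use WPA2")
    if len(cfg["network_password"]) < min_password_len:
        findings.append(f"network password is shorter than {min_password_len} characters")
    if cfg["network_password"] == cfg["admin_password"]:
        findings.append("network password is the same as the administrator password")
    if cfg["admin_over_wireless"]:
        findings.append("administration is reachable over wireless; require an Ethernet cable")
    if cfg["admin_protocol"].lower() != "https":
        findings.append("administration page uses HTTP; disable it and require HTTPS")
    if cfg["wps_enabled"]:
        findings.append("WPS is enabled; turn it off")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as shipped", WEAK_AS_SHIPPED), ("hardened", HARDENED)):
        print(name, "->", audit_access_point(cfg) or ["no findings"])
```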
Use of Public Wi-Fi Networks: Security Issues
 The easiest way to eavesdrop and wiretap internet connections is to do so through public Wi-Fi
hotspots.
 Public Wi-Fi security in most public hotspots that you find in cafes, coffee shops, airports,
schools and hotels is weak to non-existent.
 Hotel Wi-Fi or wired access that you paid for is not automatically always safe either. You are
putting a lot of trust in the operator of the hotel network!
 The FBI has warned travelers there has been an uptick in malicious software infecting laptops
and other devices linked to hotel Internet connections.
 The FBI stated: "Recent analysis from the FBI and other government agencies demonstrates that
malicious actors are targeting travelers abroad through pop-up windows while they are
establishing an Internet connection in their hotel rooms”.
 Open Wi-Fi hotspots run with no security encryption which makes them very insecure! Consider
the use of a Virtual Private Network (VPN). The VPN tunnel will not allow your computer to be
connected to two Internet pathways, cutting off the bad guy’s access route. You are transferring
data in an encrypted tunnel. VPN services are available for a modest monthly fee if you need to
use a lot of open Wi-Fi, and bandwidth limited free VPN service is also available for occasional
users. Check it out.
 Consider the use of only encrypted Wi-Fi hotspots outside your home. This is not as secure as
VPN or your own home network can be, but it does provide better protection. Starbucks
operates an encrypted network at their stores, as do others. Check before you connect!
 Consider the use of a USB cellular data card for your communication access while traveling. A
cellular connection is encrypted and much more secure than Wi-Fi or a hotel wired network,
although you will have a monthly fee.
 If you have an iPhone or Android smartphone, you can install a Personal Hotspot app with a
data plan to allow your phone to act as your laptop’s cellular connection. This is a very secure
encrypted connection to the internet for a fee of about $30 to $50 a month currently.
 Speed and performance of smartphone hotspots are comparable to local Wi-Fi.
 If you are limited to using open Wi-Fi hotspots, you have the potential for interception of any
data transferred, through Wi-Fi spoofing (establishment of false networks or false sites to steal
your authentication and data).
o Browsing web sites with unsecured HTTP access rather than HTTPS secure encryption
exposes any data you send over the Internet.
o The Wi-Fi hotspot sponsor or another user in the immediate hotspot area can intercept
your login information through tools such as Firesheep.
o In a practice known as HTTP session hijacking (or “sidejacking”) the pirating software
intercepts browser cookies used by many sites, including Facebook and Twitter, to
identify users, and allows anyone running the program to log in as the spoofed
legitimate user and do anything that user can do on a particular website.
o Spoofing can get everything you send if it is established between you and your intended
receiver site, such as a hotel or airline reservation site, where you would typically be
exchanging personal information, identity information, and credit card information.
This is a Man-in-the-Middle attack. You are sending to the bad guy and he is recording
your information and sending it to the intended site, but now he has a copy of your
identity and authentication!
o Spoofing can also include controlling the Wi-Fi to downgrade your HTTPS to HTTP
access, leaving you vulnerable to data hacking. If using Wi-Fi, be alert to the status of
your connection, as a bad actor may change it after your session is established.
o Never send your personal identity information or financial information except through an
HTTPS connection which has secure encryption!
o Avoid open Wi-Fi if at all possible when you are off of your home network!
Protecting Your Finances
 Theft of your credit card information is a common hacker attack goal. Even if you are not liable
for losses above a certain amount, the inconvenience of having to cancel accounts and open new
accounts is major.
 Consider the use of pay services like PayPal that allow you to conceal your actual credit card
information from your transactions.
 Consider the use of a reloadable account card, especially for family members playing on-line
multiplayer games, which often have fees to cover electronically.
 MasterCard, Visa, and American Express all offer such cards, and losing account information is
not the level of hassle that losing a regular credit card account identity brings. You also limit your
losses up front by deciding how much balance to load on the cards.
 Do understand the fees associated with these cards carefully before you select one. Shop
around, as there is a lot of variance and there are deals to be had.
 Physically destroy hard drives in obsolete PCs before you take them to recycle. Even if you have
a high grade disk wiping program, your information can still be recovered.
 Encrypt sensitive files on your hard drive, such as tax returns or your monthly account
statement storage files. These files could be very dangerous if malware copies them out to the
bad guy.
Summary
 The Home Computing user faces the same challenges as the Business Computer user, but with
far fewer resources to help you. You are on your own.
 Preparation of your defenses and maintaining them in a current, up to date status is the key to
protecting your computing environment.
 A cautious attitude and approach to information sharing is also key to protecting your family
and assets.
 Make sure that everyone in your Home Computing user environment is aware of the risks and
the steps to take to mitigate those risks and protect your family’s security!
 Check for advice and information on how to make your home computing environment safer at:
o Windows Support: Security, Privacy, and Accounts
o StaySafeOnline.org
o Microsoft.com Safety and Security Center