securing-your-computers

					SecureParents™                               Ten Steps to Securing Your Family’s Computers




          ParentPapers: Ten Steps to Securing Your Home
                           Computers
                                      Last Updated: 04 June, 2007

                                    http://www.secureparents.com


Welcome to SecureParents, a free website dedicated to you, the busy parent. We are
dedicated to helping you at no cost secure you and your family in today’s information
age. We understand the tremendous pressures and time limits that parents have. Our
resources are designed by experts to be simple yet provide the critical information you
need. ParentPapers are a series of papers designed by us to give you this information
in less then 15 minutes.



PAPER TOPIC:
In this paper we discuss how to secure your home computers, both Microsoft Windows
and Mac OS X.




This paper is copyright “SecureParents”. You are free and encouraged to distribute this paper to whomever
you like. The only limitation is this paper cannot be modified nor sold for commercial purposes. This paper
is distributed under the Creative Commons license, Attribution-NonCommercial-NoDerivs 3.0 Unported. In
no event will SecureParents be liable for any damages, including loss of data, lost profits, cost of cover, or
other special, incidental, consequential, direct or indirect damages arising from this documentation or the
use thereof, however caused and on any theory of liability. This limitation will apply even if SecureParents
has been advised of the possibility of such damage. You acknowledge that this is a reasonable allocation of
risk.



Page 1 of 21                                                            http://www.secureparents.com
SecureParents™                         Ten Steps to Securing Your Family’s Computers

Introduction
This paper is designed to help you and your family protect your home computers,
regardless if you are using a Microsoft Windows or Mac OS X. We cover 10 basic steps
to protecting your systems. The first 5 steps apply to both types of computers. Steps 6
through 10 are specific to each type of operating system. You may notice that most of
the 6-10 steps are similar for both types of computers, the only difference is the
interfaces used. If you have any questions or suggestions, we would love to hear from
you at info@secureparents.com.

Contents:
Steps 1-5                              pages 2-7
Steps 6-10 Microsoft Windows           pages 8-13
Steps 6-10 Max OS X                    pages 14-19
Common Mistakes                        page 20




Common Step 1: Use Two Computers, Not One
This is may be one of the most important steps you can take to protect yourself and your
confidential information. Many families have only one home computer at home. This
single computer is shared by all family members for a variety of needs. Not only do
parents use this for personal on-line banking, but their kids use the same computer for
downloading screen savers, playing on-line games, or watching real-time movies. This
combination can expose your private information to a great deal of risk.

One of the first steps we recommend is for you to have two computers at home. The first
computer can be used by your family for their day-to-day activities that do not require
significant security precautions, such as chatting on-line, playing games, or writing
school papers. This is the untrusted system. This system is untrusted because it is
exposed to so much high-risk activity by multiple people. Your second computer should
be dedicated to security sensitive activities and should only be used by parents or other
responsible adults. This is the trusted system. This computer should only be used for
confidential activities, such as on-line shopping, on-line banking, credit report
applications, investing, or any other financial transactions. Anything that involves money
or your highly personal information should be done on the trusted system.

Your trusted computer does not need to be brand new or expensive, as it will most likely
not be using power intensive applications. However, it is critical that your trusted system
is only used by people that you know and trust and that it starts from a trusted state.
Trusted state means that you have full control of the computer and it behaves in a
manner you expect it to. Unless this computer is brand new, make sure to reinstall the
operating system and to secure and update it regularly using the steps discussed below.
You want your trusted system to start from a known, good state.

We understand however, that having a second home computer might not be an option
for a variety of reasons. If it is not feasible, we provide in step 6 an additional option for
you.




Page 2 of 21                                                  http://www.secureparents.com
SecureParents™                          Ten Steps to Securing Your Family’s Computers

Common Step 2: Safe Web Surfing Habits
Many people have the misconception that the most important step to securing their
computers is how they configure their computer. In reality the most important step is
how you use the computer. No matter how secure your computer is, often the user is
the weakest point. Instead of launching an attack against your computer, criminals use
social engineering to trick you into doing something for them. The World Wide Web has
become one of their primary means to do this. The two largest threats against you on
the World Wide Web are phishing and malicious websites. Below, we briefly describe
each threat and how you can protect yourself against them.

Phishing:
Phishing is a social engineering attack. Bad guys do not hack your computer for your
information, they ask you for your information. Using a variety of technical tricks, they
fool you into thinking that your browser is communicating with an entity you trust, such
as your bank or your favorite on-line store. Instead, they created a fake website
pretending to represent an organization you trust. When you connect to the fake
website, they trick you into giving away your private information, such as your credit card
number or banking credentials (e.g. login and password). Figure 1 shows an example of
a bogus email asking for banking information. It is an email pretending to be from Chase
Bank. In reality, it is an email from criminals who want to obtain your banking
information. Criminals send out millions of such emails hoping to find victims. If you click
on the link provided in the email, you will be sent to a website pretending to be Chase
Bank's (see Figure 2). Although the website looks legitimate, it is only an exact replica
of the real website and it is located in Thailand. If you were to login, you would have
given your banking information (user id and password to your account) to the criminals.
This type of attack that attempts to fool you is extremely common, in fact it happens so
often that it has its own name, social engineering. It’s a common attack, one you will
see repeated steps 3 and 4.




Figure 2: Bogus email from cyber criminals        Figure 1: Bogus website designed to steal
pretending to be from Chase bank.                 your banking information.




Page 3 of 21                                                 http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

To protect you, most current browsers have anti-phishing capabilities built into them. If
you were to visit a false website like the one from Figure 2, your web browser would
likely pop up a banner warning you. However, technology alone is not the solution, you
have to help too. Do not respond to such emails unless you initiated the communication
with the organization sending your an email. For example, if you talked on the phone to
a bank representative and they told you they were sending an email about your account,
you can then reasonably assume that an email from the bank is safe. However, if you
receive the email unsolicited do not trust it. Also, we recommend you do not click on the
links provided. Instead, manually enter the website addresses into the browser yourself.
For more on phishing, see the video from i-SAFE at
http://ftc.isafe.org/imgs/phishing.swf

Browser Attacks
Not only do the bad guys fool you into giving away sensitive information, they can also
attack your web browser, using technologies called client based attacks. Your browser
may have vulnerabilities that allow them to break into your computer. However, to
exploit these weaknesses they cannot initiate the connection to your browser
themselves. Instead, they entice you to visit specially crafted websites that are designed
to hack into browsers. When you visit a malicious web page, it launches an attack
against your computer through your browser without you realizing what is happening. To
help protect against this very serious, but difficult to detect threat, it is extremely
important that you visit only sites you trust. You must be cautious with websites that you
have never heard of, or dodgy websites such as on-line gambling, or sites that give
away free programs or screen savers. Depending on the browser you use, there are
additional steps you can take to secure your browser against client based attacks. Just
like you want to me sure your operating systems is patched and running the latest
version, you want to ensure your browser is to. To learn more please refer to the
excellent paper from US-CERT at:
http://www.us-cert.gov/reading_room/securing_browser/

There     are    also   technical
solutions that help protect your
system by providing rating of
websites. Such service verifies
legitimacy of most websites on
the Internet. If your browser
attempts to go to what is known
or is suspected to be a malicious
website, the program will alert
you.      SiteAdvisorTM is one
example. Figure 3 shows the
results of a Google search
where SiteAdvisorTM issued a
warning for a website it
considers to be potentially
malicious.




                                                                       TM
                                    Figure 3: An example of SiteAdvisor , which warns about
                                    potentially malicious websites. http://www.siteadvisor.com

Page 4 of 21                                                 http://www.secureparents.com
SecureParents™                          Ten Steps to Securing Your Family’s Computers

Common Step 3: Safe Email Habits
Just like with surfing the web, how you use email has a huge impact on the security of
your computer. Email has become the primary method for bad guys targeting you and
your family. Criminals are finding it harder and harder to hack into computers over the
Internet, so they are targeting you, the human, instead. They use email to fool you into
installing hacker programs (called malware) onto your computer. The infamous Nigerian
money or weight loss scams are all conducted via email.

Figure 4 shows a malicious email we received. Such email is a common, though a
rather crude, example of an attempt at social engineering. The email pretends to be a
security alert notifying you that your computer is infected. It claims that you need to
install a patch to secure the system and asks you to click on the attachment. If you were
to click on it, your computer would become infected with a malicious program called
Email-Worm.Win32.Warezov. This program first attempts to disable your firewall and
anti-virus programs, it then downloads more programs to take over your computer, and,
finally it attempts to replicate itself by spamming all e-mail addresses found in your email
address book. If you can resist the urge to click on such attachments or to respond to
scam emails and train your family to do the same, you will greatly help to eliminate the
majority of threats on the Internet today.




           Figure 4: A bogus email attempting to trick us into clicking on the
           attachment. If we do, the attachment will take over our computer.


Just as we discussed in phishing section, if you did not initiate the communication with
the sender and you were not expecting the email or the attachment, assume it is
malicious. To learn more about email scams and attacks, please refer to:
http://onguardonline.gov/spam.html




Page 5 of 21                                                     http://www.secureparents.com
SecureParents™                        Ten Steps to Securing Your Family’s Computers

Common Step 4: Safe Instant Messaging Habits
Instant messaging is another common method of communication over the Internet.
Instant Messaging (known as IM) refers to two or more people communicating in real
time by typing words to each other over the Internet. Just as with any other
communication method, bad guys attempt abuse it. There are some easy steps you can
take to protect yourself. Just as with email, you have to be careful trusting messages
sent by others. Bad guys may try to fool you into visiting bogus websites or downloading
malicious programs. For example, if your friend's computer has been infected, the
instant messages seemingly sent by your friend may actually be originated by the
malicious program that is spamming everyone found in his or her contact list.

See Figure 5 for an
example of bogus IM.
In this case someone
we do not know has
messaged us about a
patch we need to
download a program
called patch.exe. The
message       appears
sincere and very
urgent. However it is
really an attack. If we
were to download this
program,             our
computer         would
become infected and
criminals would have
total control of our
computer. Just like
email, IM is simply Figure 5: An attacker attempting to trick us. If we had clicked on the link
another technology he provided, our computer would be hacked. Unfortunately, in the real world
that criminals around it may not be so obvious.
the world abuse.

In addition to being vulnerable to social engineering attacks, IM has several other issues
you need to be aware of. Just like email, many IM conversations are transmitted in
cleartext which means that other people may be able to intercept and read your chat
sessions over the network. If you want to ensure that no one can intercept your
messages, use encryption offered by some instant messaging programs, such as Skype.
Also, keep in mind that IM software, unlike phones, often automatically records the
conversation. Everything you and your friends type may be logged at each person’s
computer. If you are discussing things that you do not want to be logged, ensure that
everyone has logging disabled. Or, better yet, simply use the phone if the conversation
you are having is highly sensitive.




Page 6 of 21                                                http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

Common Step 5: Strong Passwords
Bad guys guess passwords, its one of the oldest ways for breaking into computers or
accounts. They even have automated programs to do it for them. For example, they will
tell the program to repeatedly try a variety of passwords until it breaks into your on-line
banking account, your email account, or your Skype account. A key defense against this
threat is to have good passwords for any type of login that you want to keep secure. Tips
on how to manage passwords.

   1. Document your passwords and safeguard them. At last count, one member of
      SecureParents had over 60 different accounts requiring passwords. That is
      simply too many for a person to remember. There are a variety of computer
      programs to help you maintain your passwords. Mac OS X comes with one
      called KeyChain. However, for home use what we have found effective is to
      simply write down all your accounts and passwords on a piece of paper, secure
      the document (such as in a safe), and show your significant other where the
      passwords are located. Not only does this make a secure backup and reference
      for passwords, but if something happens to you (such as hospitalization) the
      other person can have access to all your critical on-line accounts.
   2. Use long passwords. At a minimum have at least 8 characters in your
      password. Use more if you can.
   3. Make the passwords difficult to guess. That’s the whole point here! Do not
      use words found in a dictionary, such as computer, or obvious numbers such as
      your home phone number or your spouse’s birthday.
   4. Include different characters in your passwords. Depending on specific
      requirements of different systems and websites, try to use at least one capital
      letter, one number, and one symbol. There is a large number of symbols to
      choose from, such as $, %, *, {, or :. You can even use the space bar for
      your passwords!
   5. Tricks to remember. There are many tricks you can use for remembering a
      password such as creative spelling of a word. For example, instead of the word
      schedule you could do Sch3dul-. You replace common letters with symbols
      that look or seem similar to you. Use of mnemonics is another great way to
      create difficult to break passwords.
   6. Use foreign words. If you are learning a new language, use words from that
      language then use the same tricks as above. It’s a great way to practice a new
      language and much tougher for others guess your passwords.
   7. Use different passwords for different accounts. For example, do not use the
      same password you use to view your friends on-line picture album for your on-
      line trading account.
   8. Change your passwords at least every 90 days.

If you want to test how secure your password is, Microsoft has a site where it will
determine how strong it is. Check out:
http://www.microsoft.com/protect/yourself/password/checker.mspx

Note: Many on-line financial institutions nowadays are implementing more advanced
authentication mechanisms, such as two-factor authentication. Examples include
verifying IP address of your computer or adding pre-defined images to your login screen.
In future publications we will discuss how you can best leverage these new technologies.




Page 7 of 21                                                http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

Microsoft Specific Steps 6-10
We have just covered the first five steps to securing your home computer. These steps
were not operating system specific. We will now cover steps 6-10 that are specific to
Microsoft Windows. If you want to skip this section and learn about securing Mac OS X,
please proceed to page 15.

The examples below are based on WindowsXP. To perform the following steps you will
need Administrative access to the programs listed in the Control Panel (Figure 6). This is
where you will access the different options you need to secure your computers. If you
are running a different Windows operating system, the steps discussed here apply also,
although the menus may be different. If after reading these steps you would like to take
additional, more advanced measures, to secure your system we recommend Microsoft’s
security website at http://www.microsoft.com/protect/default.mspx




                    Figure 6: Control Panel in classic view on WindowsXP




Page 8 of 21                                                 http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

Microsoft Specific Step 6: Multiple Accounts
For those of you who cannot afford or may not want two computers, do not despair!
Just as we can have trusted and untrusted computers, you can also use trusted and
untrusted user accounts. While not as effective as two separate computers, this can
help reduce risk. The idea is to establish multiple user accounts on the shared
computer. Different accounts are assigned different privileges, ranging from complete to
limited. At any given time, you want to use the account with least privileges that still
allows you to accomplish your tasks. For example, in Windows XP there are two
different types of accounts, Administrator and User (Limited). Administrator has the
authority to perform all functions, including installing programs, adding accounts and
making system-wide changes. This is a very powerful role with unlimited capabilities.
The User account has limited capabilities. For example, it cannot create new users or
install new programs. See Figure 7 below for a comparison of both account types.

You create new accounts from
the User Accounts icon in the
Control Panel. We recommend
you create and use User
account for your day-to-day
activities. This helps mitigate
risk because if your system is
compromised, the severity of
damage is often related to the
type of user being attacked. If
you are logged in as a regular
user during an attack, then the
attacker    will   have   limited
privileges as well and the
damage can potentially be
contained.       However, if the
attack is ran while you are
logged in as an Administrator,
the outcome of the attack can
be much more devastating.
Each person in your family
should have their own, unique
User account. In addition, you
may want to create Guest
(Limited) account for visiting
                                  Figure 7: Difference between Administrator and User
friends.                          Accounts.

Use the Administrator account only when you need special permissions. If you are
sharing a computer with your children, create a single account for the Administrator that
only you have access to. Make sure to safeguard Administrator's password. Create
separate User accounts for everyone (including yourself) that you use for day-to-day
activities, such as browsing the Internet, email, or instant messaging. When your
children need to install new programs, you do it for them as Administrator. This method
has limitations. At times, you may be frustrated if you cannot run a simple program
unless you have Administrator access. However, this method whenever possible as it
adds an additional layer of security. Note: future versions of Microsoft Windows, such as
Vista, make greater use of multiple accounts with limited privileges.


Page 9 of 21                                                http://www.secureparents.com
SecureParents™                      Ten Steps to Securing Your Family’s Computers

Microsoft Specific Step 7: System Updates
Keeping your system regularly updated (often called patching) is critical to risk
mitigation. The bad guys are constantly finding new vulnerabilities or weaknesses in the
programs you use. They do this by finding mistakes in how the software was designed
or developed, then exploiting those flaws. As Microsoft learns about these issues, it
develops patches to fix them (good analogy here is recalls for cars). Microsoft usually
releases these patches once a month, on the second Tuesday of every month.
Microsoft does this by publishing the new patches on their web server. Your computer
can automatically go to the Microsoft website, check to see if it needs any new patches,
and if so, download and install them. By installing patches on your computers regularly
and keeping them current you help eliminate the many ways bad guys can break into
your computers.

You       can    configure Automatic
Updates from the Control Panel. We
recommend you setup your home
system to automate the patching
process (see Figure 8). If you
choose, you can do this process
manually but automation ensures
that it is done regularly.

Note: Microsoft currently supports
automated     updates   for   home
systems on Vista, Microsoft XP, and
Windows 2000. Older systems such
as Windows95 or Windows98 do not
support this feature and should be
upgraded.




For more detailed information on
keeping your system updated, Figure 8: Setting automatic updates for WindowsXP.
please check out Microsoft’s website
at:
http://www.microsoft.com/athome/security/update/bulletins/automaticupdates.mspx




Page 10 of 21                                             http://www.secureparents.com
SecureParents™                          Ten Steps to Securing Your Family’s Computers

Microsoft Specific Step 8: Anti-Virus
The bad guys are constantly developing new programs to take over your computer
(called malware). If the bad guys can install these malicious programs on your computer
(or get you to install it for them), they gain total control of your computer and everything
you do on it. For example they can capture your keystrokes, launch new attacks from
your computer, send out spam, or set up fake websites on your system. Anti-virus is
one technology used to detect and disable such malware programs before they take
over your system. If you download a new program, e.g. a cool new screen saver, and
that program is infected with malware, the anti-virus program will detect and stop that
malicious program before it can fulfill its damaging purpose. The same is true if you try to
open an attachment, e.g. a Word document, that is infected with malware. There are
numerous anti-virus programs to choose from. We list four different options below.
However, be warned, anti-virus is becoming less effective nowadays at detecting
malware as the bad guys have been developing more advanced techniques to bypass
anti-virus. While anti-virus is an important tool in your arsenal, it alone will not stop all the
attacks coming your way. It is only one of the many layers in your defense system.

        Symantec:       http://www.symantec.com/home_homeoffice/index.jsp
        MacAfee:        http://us.mcafee.com/root/package.asp?pkgid=276
        F-Secure:       http://www.f-secure.com/home_user/antivirus.html
        Kaspersky:      http://www.kaspersky.com/kav6




Page 11 of 21                                                   http://www.secureparents.com
SecureParents™                         Ten Steps to Securing Your Family’s Computers

Microsoft Specific Step 9: Firewalls
Bad guys can break into your system by simply connecting to it over the Internet. Your
computer has different programs and services that are that connecting with the Internet
using ports. Ports are like doors and windows in a house, they are means for other
computers to get to your computer and interact with it. In almost all cases, there is no
need for any computer to initiate or connect to your home computer – you should be
initiating all connections. So how should you protect yourself if the bad guys do attempt
to connect to your system over the
Internet? That is what a firewall is for.

 A firewall acts like a virtual
policeman,        stopping      anyone
attempting to initiate a connection or
communication with your computer.
With newer versions of Microsoft
(starting with XP Server Pack 2) the
firewall is enabled by default. In most
cases the firewall that comes with
your computer is good enough. If you
want, you can purchase 3rd party
firewalls that have more advanced
capabilities, such as inspecting and
blocking both inbound and outbound
connection. To access and enable
the firewall that comes with your
computer, or to ensure that yours is
running, open the Windows Firewall
icon from the Control Panel. See
Figure 9 for an example of how to
ensure your firewall is turned on.

Notice      that  the    “Don’t  allow
exceptions” option is selected as well. Figure 9: Interface to turn on your computer firewall.
Unless you have a specific reason to
allow connections to your computer,
we highly recommend you enable this
also. You can learn more about your
firewall from Microsoft at:
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx




Page 12 of 21                                                  http://www.secureparents.com
SecureParents™                        Ten Steps to Securing Your Family’s Computers

Microsoft Specific Step 10: Use an Alternate Browser
Unless you are using Windows Vista, you may want to use a web browser different from
Internet Explorer. Internet Explorer is the world's most popular browser, with a 78%
market share (as of April 2007, according to Marketshare[1]). This means that if the bad
guys want to make money, their number one target will be Internet Explorer. Therefore,
using a different type of browser, one that uses a different type of engine, can help
protect your systems. If nothing else, you become potentially less attractive as a target.
Also, some security professionals have raised the concern that because Internet
Explorer is so tightly integrated with the operating system, it exposes your computer to
even greater risk. Options for other browsers include Firefox and Opera. We have had
luck with both, but tend to prefer Firefox because it seems to work well with most
websites and has extensive security options. In Figure 10 below we see an example of
Firefox. With the latest release of Windows (Vista), Internet Explorer has potentially
become a more secure option.

       Firefox:        http://www.mozilla.com/en-US/firefox/
       Opera:          http://www.opera.com




    Figure 10: The Microsoft security website viewed with the Firefox Web Browser.




Page 13 of 21                                                 http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Steps 6-10
These steps are specific to the Mac OS X operating (the Figures are based on version
10.4.9). All of these steps work regardless if your Mac’s processor is PowerPC or Intel
based. You will notice that these steps are very similar to the ones we just covered for
Microsoft Windows operating system. The biggest differences are the lack of anti-virus
and the lack of need for alternative browsers. You do not need anti-virus for Mac OS X
simply because there is so little malware today targeting Mac OS X operating system.
This does not mean that Mac OS X is more secure, it just means that because Mac OS
X has so little market share, most criminals are simply not targeting this operating
system. In addition, the default browser Safari is a good option for Internet use. Once
again, its not because Safari is more secure than the other options, but simply because
so few people are using Safari that few, if any, criminals are targeting it. Unfortunately,
unlike the Microsoft Security website, Apple’s website has little useful information on
securing Mac OS X. If, after reading these steps, you would like to take additional, more
advanced measures to secure your system, we recommend the National Security
Agency’s security guide to Mac OS X which you can find at:
http://www.nsa.gov/snac/os/applemac/I731-006R-2007.pdf

For the following steps on Mac OS X you will need Administrative access to the
programs listed in System Preferences (see Figure 11 for example). This is where you
will access all the different options you need to secure your Mac computer.




        Figure 11: System Preferences for Mac OS X




Page 14 of 21                                               http://www.secureparents.com
SecureParents™                          Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Step 6: Multiple Accounts
For those of you who cannot afford or may not want two computers, do not despair!
Just as we can have trusted and untrusted computers, you can also use trusted and
untrusted user accounts. While not as effective as two separate computers, this can
help reduce risk. The idea is to establish multiple user accounts on the shared
computer. Different accounts are assigned different privileges, ranging from complete to
limited. At any given time, you want to use the account with least privileges that still
allows you to accomplish your tasks. Just as in Microsoft Windows XP, Mac OS X has
two different types of accounts, Administrator and Standard User. Administrator has the
authority for many functions, including installing programs, adding accounts, or making
system-wide changes. This is a very powerful role. The Standard User account has
limited capabilities, for example it cannot create new users or install new programs.

Create new accounts from the
Accounts icon in System
Preferences. We recommend
you create and use Standard
User accounts for your day-to-
day activities. This helps
mitigate risk because if your
system is compromised, the
severity of damage is often
related to the type of user being
attacked. If you are logged in
as a Standard User during an
attack, then the attacker will
have limited privileges as well
and the damage can potentially
be contained. However, if the
attack is ran while you are
logged in as an Administrator,
the outcome of the attack can Figure 12: Creating a new, Standard User that does not have
                                  privileged access. Be sure to click the key symbol to test the
be much more devastating.
                                     strength of the new account’s password.
Use the Administrator account only when you need special permissions. If you are
sharing a computer with your children, create a single account for the Administrator that
only you have access to. Make sure to safeguard Administrator's password. Create
separate Standard User accounts for everyone (including yourself) that you use for day-
to-day activities, such as browsing the Internet, email, or instant messaging. When your
children need to install new programs, you do it for them as Administrator. This method
has limitations. At times, you may be frustrated if you cannot run a simple program
unless you have Administrator access. However, this method whenever possible as it
adds an additional layer of security.

Note: Since Mac OS X is based on the Unix operating system it has another account
option known as root. This is a highly privileged account that is used only with command
line access. Use this account only if you have special administrative needs and you are
trained to use it. This is an extremely powerful account that if used incorrectly can cause
extensive damage.




Page 15 of 21                                                   http://www.secureparents.com
SecureParents™                         Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Step 7: System Updates
Keeping your system regularly updated (often called patching) is critical to risk
mitigation. The bad guys are constantly finding new vulnerabilities or weaknesses in the
programs you use. They do this by finding mistakes in how the software was designed
or developed, then exploiting those flaws. As the security team at Apple learns about
these issues, it develops patches to fix them, protecting your computer against these
threats (good analogy here is recalls for cars). Unlike Microsoft, Apple releases updates
randomly, mainly only when there is a need. Apple does this by storing the new patches
on their web server. Your computer then automatically goes to the website, checks to
see if it needs any new patches, and if so downloads and installs them. By installing
patches on your computers, and keeping them current you help eliminate the many ways
bad guys can break into
your computers.

You      can       configure
Software Updates from
the System Preferences
panel.    We recommend
you setup your home
system to automate the
patching process daily
(see Figure 13). If you
choose, you can run this
process manually, but
automation ensures that it
is done regularly.



                               Figure 13: Setting daily checks for automatic updates




Page 16 of 21                                                  http://www.secureparents.com
SecureParents™                        Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Step 8: Firewall
Bad guys can break into your system by simply connecting to it over the Internet. Your
computer has different programs and services that are that connecting with the Internet
using ports. Ports are like doors and windows in a house, they are means for other
computers to get to your computer and interact with it. In almost all cases, there is no
need for any computer to initiate or connect to your home computer – you should be
initiating all connections. So how should you protect yourself if the bad guys do attempt
to connect to your system over the Internet? That is what a firewall is for.

 A firewall acts like a virtual
policeman, he stops anyone
attempting    to     initiate   a
connection or communicate
with your computer. To access
and enable the firewall that
comes with your computer, use
the Sharing icon from the
System Preferences.           See
Figure 14 for an example of
how to ensure your firewall is
turned on.       Notice in this
example no services are
allowed inbound. If you click
“On” for any service it means
you are allowing it.

In addition, you want to go into
Advanced options and enable
all the features, see Figure 15.
These add additional layers of
security.                           Figure 14: Ensuring our firewall blocks all inbound
                                    connections to the system.




                                    Figure 15: Advanced settings for the Mac OS X firewall.




Page 17 of 21                                                 http://www.secureparents.com
SecureParents™                        Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Step 9: Security Options
Mac OS X has some additional security features you can enable from the Security panel
(see Figure 16 below). We recommend you enable most, if not all, of these. Below we
quickly explain what each one means to you.

FileVault: This option encrypts the entire home directory of the user. If your system is
compromised, this may protect your data from being accessed or stolen. This option is
especially important if you are using a laptop that you travel with. Beware though, if you
forget your password you will lose all of your data as its encrypted (this is why there is
the master password for File Vault which should be set only be the Administrator).

Screen Saver Password: This option requires the user password whenever you want
to wake up a computer or when its in screen saver mode. This protects your system
from other people who may have access to your computer.

Disable Automatic Login: This is
an important option to have
checked. If your system has only
one account, Mac OS X by default
will automatically login to that
account. By checking this block,
you are forcing Mac OS X to make
people authenticate before they
login, even if there is only one
account on the system.

Require Password for System
Preference: This forces people to
authenticate as an Administrator
before making any security system
changes. For example, in Figure
14 in the previous page, you see a
locked symbol in the lower left
hand corner.      That means for
someone to change that option
they have to have authenticate as Figure 16: Enabling additional security options through the
an Administrator. In Figure 16 on security panel. Note that in this example the encryption
                                    feature FileVault has not been enabled.
this page, that is not the case (or
the Authentication has already
happened so the options can be
changed).

Logout After XX Activity: Every user’s account will automatically log out after a certain
time set by you if they are not active. In the example above it is set to 60 minutes.

Use Secure Virtual Memory: If your computer runs out of memory, it may use your
hard drive as temporary (known as virtual) memory. If it does, selecting this option will
ensure that any virtual memory written to your hard drive is encrypted.




Page 18 of 21                                               http://www.secureparents.com
SecureParents™                       Ten Steps to Securing Your Family’s Computers

Mac OS X Specific Step 10: Managed Accounts
Earlier, in step 6, we covered the two different account types that Mac OS X has,
Administrator and Standard User. There is also a third type, called Managed User. This
is a Standard User but his/her activities are controlled by you, the Administrator. This is
option is primarily for parents to put parental controls on their kids' activities. These
parental controls, while relatively basic, not only help protect your children but also
protect the security of your computer from their activities. The primary options are listed
below. Keep in mind that Mac OS X can enforce policies only on these native
applications. If you or your children download a different browser (such as Firefox) or a
different instant messaging program (such as Skype), Mac OS X cannot secure that
application.

Mail: This will allow you to
control with whom your child
can exchange emails with, as
long as they use the default
Mail.app software.

Finder:         This    extremely
powerful option will allow you to
limit what applications, services,
or functionality your children
can access through the Finder
application. This option does
more to protect your computer
from your children then it does
protect your computer from the
bad guys. If you are tired of
constantly having to reset your
children’s dock station or
turning off random programs
they started, this is the option
for you. For example, you may Figure 17: Enabling parental controls for children’s accounts.
want to limit your children to be When enabling controls, the account is changed from a
able to start only the games that Standard User to a Managed User.
you allow, and no other
programs.

iChat: Here you can set the accounts of people your child can instant message with.
This will prevent them from exchanging messages with unknown individuals.

Safari: Allows you to explicitly identify the websites that your child can go to using the
Safari web browser that comes default with Mac OS X.




Page 19 of 21                                               http://www.secureparents.com
SecureParents™                      Ten Steps to Securing Your Family’s Computers

Common Mistakes
Below are some of the common mistakes we see people making trying to secure their
computers. These are steps you do not want to take:

   1. “I turn off our computer at night so no one can attack it.” Turning off your
      computer at night or when you are not using it has little security benefit. The bad
      guys are very aggressive, they are constantly attacking and probing computers
      around the world. Whether you are on-line for 10 minutes or all week, you will be
      exposed to the same risks.

   2. “Since I’m using DHCP (Dynamic Host Control Protocol), my IP address is
      constantly changing and the bad guys can’t find me.” The bad guys don’t
      care who you are or what your IP address is. They simple probe, scan and
      attack the entire Internet. Also, many attacks today are email based or when are
      launched you visit websites, so your IP address does not matter.

   3. “I’m just a simple home computer user, who would want to attack me?”
      Just about every cyber criminal in the world. The number of ways a criminal can
      make money by breaking into your computer alone is amazing. Multiply that by
      the millions of other home computers on the Internet today and you get the
      picture. For criminals, the greatest return on investment comes from going after
      millions of parents and home users just like yourself.

   4. “I trust the folks that run the computer at my local library or cyber café, so
      I’ll use the computers there.”       For confidential transactions, use only
      computers that you both control and trust. Yes, the people that manage the
      computers at your local library or cyber café are most likely hard-working,
      trustworthy people. But the problem is that you do not know who used the
      computer there before you. That person could have easily installed malicious
      software on the system, or could have just been a victim to a hack that infected
      the computer. Never use public resources for your confidential transactions.

Summary
Making you and your family secure is about reducing risk. These ten steps act as a
starting point to help protect your home computers against constantly adapting threats
on the Internet today. While we can never eliminate risk, we can reduce it to the point
where, just like driving, the Internet becomes an option we can choose.




Page 20 of 21                                             http://www.secureparents.com
SecureParents™                           Ten Steps to Securing Your Family’s Computers

Websites
In this paper we mentioned several websites to help protect your computers. Here you
can find them listed.

i-SAFE Video            http://ftc.isafe.org/imgs/phishing.swf
Browser Security        http://www.us-cert.gov/reading_room/securing_browser/
Scams / Scams           http://onguardonline.gov/spam.html
Password Checker        http://www.microsoft.com/protect/yourself/password/checker.mspx
Microsoft Security      http://www.microsoft.com/protect/default.mspx
Anti-Virus
        Symantec        http://www.symantec.com/home_homeoffice/index.jsp
        MacAfee         http://us.mcafee.com/root/package.asp?pkgid=276
        F-Secure        http://www.f-secure.com/home_user/antivirus.html
        Kaspersky       http://www.kaspersky.com/kav6
Browsers
        Firefox         http://www.mozilla.com/en-US/firefox/
        Opera           http://www.opera.com
Mac OS X Security       http://www.nsa.gov/snac/os/applemac/I731-006R-2007.pdf
ParentPapers            http://www.secureparents.com/papers.shtml


About Us
Concerned about protecting your online finances and your credit rating? Wondering who
is collecting information on your children? Confused on how to best secure your
computers at home? SecureParents is designed for you - the busy, working parent. It's
your one stop for all the steps you need to take to secure yourself and your family in
today's rapidly changing information age. The website is free, supported by and for
parents. If you have any comments or suggestions about this paper or our website, we
would love to hear from you! Please send all feedback to info@secureparents.com.

References
[1] http://marketshare.hitslink.com/report.aspx?qprid=0&qpmr=15&qpdt=1&qpct=3&qptimeframe=Y




Page 21 of 21                                                    http://www.secureparents.com

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:4
posted:9/29/2011
language:English
pages:21