Author Topic: Security Best Practices at Home  (Read 7173 times)
T_Bone
« on: November 01, 2010, 01:50:48 PM »

Hi Guys

I was reading an article by Keatron Evans called "Information security at home" (http://resources.infosecinstitute.com/information-security-at-home/) and decided to create my own list by adding a few more pointers and wanted to know what suggestions you guys may have in expanding it further?

Standard Best Practices

1. If wireless is in use, ensure WPA or WPA2 with AES encryption with a passphrase of more than 20 characters in length
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors
5. Keep up to date with latest security patches (OS and all other applications running)
6. Ensure Anti-virus software and Anti-malware software is installed and up to date
7. If possible browse directly to websites that you wish to shop or logon to by entering the URI into the address bar.  Do not click on links sent via email or from within forums etc but if you have to, verify the links!
8. Don’t use REAL credit cards, and certainly not your bank card to shop online. Use a prepaid Visa/Mastercard/American Express to do all your online shopping
9. When using Myspace, Twitter, Facebook. Don’t accept friends you don’t know. Don’t EVER click on links that people post in their status updates. These could easily be links to malicious sites or data.
10. Use an account with the least amount of privileges required.  There is no need to browse the internet using an account with Admin rights!
11. Ensure that websites which use a secure communications channel (HTTPS) have a valid certificate.  If the browser complains that the certificate is untrusted, DO NOT ignore it and go ahead, verify the certificate.
12. Ensure Firewall on Router and PCs are switched on
13. Keep Router Firmware up to date

Advanced Best Practices

For those that are more paranoid or want to be even more secure:

1. Use a browser that supports the "No-Script" add-on. Being honest it can be a bit of a pain to configure correctly but if you choose to use it do not browse the internet and "trust everything"
2. Use 2 separate Virtual Machines.  Ensure all the above steps on each VM machine where applicable and use one strictly for sensitive applications such as banking etc and the other for general browsing of the internet.

Security Away from Home

Ok, strictly speaking this may not come under home security but just had to mention the following:

1.  DO NOT browse to any websites that require a logon to access sensitive information whilst connected to any public networks (in coffee shops, trains, internet cafes etc) whether the connection is wireless or not unless connected to a corporate network via a VPN.
2. Bear in mind that a lot of websites will often encrypt the login functionality, but once logged into the website will not use a secure cookie. Therefore the user's cookie and session can be sniffed as it will all be in the clear.

Please feel free to add :)
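
The secure-cookie point in the post above can be checked from a site's response headers. The following is an added example, not part of the original post: it parses `Set-Cookie` lines and lists the cookies a browser would also attach to plain-HTTP requests. The header lines and cookie names are constructed sample data.

```python
# Constructed response headers for illustration; not captured from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=constructed-a1b2; Path=/; HttpOnly",
    "Set-Cookie: auth=constructed-c3d4; Path=/secure; Domain=shop.example",
    "Set-Cookie: prefs=lang-en; Path=/; SECURE; SameSite=Lax",
    "Content-Type: text/html",
]


def parse_set_cookie(line):
    """Return (name, attrs) for a Set-Cookie header line, else None."""
    field, _, value = line.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        # Attribute names are case-insensitive; flags such as Secure have no value.
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_sent_in_clear(header_lines):
    """Names of cookies that lack the Secure attribute."""
    exposed = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        # Test the attribute name, not a substring: "Path=/secure" is not the flag.
        if "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in cookies_sent_in_clear(SAMPLE_HEADERS):
        print(f"{name}: no Secure attribute, sent in the clear over HTTP")
```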
chrisj
« Reply #1 on: November 01, 2010, 02:16:48 PM »

Quote
1.  DO NOT browse to any websites that require a logon to access sensitive information whilst connected to any public networks (in coffee shops, trains, internet cafe's etc) whether the connection is wireless or not unless connected to a corporate network via a VPN.

Depends on how that VPN is set up. My corporate network uses split tunneling. Anything for our network goes over VPN; everything else goes over your regular internet connection.

Personally I push everything over my ssh connection to a server at home, and then do it all from there. VNC over SSH isn't hard. It's not perfect either. But for the few things it's not good enough for, I use the ssh connection as a proxy (for Youtube and the like).

OSWP, Sec+
H1t M0nk3y
« Reply #2 on: November 02, 2010, 07:38:43 AM »

Quote
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors

These three points cannot even stop script kiddies!!!

They could give a false sense of security...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
dante
« Reply #3 on: November 02, 2010, 09:10:39 AM »

Quote
2. Turn off DHCP and statically assign an address to each machine
3. Enable MAC Address Filtering on Router/Access Point and only allow devices MAC Addresses
4. Keep Access Point away from Windows and Doors

These three points cannot even stop script kiddies!!!

They could give a false sense of security...

H1t M0nk3y is right. I assume turning off DHCP is to defend against ARP poisoning. Assigning static addresses to machines does not defend against ARP poisoning but static ARP tables do. Hope that was implied.
chrisj
« Reply #4 on: November 02, 2010, 09:23:53 AM »

Actually, I think that number 2 is meant so if the person connects to the network they won't get an address.

However, the same steps used to get past 3 can be used to get past 2.

* edited: self-edit to take out actual steps. (chrisj)

monitor network, get useful information, continue un-stopped.
« Last Edit: November 02, 2010, 09:25:24 AM by chrisj »

OSWP, Sec+
T_Bone
« Reply #5 on: November 02, 2010, 05:43:12 PM »

You guys are right, but the intent of the list is to help people minimise exposure.  Obviously using wireless in the first place increases the threat level dramatically but unless your home network is being directly targeted I would probably say with the number of "open" wireless networks out there happily issuing IPs via DHCP it may put off some script kiddies!
MindOverMatter
« Reply #6 on: November 02, 2010, 06:12:59 PM »

I guess it is a "best practice", but we are covered by our CC companies and banks who can quickly investigate (not always) and reimburse us etc. I've personally never had a problem and shopped online for years and years.

Quote
8. Don’t use REAL credit cards, and certainly not your bank card to shop online. Use a prepaid Visa/Mastercard/American Express to do all your online shopping

A+, Network+, Security+, CIW Associate, CCNA, C|EH
eth3real
« Reply #7 on: December 22, 2010, 02:17:07 PM »

I used to have my wireless access point's SSID as Jess, my first name. I didn't really see it as a big deal since nobody knew who I was, it used WPA2 and did not broadcast the SSID (I know that people could still sniff out the SSID).

Well, one of my neighbors did eventually sniff out my SSID. Shortly after I got my CEH certification package and put the sticker on my window, my neighbor approached me and said "hey, you must be Jess. You have the only WiFi network I can't break into here!". He was using BackTrack 2 at the time. Of course I don't approve of breaking into people's WiFi networks, but I thought that was kind of amusing. I never used my name as my SSID again because of this, and I also took the sticker down.

On a side note, at one point I was leeching off of a neighbor's open WiFi, until I started scanning the network and found all kinds of personal info available as a shared drive from a Mac. When I found it, I quickly told him about it (it was easy to find out which apartment he lived in from the documents), and I think he just unplugged his router because I never saw it again.

WiFi, in my opinion, is one of the biggest flaws in home networking, unless you know how to do it right. A lot of people like to just use it the way it comes out of the box, there are probably a dozen 'linksys' or 'netgear' access points in my neighborhood.

As far as coffee shops WiFi, I think it's pretty safe, especially if the sites you go to have valid SSL certificates. If I do something involving sensitive personal information, I'll tunnel over SSH, and I feel extra safe with that. I'd honestly be more worried about someone shoulder surfing.

Put that in your pipe and grep it!
tturner
« Reply #8 on: December 22, 2010, 03:00:49 PM »

I just want to point out that cloaking your SSID may actually foster insecurity, or at the very least create privacy concerns.

What do I mean? Surely hiding the SSID is security by obscurity at the very least which is poor security alone but good to provide an additional layer nonetheless, right?

I understand the sentiment but disagree and here's why.

Reason 1 - Consider Karma, you know that fun tool that answers to wireless probe requests for network X and says "Oh! Oh! that's me! that's me! here I am, connect to me!" Congrats, you've just opened yourself to an AP impersonation attack.

Reason 2 - It doesn't actually provide any real security and creates complacence due to a false sense of security. Sure you've hidden it from random passersby and Netstumbler users but who are the real threats? If you are cloaking your SSID you are also probably using decent encryption and changed default passwords, and maybe even robust authentication depending on your geekitude. The threats that concern me are the skilled, dedicated attackers with a malicious objective, not the guy trying to leech free wifi. That skilled attacker is not going to stumble his way through my neighborhood, he's going to use Kismet or something similar and sniff the connection strings right out of the air and he's going to have my SSID either way.

Reason 3 - When you hard code the SSID in your config you are advertising your network SSID to anyone sniffing these connections as you walk the preferred network list probing for that hardcoded network. Ever hear of wigle.net? It's fun stuff. You can search for the GPS coordinates and mapping data for a given SSID or for networks within a certain geographical area.

For instance, I spend a lot of time in airports. Let's say I was to sniff the SSID of travelling public and find say "John Chapman's Network" I look it up on wigle.net and find out where John lives. He's not home. Sweet! Maybe I will look him up on Facebook and find out if he has a wife and kids or if there are details about travel plans or pictures of their big screen tv. Awesome! Let's drive to his house and rob him blind. Obviously I would never do that as I'm an ethical professional but you get the point. What if the SSID was for "Pornhouse Internet Cafe" or "Chicken ranch"? I'm sure the mythical private investigator following me on behalf of my wife would love to report those as well!

Cloaking is bad. Friends don't let friends cloak wireless.

Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, OPSE, CSWAE, CSTP, VCP

WIP: OSWP, GSSP-JAVA, GXPN

Udacity on hold, again. I suck.

http://sentinel24.com/blog  @tonylturner http://bsidesorlando.org
hell_razor
« Reply #9 on: December 22, 2010, 03:59:50 PM »

Since rainbow tables are generated with SSIDs, I would suggest using a randomly generated SSID of sufficient length (depends on wireless vendor) and then a strong passphrase (randomly generated as well perhaps).  I would expect that to be good enough for home networks.

A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
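
Why the SSID matters for precomputed tables, shown as an added example that is not part of the post above: WPA/WPA2-PSK derives its pairwise master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so a table built for one SSID does not apply to another. The helper names, default lengths and character sets are assumptions made for this illustration.

```python
import hashlib
import secrets
import string


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 with the SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def random_ssid(length: int = 16) -> str:
    """Random SSID (hypothetical helper); SSIDs are limited to 32 bytes."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(min(length, 32)))


def random_passphrase(length: int = 32) -> str:
    """Random passphrase (hypothetical helper) within the 8 to 63 character limit."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    return "".join(secrets.choice(alphabet) for _ in range(max(8, min(length, 63))))


def table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a key precomputed for ssid_a would also match ssid_b."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    ssid = random_ssid()
    # Same passphrase, different SSID: the derived keys differ.
    print("default SSID key:", wpa_pmk("password", "linksys").hex())
    print("random SSID key: ", wpa_pmk("password", ssid).hex())
    print("table reusable:  ", table_reusable("password", "linksys", ssid))
    print("suggested SSID:", ssid, "passphrase:", random_passphrase())
```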
eth3real
« Reply #10 on: December 22, 2010, 04:01:50 PM »


Quote
Reason 1 - Consider Karma, you know that fun tool that answers to wireless probe requests for network X and says "Oh! Oh! that's me! that's me! here I am, connect to me!" Congrats, you've just opened yourself to an AP impersonation attack.

Isn't everyone with a preshared key vulnerable to that, anyway, if there are clients probing to connect to saved networks?

Quote
Reason 2 - It doesn't actually provide any real security and creates complacence due to a false sense of security. Sure you've hidden it from random passersby and Netstumbler users but who are the real threats? If you are cloaking your SSID you are also probably using decent encryption and changed default passwords, and maybe even robust authentication depending on your geekitude. The threats that concern me are the skilled, dedicated attackers with a malicious objective, not the guy trying to leech free wifi. That skilled attacker is not going to stumble his way through my neighborhood, he's going to use Kismet or something similar and sniff the connection strings right out of the air and he's going to have my SSID either way.

If an advanced user can get your SSID either way, then you are only protecting yourself from basic users, but not making yourself more susceptible to advanced attackers.

Quote
Reason 3 - When you hard code the SSID in your config you are advertising your network SSID to anyone sniffing these connections as you walk the preferred network list probing for that hardcoded network. Ever hear of wigle.net? It's fun stuff. You can search for the GPS coordinates and mapping data for a given SSID or for networks within a certain geographical area.

For instance, I spend a lot of time in airports. Let's say I was to sniff the SSID of travelling public and find say "John Chapman's Network" I look it up on wigle.net and find out where John lives. He's not home. Sweet! Maybe I will look him up on Facebook and find out if he has a wife and kids or if there are details about travel plans or pictures of their big screen tv. Awesome! Let's drive to his house and rob him blind. Obviously I would never do that as I'm an ethical professional but you get the point. What if the SSID was for "Pornhouse Internet Cafe" or "Chicken ranch"? I'm sure the mythical private investigator following me on behalf of my wife would love to report those as well!

If you don't put your name in your SSID, would that even be an issue? Again, that could happen even if you don't hide your SSID.

Don't get me wrong, I don't recommend hiding your SSID as a kind of defense against attackers, but does it really make you less secure than if it is broadcasting?

Put that in your pipe and grep it!