Introduction
This paper outlines the web security required for a brand new Windows PC for home use with Windows 10 operating system. The PC connects to the internet using existing internet connection. It will also detail the essential security software that is needed for the keeping the computer secure, the password policy for the home computer, the steps that one has to take to ensure that the online banking process is secure. It will also outline the guidelines that one has to discuss with a 13-year old son regarding operating a Facebook account.
Securing the home Windows PC
Home computing carries the risk of theft of personal, financial, and other sensitive information. It is very important to adopt defensive computing through multi-layered protection for one’s home computer.
Basic Settings
As soon as the brand new PC arrives, it has to be set up for first use.
Before the PC is set up, it should be ensured that the PC is physically secured. Otherwise, people can come and install Keyloggers or insert unapproved devices into the USB ports. It is recommended that a secure flash drive such as Lok-It is used, which will allow access only after a PIN is entered.
The next step is to set up users. An administrator account is automatically created by Windows 10 by default. When you attempt to an account, by default a standard user is created by default. A standard user has can be a local or Microsoft account and has restricted access to many functions. It is, however, good for everyday usage. This user will be able to access most apps and change system settings that do not affect other users. When required, a User Account Control (UAC) prompt is issued by the operating system and the user can enter the administrator credentials for approval. By logging in as a standard user, the risk of malware elevating its privileges to the administrator is minimized. Hence, it is recommended that a standard user account is created for everyday use and the administrator account be used only for performing activities that require elevated user access.
It is recommended that Windows Update is set to install updates automatically, which is the default, as this will ensure that patches and updates to the operating system and any Microsoft office products are automatically installed. Similarly, all software should be set to receive updates automatically so that the latest patches are automatically and the PC is free of any zero-day vulnerabilities.
It is recommended to set the UAC to the highest level, that is “Always Notify”.
If there is a CD/DVD/Blu-ray drive, it is recommended to turn off autoplay. Enabling autoplay can allow malware to automatically run and infect the PC.
It is recommended that the network type is set as public as it is the very strict and it will hide the computer from the network and disable file and print sharing thereby removing some avenues for malware infection.
It is recommended that remote assistance and remote desktop are disabled. This will ensure that other people cannot control the PC remotely.
It is recommended to make CTRL+ALT+DEL mandatory for login. This will ensure that fake login screens do not work.
The “Show hidden files, folder, drives” and “Show file extension” options should be enabled so that it will unmask any hidden files as well any executable files that try to masquerade as harmless picture files (Safegadget, How to: Windows internet security and Windows security made easy, 2016).
Password Policy
For a password, it is recommended that obvious base-words such as the birthdays, names of family members, and similar words that can be easily cracked, are not used. The longer the password, the more difficult it is to crack. Using nonsense words is a better strategy, but enough care should be taken that they are difficult for others to guess but easy for you to remember. Using mnemonics will help solve this problem. So, taking a memorable quote and picking the first letters from it to make a password would make it difficult for others to guess and easy for you to remember. Replacing some of those letters with digits, symbols or letters with different cases can make it very difficult for others to crack. A complex password will have to use characters from at least three of the four categories that are given below:
Lower case letters: a, b, c, .x, y, z
Uppercase letters: A, B, C, .X, Y, Z
Numbers: 0, 1, 2, , 8, 9
Special Characters: ~ ! @ # $ % ^ & * _ - + = ` | \ ( ) { } [ ] : ; " ' < > , . ? /
A password that could be derived from the phrase “I Like Terry Good Kind Novels Very Much” ILTGKNVM. It can be changed to I1tGKnvm@. This will be difficult for others to guess. It is also recommended that one has different sets of passwords. One is an easily remembered password that you use for logging on to the news, sports, or recipe sites. Losing these passwords is not very harmful. For social networking sites and other sites that have personally identifiable information, but are not of financial nature, a different set of passwords should be used that is of medium complexity. For banking and other financial sites, the most complex password should be used. If possible, using a password vault such as LastPass or Roboform can enable one to use complex and different passwords for each and every site as the need for remembering them is obviated. One just has to remember the password for the vault.
Essential Software for the PC
It is essential for a PC to have Antivirus software such as Symantec Norton Security, Bitdefender Internet Security 2015 or Kaspersky Total Security 2015, which are the top three antivirus software. An antivirus program detects and removes malicious programs such as viruses from one’s computer and prevents them from infecting one’s PC. The antivirus software updates itself automatically. While they check for known viruses based on the database of signatures that is updated regularly, they also check for unknown viruses heuristically. While viruses are one type of malware, there are other types of malware such as adware, spyware, worms, and Trojans. A malware removal tool ensures that adware and spyware are removed. An antimalware tool complements an antivirus tool. Malwarebytes and Spybot Search & Destroy are two antimalware software that is needed for the computer for protection. Any one of them or both of them can be installed. The free versions may not update themselves automatically so they have to be regularly updated to ensure that their database of malware signatures are current. Some of them provide real-time protection so that it will prevent malware from getting installed in the first place. Anti-exploit software such as Malwarebytes Anti-Exploit, Microsoft EMET (Exploitation Mitigation Software) can be installed. Backup software for regularly backing up either full disk (imaging) or incremental backups. It is also recommended that, if the wireless connection is used for internet connectivity, the default SSID for the wireless router be changed to something that does not identify that it is yours easily and also to use WPA2/AES encryption so that the traffic is safe.
Firewall settings
Most antivirus comes bundled with firewall software or the default windows firewall can be used instead. A firewall creates a barrier between the internet and the PC (Figure 1).
Figure 1: A firewall creates a barrier between the Internet and the PC
Source:
The default settings for Windows firewall are
The firewall is on for all network connections
The firewall is blocking all inbound connections except those that you specifically allow
The firewall is on for all network types (Private, Public or Domain).
It is recommended that the firewall is turned on and these default settings should be used. With this option, most applications are blocked from receiving inbound traffic. One can set up such that Windows notifies us about blocking traffic to a particular app so that, if needed, an exception can be added.
Recommended Browser settings
Internet Explorer 11 (IE11) and Edge browsers come bundled with Windows 10. Due to security issues, it is not recommended to use IE11. There are some usability issues with Edge as it does not support extensions. So, it is recommended that Chrome browser be downloaded and installed and made the default browser. Chrome has the following security related features: 1) Safe browsing, 2) Sandboxing, 3) Auto updates, 4) Built-in PDF viewer, and 5) Built-in Adobe flash – Kept up to date by Chrome.
It is recommended that the built-in PDF viewer is disabled
It is recommended that Java is removed as it is a huge target for malware. If there are applications that need java, then it cannot be removed so it should be disabled from chrome by going into Java Control Panel
Silverlight is disabled by default and it is recommended that it be completely removed.
It is recommended to prevent chrome from saving passwords
It is recommended to allow chrome to update itself.
It is recommended to heed chrome’s secure website warnings. Following are the warnings:
The site uses SSL, but Google Chrome has detected insecure content on the page. (One should be careful while entering information in the website)
The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate. (Sensitive information should not be entered into the website)
It is recommended to sandbox chrome’s plugins. This will run the chrome plugins in a sandbox so that only those files and folders that are marked as accessible for all, can be accessed by those plugins. This reduces the chance of a rogue plugin affecting the entire PC.
It is recommended to chrome be prevented from using the GPU (Graphical Processing Unit). There are various bugs related to using GPU. Allowing Chrome, the hardware level access may cause trouble.
It is recommended to enable server certificate revocation checking. Most browsers do not check for server certificate revocation. If this is not done, then servers possessing stolen certificates may appear to be fine.
It is recommended to check for compromised digital certificates.
Safety for Online Banking
The following should be kept in mind if one’s online banking transactions have to be safe. Web addresses that begin with https:// (Figure 2) show that the site uses encryption to transmit data to and from the website. So any cyber criminals trying to intercept the data will not be able to use it.
Figure 2: Https in the web address
Source:
The browser for a secure site will show a padlock symbol. This shows that the browser had verified the site for security.
Figure 3: Padlock symbol for website security
Source:
A Secure Sockets Layer (SSL) certificate ensures that the website is indeed what is claims to be and it enables encryption. If a website does not have an SSL certificate, the address starts with http://, if it has an SSL certificate, it starts with https://. To find the SSL certificate, the padlock symbol in the browser (Figure 3) should be double clicked. It will show the SSL certificate (Figure 4).
Figure 4: Wells Fargo SSL Certificate
Source: Wells Fargo website
Safety, Privacy, and Security for Son’s Facebook
There are a few security issues with children accessing Facebook. Facebook profiles should be secured with the proper privacy settings so that not everybody can see their profile. The profiles should not have their pictures of them in school uniform as that will let anybody viewing these photos know where they study and from that work out where they live in real life. The profiles should not have content or messages that are inappropriate. Even if the child’s profile does not contain these type of messages or content, some of his friends might have such content and can be seen by the child. Facebook uses age targeted advertising, which exposes the child to inappropriate images if they had stated their age incorrectly at the time of registering. Since anybody can lie about their age, children should be wary about whose friend requests they are accepting, otherwise, children may accept friend requests from people they do not know in real life, which could be dangerous. Content posted on Facebook is not moderated so children may be exposed to inappropriate content. Facebook can be exploited by bullies for cyberbullying, which is a leading cause for attempted and completed suicides.
As a parent, I would talk the child and explain about all the above issues to him. I will check to see that my kid’s profile is set to private and only his friends can see it. I will monitor my child’s Facebook use and ensure that he is not posting any inappropriate content or sharing any personal information. I will install child safety software such as Safetyweb or McGruff Software to monitor the child’s privacy and safety, which track all online activities of the child including both sides of an internet messenger chat. If suspicious behavior is found, it can be reported to National Centre for Missing and Exploited Children (NCMEC). I will set up my own profile and ask my son to friend me so that I will know what he is posting. It is important for the child to be aware of the following E-Safety rules. He should;
Always keep the profile as private as possible
If possible, not use the full name. Instead of John Doe, John D should be used
Never accept requests from people he does not know in real life
Never post anything that reveals his identity
Never post anything that he would not want his parents to know
Never agree to meet anybody who he has met only online without telling a trusted adult
Always tell someone if someone threatens or upsets him.
Conclusion
References
Abhishek, B. (2016, March 1). Best malware removal 2016. Retrieved from Techarena: http://techarena.org/best-malware-removal-2016
Anurag, S., Shalabh, A., Abir, G., & Asoke, N. (2015). Impacts of social networks: a comprehensive study on positive and negative effects on different age groups in a society. International Journal of Advance Research in Computer Science and Management Studies, 3(5), 177-190.
Brink. (2015, June 9). Account type - change in Windows 10. Retrieved from tenforums.com: http://www.tenforums.com/tutorials/6917-account-type-change-windows-10-a.html
CEOP. (2016, April 4). CEOP Command. Retrieved from CEOP.police.uk: http://www.ceop.police.uk/
Flavio, M. (2014, July 15). Creating strong password policy best practices. Retrieved from blog.digicert.com: https://blog.digicert.com/creating-password-policy-best-practices/
GCFLearnfree.org. (2016, April 4). Internet safety protecting your financial transactions. Retrieved from gcflearfree.org: http://www.gcflearnfree.org/internetsafety/6/print
Martin, B. (2015, July 26). Essential software for windows 10. Retrieved from ghacks.net: http://www.ghacks.net/2015/07/26/essential-software-for-windows-10/
Matt, E. (2016, January 19). 15 best antivirus & best free antivirus for PC and laptop UK. Retrieved from PC Advisor: http://www.pcadvisor.co.uk/test-centre/security/best-antivirus-for-pc-laptop-2016-uk-free-summary-3263332/
Microsoft. (2016, April 4). Windows Firewall from start to finish. Retrieved from windows.microsoft.com: http://windows.microsoft.com/en-IN/windows-8/windows-firewall-from-start-to-finish
Safegadget. (2016, March 10). How to: Windows internet security and Windows security made easy. Retrieved from safegadget.com: https://www.safegadget.com/16/how-to-internet-security-and-windows-security-made-easy/
Safegadget. (2016a, March 10). Secure Google Chrome browsing. Retrieved from safegadget.com: https://www.safegadget.com/45/secure-google-chrome-browsing/
