Solutions and Suggestions for Information Security
We believe that data security, data privacy and information security require a combination of hardware, firmware, software and user involvement as well as certain security and privacy protocols and policies. Certain elements are beyond the control of the user, so we will only point them out here, but instead focus on tools and software choices a user can make, and then point users to more advanced policies and protocols he or she can use.
Hardware and Firmware (Device) Recommendations
At this point in time, we cannot make any recommendations as we are tracking some interesting developments that will certainly enhance processor and boot security, but those products have not hit the market yet. What we can say is that like with software, open-source hardware and processors based on open-source instruction sets offer insights and review possibilities into the processor itself. As a result, we are not making recommendations at this point in time which router, wireless access point, PC, laptop, desktop or tablet or phone is the most secure. We will come to that in due time.
What we can say and make recommendations about are how you can protect yourself and your network to the best of your abilities without making this a chore. You should use a firewall, and at this point in time, even the worst firewall inside a router or wireless access point is better than nothing.
If you have a network that involves more than three devices, please check if your wireless access point (or wireless router) supports filtering functions. If so, please enable them and learn what the rules mean. If your network is larger than that, we strongly suggest using a PC that is otherwise obsolete as a firewall. Most PCs came with two network interface cards, and if so, they can be used as a firewall. We suggest looking into pfSense or opnSense. Once they are set up, you can configure them to your needs. These firewalls not only filter traffic and protect your network, they can also be used as what is called a proxy, i.e. an interim storage device for downloads including operating system updates and help reduce your inbound and outbound traffic. Download and configuration help is available at SNORT for the Open Source Intrusion Prevention System (IPS) called SNORT and at SquidGuard for SquidGuard itself, which is a URL redirector used to use blocklists with the proxy software SQUID.
If you are a private user and you are in control of your devices, then we suggest you try out some open source tools. The reasons for this recommendation are manifold. First, open-source means that anyone interested can verify the code and make sure that no backdoors are included which would make it easy for an attacker to steal passwords and important credentials. Usually, open-source tools also do not contain “phone home” features that many commercial solutions use to ascertain usage and deployment statistics. We also suggest abstaining from using cloud-based tools as privacy cannot be guaranteed, and tool use is directly tied to Internet access. In times of Internet outages, there is also no access to cloud-based tools. On top of that, it is questionable if the link between you – the user – and the cloud service provider is encrypted, and of course, that means that a man-in-the-middle attack cannot be ruled out.
There is a good number of open source products available for laptop and desktop use, as alternatives to established products from commercial vendors.
- Ubuntu Linux is an easy-to-use, robust and well-supported Operating System. In many cases it can replace MS Windows without an impact on user-friendliness and ease of use. It is vastly more secure than any version of Windows.
- Firefox is a multi-platform browser that focuses on security and can compete with Edge, Chrome and Safari in all aspects. Its built-in password manager beats the competition. It supports a special mode for Facebook and an incognito mode in case a very high degree of anonymity is needed.
- Thunderbird is a multi-platform email client that in terms of security can compete with Outlook. While it lacks features compared to Outlook and is only a 32-bit application, it is capable of integrating PGP/GPG for advanced users for encryption based on PKI.
- LibreOffice is a multi-platform free replacement for MS Office with all of the features that an average user will need. It reads, stores and understands documents created in Word, but it is also capable of using standards-based formats, and it directly exports to PDF if the need arises. Because it is a multi-platform application, a heterogeneous work environment does not affect its use across platforms. In other words, if you use a Mac and a PC with Linux or Windows, the file formats and User Interfaces are all the same.
- VeraCrypt is a free open-source disk encryption software for Windows, Mac OSX and Linux. It is secure, multi-platform (i.e. you can exchange data across platforms), and it protects your data.
- GIMP is probably the most widely used image manipulation software. It is ahead of commercial offerings in security and features. It does not require a license, it runs locally on your computer, and it does not have to revert to the cloud for any computationally intensive tasks.
- Inkscape is a vector graphics editing program that can be used to create and edit any kind of vector-based images such as logos, icons, drawings that need scalability in size, and even technical drafts. It is not a CAD program, but it can be used to import and modify CAD drawings into documentation.
- Filezilla is open-source software to retrofit FTP to operating systems that do not natively support FTP. It supports FTP, SFTP and FTP over TLS.
User settings and policies in private environments
Many private users do not make use of user accounts on their computers and within their applications. That is the first thing that has to be addressed. If you have a computer, and all users use the same account, it is impossible to achieve any kind of security since all users have access to all accounts settings and contents. In fact, even user profiles for applications are going to be shared. In other words, set up accounts for all users of the computer, and make sure that no passwords across these accounts are shared. If possible, create only one admin account and use that only for administrative purposes, and for normal work, use your standard user account. Do not let users use the admin account, under any circumstance. Do not allow accounts to have any passwords (or a trivial one). If you know that you are not going to use the admin account often, write the account name and password down on paper, put it into an envelope, seal it and store that envelope in a secure location.
- Enable the use of user accounts on your computer.
- Assign a user account to each user.
- Assign one admin account to whoever administers the computer (ideally you…).
- For normal use, log in with your user account, not the admin account.
- If an application supports the use of user accounts, use them and log in each time.
- Encourage the use of strong passwords.
- Use an Operating-System wide password manager if needed.
- Browsers are the portal to the web, so at least use a secure browser and the browsers’ password manager for all websites that need a username/password combination.
- Do not share passwords or use the same password across sites.
- Choose your DNS provider and your search engine wisely. Your use of DNS and search will create a near 100% accurate profile of who you are.
- If you can, please use a firewall configured as described above.
- Ideally choose a firewall that uses SNORT and SQUIDGUARD and sign up to both databases’ update services.
- If that is not an option, at least use the filter settings in your wireless access point aka a wireless router.
- In either one of them, please configure DNS settings and filter rules wisely. In general, that means using a DNS provider that is NOT your ISP and NOT Google. Use openDNS as first and if you can’t avoid it, use Google as a second DNS resolver.
- Google provides excellent search results. Google also tracks your searches. If you want to avoid being profiled, use a metasearch engine such as DuckDuckGo (see below).
User settings and policies in corporate environments
If you are a corporate user, the IT admin likely has done everything we have pointed out above for you. You just need to follow the policies and guidelines as set forth by your IT admin. If you feel that your IT does not focus on IT security, send them the following list of backend applications that they might want to have a look at. With these applications, there is no performance trade-off versus commercial applications. However, most IT departments don’t particularly like it when users send them recommendations, so do this only if you feel that they trust your judgment.
We are aware of the fact that most website analytics is carried out using Google. That makes sense, and it puts your search results higher than if Google analytics is not used, but it also means that you accept that Google knows more about your web traffic than you do. If you want to avoid that, PIWIK is probably your only alternative.
We are working on a script that would allow any user to change the default search engine to a non-tracking metasearch engine, in this case, DuckDuckGo. Other projects are in the pipeline, so please keep following us, and if you have additional ideas, please let us know.