sourceninja
Diamond Member
- Mar 8, 2005
For my home a few layers of defense.
1) A DNS service that blocks known malware URLs (OpenDNS, Quad9, etc.)
2) Use a good adblock that supports malware lists
3) Use no-script tools for risky clicks (I whitelist scripts on websites I trust)
4) Privacy Badger
5) A Pi-Hole - adds even more control over malware blocking at the DNS level.
6) Use strong passwords (duh) and MFA everywhere. I use hardware keys everywhere possible. I even use MFA on home logins.
6a) Centralized account management. I used to use AD, currently using JumpCloud.
7) An anti-malware scanner to protect against known threats
8) Everything is kept up to date
9) An ephemeral virtual machine for super risky clicks
10) On Windows I prevent the running of applications in the user profile
10a) I also run as limited user with a separate admin account for installing software
10b) I've also enabled controlled folder access
10c) On Macs I also do not run as admin, nor do I run as a user with sudo access on my Linux systems. I will su to a user who has sudo privileges. (There are sourceninja users and sourceninja-a users; only the -a users can perform admin tasks.)
11) All logs are sent to a logging system that looks for interesting things and sends me alerts (on my servers anyways)
12) All systems have data backups and sanity checks for known malicious file extensions (quick detection of ransomware). Triggers are in place to remove that system's access to the network if those extensions are discovered, limiting exposure.
13) No inbound ports are open to my home network, UPnP is disabled. Router management is disabled from the WAN.
14) Change control management - all systems have their software inventoried on a regular basis, drift is detected and investigated
14a) In most cases, all system configuration is done with tools such as Ansible, and tests are run with Test Kitchen to ensure systems are standardized and compliant.
15) All critical data is kept in encrypted containers that are only mounted/accessed when required. This limits exposure.
16) A stateful firewall with IDS features at the head of the network (this is currently not in my setup because the UTM died, but I will have one again). I was using a Meraki firewall and later a pfSense w/ Snort.
16a) Limit origin outbound network traffic. I can send unsolicited traffic out port 80 and 443 from all workstations. Anything else requires a manual exception. The pi-hole also is allowed port 53.
17) Canary keys. I have many fake things hidden around the network. Fake AWS access keys, fake files on my computer, fake bitcoin wallets, etc. If any of those are touched, I get an alert.
I got a little off topic and I'm sure there are more things, but that's my basic list.
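An added illustration of items 12 and 17 above (example code written for this page, not the poster's own tooling): a sweep for files carrying ransomware-style extensions, a hash check on planted canary files, and a combined decision to pull the host off the network. The extension list, file names, threshold and directory layout are all constructed for the demo.

```python
"""Ransomware-extension sweep plus canary-file check (constructed example)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed watch list; a real deployment maintains its own from threat intel.
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_for_suspicious_extensions(root: Path) -> list[Path]:
    """Return every file under root whose suffix is on the watch list."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SUSPICIOUS_EXTS)


def check_canaries(baseline: dict[Path, str]) -> list[Path]:
    """Return canary files that were modified, deleted or renamed since baseline."""
    return sorted(p for p, digest in baseline.items()
                  if not p.exists() or sha256_file(p) != digest)


def should_isolate(root: Path, baseline: dict[Path, str],
                   threshold: int = 3) -> tuple[bool, dict]:
    """Decide whether to cut the host's network access (item 12's trigger)."""
    hits = scan_for_suspicious_extensions(root)
    touched = check_canaries(baseline)
    findings = {"suspicious_files": hits, "touched_canaries": touched}
    # Any canary change is decisive; renamed files need to cross a threshold
    # so one oddly named download does not knock a machine offline.
    return (len(hits) >= threshold or bool(touched)), findings


def demo() -> tuple[bool, dict]:
    """Constructed scenario: an encryption pass renamed files and rewrote a decoy."""
    root = Path(tempfile.mkdtemp(prefix="homelab-"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx").write_bytes(b"clean")
    canary = root / "docs" / "passwords-backup.txt"  # decoy, never legitimately opened
    canary.write_bytes(b"decoy contents")
    baseline = {canary: sha256_file(canary)}  # recorded when the canary is planted
    for name in ("photo1.jpg.locked", "photo2.jpg.locked", "thesis.docx.encrypted"):
        (root / "docs" / name).write_bytes(b"\x00" * 16)
    canary.write_bytes(b"\x00" * 16)
    return should_isolate(root, baseline)
```

Running `demo()` returns `(True, findings)` with three suspicious files and one touched canary; the same checks scheduled against real paths would feed the alerting and network-cutoff triggers described in the list.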