How to Stop ISPs From Selling Your Browsing Habits

Laws are beginning to change around what Internet Service Providers can do with the data they collect on the browsing habits of their customers. This has raised concerns with some customers regarding their privacy. People are now looking for ways to keep their browsing habits private and away from their Internet Service Providers. While there is a lot of information on the Internet already on exactly how to achieve the results desired, not all of it is equal. We would like to take the time to clear things up and raise awareness for what is now becoming a concern for many.

Disclaimer: There is no such thing as “perfect security.” None of these methods provide a perfect way by which to protect your browsing habits from being seen by everyone. The main purpose of the article is merely to make it harder for your Internet Service Provider to track your browsing habits, so they cannot use them for monetary gain.

Secure Sockets Layer (Native, Free)

Secure Sockets Layer, commonly referred to as “SSL,” is a method by which two computers can communicate with one another in a private, authenticated manner. Most people encounter SSL when they browse the web with their favorite web browser. It is the underlying technology that allows us to log in, bank, shop, and do so much more, all securely. It also does not allow for any eavesdropping of the communications between the two computers involved. At this point in time, this means even your own Internet Service Provider (or anyone else in-between) cannot peer into the information that is being sent back and forth, because it is encrypted.

Even though this is a great solution that works natively and automatically, it does not stop some browsing data from “leaking.” The leaked data to which we refer is the initial request for the website. An Internet Service Provider and everyone else can see this initial request for the website. After the initial request is sent, all other browsing data transferred is protected once the SSL connection is established. An SSL connection can also be verified in most browsers by looking at or near the address bar and finding a padlock symbol or the word “Secure,” in the case of Google Chrome, at the time of this writing. One may also look for the term “https” in the URL of a webpage.

Since SSL also provides authentication, many websites are moving in that direction already, so it is a very seamless process for those browsing. There are also popular browser plugins like “HTTPS Everywhere” that attempt to always establish an SSL connection to a website when possible.

Virtual Private Networks (Paid)

One way to combat the initial data leak issue of SSL is to attempt to anonymize browsing habits. A good way to do so is to use a Virtual Private Network, or VPN. There are many different uses for VPNs, but for the purpose of anonymizing browsing habits we will involve a VPN provider. There are many reputable VPN providers, so our intention is not to provide a list. Instead, feel free to contact us if you have concerns about reputable VPN providers.

This technology allows a subscriber to form a secure, virtual private tunnel to the servers of a VPN provider in order to encapsulate all of the data being sent between the subscriber and the VPN provider. This includes the initial request for a webpage that using SSL alone does not protect.

The anonymization of the data comes from how browsing data goes out onto the Internet after it reaches the VPN provider. It goes out along with the data of everyone else, from the same point of origin. Finding the browsing data of one specific person once it emerges onto the Internet from a VPN provider has been likened to trying to find one specific snowflake during a blizzard in the middle of winter. While it is not impossible, it is highly improbable.

Tor Onion Network (Free)

A free alternative to using a paid VPN provider is to utilize the Tor Network. We understand there are a lot of negative connotations associated with the Tor Network and a lot of people avoid it for this reason, but it has legitimate uses. The Tor Network allows one to anonymize their browsing habits in much the same way as a VPN provider does. The way it differs is that it encapsulates all of the transmitted data in the same way Russian nesting dolls encapsulate smaller dolls within ever larger ones. In this analogy the browsing data is the innermost doll, and as the data is passed along the network each “node” removes one encapsulating doll until the browsing data emerges at the end of its path, at the “exit node,” and is sent to the intended website.

Much like the VPN provider, an “exit node” in the Tor Network does have access to all of the browsing data in an unencrypted form as it exits the Tor Network and emerges onto the Internet, but the best way to deal with this is to also use SSL.
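The nesting-doll layering and the exit-node exposure described above, as an added example that is not part of the original post. It uses a toy XOR keystream cipher built from SHAKE-256 as a stand-in for Tor's actual cryptography, and the relay names, keys, destination and request are constructed for illustration.

```python
import hashlib, json, os

def _keystream_xor(key, nonce, data):
    # Toy cipher: XOR with a SHAKE-256 keystream. Stand-in only, not Tor's cryptography.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, layer):
    """Encrypt one layer (a dict) under one relay's key; returns hex text."""
    nonce = os.urandom(16)
    return (nonce + _keystream_xor(key, nonce, json.dumps(layer).encode())).hex()

def peel(key, blob_hex):
    """Remove one layer with that relay's key."""
    blob = bytes.fromhex(blob_hex)
    return json.loads(_keystream_xor(key, blob[:16], blob[16:]))

def build_onion(path, keys, destination, request):
    """Wrap the request once per relay; the innermost layer is for the exit node."""
    next_hop, data = destination, request
    for relay in reversed(path):
        data = seal(keys[relay], {"next": next_hop, "data": data})
        next_hop = relay
    return data

def route(path, keys, onion):
    """Each relay removes one layer; record the only hop that relay learns."""
    learned, data = [], onion
    for relay in path:
        layer = peel(keys[relay], data)
        learned.append((relay, layer["next"]))
        data = layer["data"]
    return learned, data

# Constructed sample circuit, keys and request.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}
REQUEST = "GET /article HTTP/1.1 Host: news.example"

if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "news.example", REQUEST)
    learned, delivered = route(PATH, KEYS, onion)
    for relay, nxt in learned:
        print(f"{relay:6} forwards to {nxt}")
    print("exit node reads:", delivered)
```

Only the exit relay recovers the destination and the request, and it reads that request in full because the sample is plain HTTP; with SSL in use the exit relay would forward an encrypted stream instead.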

Security in Layers

The best solution at the time of this writing is to use a combination of SSL and either a VPN provider or the Tor Network. In this way, the initial request for a website is anonymized and all of the data transmitted between the website and the computer used for browsing is encrypted and authenticated, end-to-end. While this is not a perfect solution, it does serve its ultimate purpose of stopping Internet Service Providers from seeing what requests and data are being transferred across their network, when privacy is the main concern.

This blog post also appeared on the InfoTECH Solutions’ Blog.

10 Steps to Securing The Endpoint

 

Endpoint security is often not given a lot of thought or planning within an organization, but it can be incredibly important. For most security-minded people, endpoint security is usually associated with technical controls. These controls are often not perfect, but are a good first line of defense to help build a more secure network. If you, as a Network or Systems Administrator, can put these controls in place, it will make your life much easier over time, because a lot of breaches begin with downloaded malware that is installed by the end user, with or without their consent. Here are 10 technical controls you can implement on your network to help mitigate that risk.


Standard User Account

This control can be implemented in almost every operating system or light-weight directory environment. It returns results immediately, as well. The vast majority of malware requires administrative rights to install, even those that do not require user consent. By using a standard account on all endpoints, as an administrator, you greatly limit the attack surface that account would have otherwise provided running with administrative rights.

Account Auto-Lock Policy

It is pretty common for users not to lock their workstation or laptop when they walk away. But, by having a policy of locking endpoints when they are not in use, you increase user authenticity and bolster physical security. In a Microsoft Windows environment or network, this policy can be easily enforced through Group Policies to all machines on a domain. In a Macintosh environment and network this can also be achieved with Profile Manager and a Macintosh Server. (Microsoft’s System Center Configuration Manager 2012 R2 can also manage Apple Macintosh systems, as well as Microsoft Windows systems.)

Operating System Updates

Operating system updates should be top priority in any environment. Almost every major operating system, as of this writing, has a method for automating updates for at least critical, important, and recommended updates (naming scheme is often platform dependent). These updates can also be automated with different centralized management platforms, paid and free. Usually, the easiest way to centrally manage updates across a network is to use the vendor’s configuration utility (mentioned under ‘Account Auto-Lock Policy’). A popular, free solution is Windows Server Update Services (WSUS) by Microsoft. Apple’s Mac OS X Server can also act as an update proxy server.

Third-Party Software Updates

Patching third-party software is usually a little harder to automate, but is just as important as operating system updates. Third-party patching can be harder to perform due to different patching schedules, multiple vendors, and support, or the lack thereof, in patching clients. One of the author’s favorites at the time of this writing is Ninite. Ninite Pro can even be implemented across multiple domain-joined machines in an Active Directory environment. But, there are many other options like Shavlik and GFI’s LanGuard.

Host-Based Anti-Malware

Anti-malware software has gotten a bad rap over the last few years, because most users consider it inadequate. Truthfully, it is by itself; that is why it is only 1/10th of all of the controls in this recommendation list. Anti-malware software should be used on an endpoint as the first line of security, and considering it comes with most major operating systems, it should be enabled no questions asked. It should act as the watchdog on the system, and any alert that it finds should cause an escalation of the affected system for further analysis. The author recommends Cylance, at the time of this writing, for Windows environments.

Host-Based Firewall

Once again, at the time of this writing, almost every operating system comes with a built-in firewall, much like automatic updates and anti-malware software. It should just be enabled. Again, it can be centrally managed in most environments and third-party vendors have offerings that can be centrally managed, as well. Use it. It is better than nothing.

Install Secure Browser

This should be everyone’s favorite topic, because of all the great, free choices. Personally, the author recommends Google’s Chrome browser at the time of this writing. Google Chrome uses pinned certificates (to combat inauthentic certificates), each tab is a separate process, there is great extension support, and the built-in synchronization settings make everyday tasks almost operating system-agnostic. Mozilla’s Firefox is another great choice, but is relatively less secure by most counts. Internet Explorer honestly should not even be a choice in 2016. Microsoft’s Edge browser is still a little too new and has no extension support. Apple’s Safari is adequate, fairly secure, but lacks the speed and extension support of Chrome.

Full Hard Drive Encryption

Hard drive encryption is available on most operating systems, if the correct edition is used. Microsoft offers BitLocker and Apple offers FileVault. A good third-party, open-source alternative with Trust-No-One (TNO) security is VeraCrypt. It is best used in situations where physical theft is a risk in the organization. It is highly recommended for portable computers such as tablets and laptops, but it can also prove useful for workstations. Encrypting external hard drives and thumb drives is also highly recommended.

Remote Logging

After any breach or security event, logs are always one of the first ways to track down exactly what happened. The only issue is, if logs are located on the same system that was compromised, the logs can no longer be trusted. The best option is to move the logs, or copy them, to a remote system. Usually, there will be a server (preferably two) that collects the logs from all of the other systems on the network and stores them securely. Loggly has an open-source solution, for those looking to get started.

External Backups

Having a good backup should be an integral part of every network. All endpoint data should be located centrally and then protected by a standalone backup appliance. If endpoint user data must be decentralized, even a Windows Backup on an external drive is better than nothing. Getting those backups to an off-site location should also be a top priority. If endpoints are joined to a domain and important files are replicated to a file server, then Datto makes a good selection of standalone backup appliances that replicate data to highly-secure, off-site redundant bi-coastal datacenters.


As an administrator of any type, if you can implement half of these recommendations, you will be doing better than most. But, even if you implement all 10 steps, this is by no means a guarantee that nothing bad will happen. These are 10 strong recommendations to help mitigate risk. If you put these controls in place it will make your life much easier and your network much safer.