NIST released DRAFT guidance today on how to secure a Windows XP Home computer. The goal, it seems, is to help people properly protect themselves at home (and it specifically cites protecting federal employees). I'm excited to see guidance aimed at home users being released. You can review and download a copy of Special Publication 800-69 (DRAFT) here: http://csrc.nist.gov/itsec/guidance_WinXP_Home.html
The first thing I noticed when I opened this guide is that it is a "short" 169 pages. I'm not sure about you, but I don't know too many security professionals, let alone home users, who will take the time to read and digest that volume of detail.
But I don't consider that bad news! It means there is an opportunity for us to think and act differently, and to provide a real service to our colleagues: we can extract the key details and teach them the basics of how to protect themselves at home.
If you have worked with configuration/hardening guidance before, you already know that you cannot simply read a guide like this verbatim and blindly make the changes. Applying configuration guidance requires basic knowledge and some thought. The same rules apply here, but we *can* shorten the cycle and step our colleagues through it more easily.
And when you become their trusted guide for how to protect themselves at home, you'll find that protecting the information at work gets easier.
Here is how I will/would leverage this guidance:
1 – Download and review the guidance to see the general approach and determine how I would apply it to my own systems (if I used XP Home; I use XP Pro); get familiar with the document, what it recommends and, just as importantly, "why"
2 – Identify the areas that are tricky or need additional insight and explanation, then find the supporting guidance or make sure I can explain the concepts in a way that makes sense
3 – Once I understood the highlights and had some basic material, invite my colleagues to a "brown bag" (or even a catered lunch), hand out copies of the guidance and explain the key concepts
4 – Hand everyone a sheet outlining the 5 key actions they need to take, and spend some time explaining them. Actually, there is a good chance I would hand out only the key guidance and not the rest…
5 – Ask for questions and offer to provide some support
Looking for a place to start? I think the passage below is a perfect introduction and a fine lunch discussion.
Right in the introduction is the following passage:
The five most important protections that should be used for all Windows XP Home Edition computers connecting to the Internet are as follows:
- Applying updates to the operating system and major applications (e.g., e-mail clients, Web browsers) regularly, preferably through automated means that check for updates frequently
- Using a limited user account for typical daily use of the computer
- Running up-to-date antivirus software and antispyware software that is configured to monitor the computer and applications often used to spread malware (e.g., e-mail, Web) and to quarantine or delete any identified malware
- Using a personal firewall that is configured to restrict incoming network communications to only that which is required
- Performing regular backups so that data can be restored in case an adverse event occurs.
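Four of those five protections can be checked on the machine itself, which makes a nice hands-on piece for the lunch. The script below is an added example written for this post; it is not part of SP 800-69 and not the author's own tool. It assumes a Windows XP SP2 (or later) machine with Windows PowerShell installed, that Automatic Updates and Windows Firewall keep their settings in the registry locations XP SP2 introduced, that Security Center lists antivirus products under the `root\SecurityCenter` WMI namespace (XP/Vista) or `root\SecurityCenter2` (Windows 7 and later), and that it is run from the account the person actually uses day to day (otherwise the limited-user check tells you nothing). The function name `Test-HomePcBasics` is made up for the example.

```powershell
# Added example, not from NIST SP 800-69 or this post: self-check for the five protections.
# Assumptions: XP SP2+ registry paths for Automatic Updates and Windows Firewall; Security
# Center WMI namespace root\SecurityCenter (XP/Vista) or root\SecurityCenter2 (Win7+);
# run as the account used for daily work. Backups cannot be verified from the registry.
function Test-HomePcBasics {
    $report = @()

    # 1. Updates. AUOptions: 1 = disabled, 2 = notify only, 3 = download then notify,
    #    4 = download and install on a schedule. A Group Policy value, if present, wins.
    $auPaths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    $au = -1
    foreach ($path in $auPaths) {
        if (Test-Path $path) {
            $v = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).AUOptions
            if ($v -ne $null) { $au = [int]$v; break }
        }
    }
    $msg = 'Updates   FAIL : Automatic Updates never configured'
    switch ($au) {
        4 { $msg = 'Updates   OK   : download and install automatically' }
        3 { $msg = 'Updates   WARN : downloaded automatically, but installs wait for the user' }
        2 { $msg = 'Updates   WARN : notify only; nothing is downloaded' }
        1 { $msg = 'Updates   FAIL : Automatic Updates disabled' }
    }
    $report += $msg

    # 2. Limited user. Look for the well-known local Administrators SID (S-1-5-32-544) in
    #    the token's groups; this also catches a UAC-filtered admin on later Windows, which
    #    IsInRole() would miss when running unelevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }) -ne $null
    if ($isAdmin) {
        $report += "Account   FAIL : $($id.Name) is an administrator; use a limited account for daily work"
    } else {
        $report += "Account   OK   : $($id.Name) is a limited user"
    }

    # 3. Antivirus, as registered with Security Center.
    $av = @()
    foreach ($ns in @('root\SecurityCenter2', 'root\SecurityCenter')) {
        $av = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue)
        if ($av.Count -gt 0) { break }
    }
    if ($av.Count -eq 0) {
        $report += 'Antivirus FAIL : no antivirus product registered with Security Center'
    } else {
        foreach ($p in $av) {
            # XP's namespace exposes onAccessScanningEnabled / productUptoDate as booleans;
            # SecurityCenter2 folds them into a productState bitmask, so only the name is reported there.
            $state = 'INFO : registered; verify real-time scanning and signature age in the product'
            if ($p.PSObject.Properties['onAccessScanningEnabled'] -ne $null) {
                if ($p.onAccessScanningEnabled -and $p.productUptoDate) {
                    $state = 'OK   : real-time scanning on, signatures current'
                } else {
                    $state = 'FAIL : real-time scanning off or signatures stale'
                }
            }
            $report += "Antivirus $state ($($p.displayName))"
        }
    }

    # 4. Personal firewall, standard (non-domain) profile.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw = $null
    if (Test-Path $fwKey) { $fw = (Get-ItemProperty -Path $fwKey).EnableFirewall }
    if ($fw -eq 1) {
        $report += 'Firewall  OK   : Windows Firewall is on for the standard profile'
        # "Only what is required": each value under GloballyOpenPorts\List is named like
        # "139:TCP" with data "139:TCP:*:Enabled:<description>". Flag the enabled ones.
        $portsKey = Join-Path $fwKey 'GloballyOpenPorts\List'
        if (Test-Path $portsKey) {
            $open = (Get-ItemProperty -Path $portsKey).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match ':Enabled:' } |
                ForEach-Object { $_.Name }
            if ($open) {
                $report += 'Firewall  WARN : ports open to everyone: ' + [string]::Join(', ', [string[]]@($open))
            }
        }
    } elseif ($fw -eq 0) {
        $report += 'Firewall  FAIL : Windows Firewall is off (acceptable only if a third-party firewall is running)'
    } else {
        $report += 'Firewall  WARN : firewall setting not found; check Security Center'
    }

    # 5. Backups: the only real check is a restore, so just say so.
    $report += 'Backups   INFO : not machine-checkable; confirm a recent backup exists and that a file restores from it'

    return $report
}

Test-HomePcBasics
```

Run it unelevated from the everyday account and read the lines with OK/WARN/FAIL at the front; the antivirus line deliberately stops at "registered" on newer Windows rather than guessing at the `productState` bits, and a third-party firewall will show as a Windows Firewall FAIL, so treat that line as a prompt to look in Security Center, not a verdict.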
I'm in Phoenix this week (with a podcast almost ready to go), delivering a customized version of our newly launched Effective Assurance in IT Operations workshop/training course. I'm excited about this effort, since we're taking a completely new approach to thinking about security and assurance, designed to have a lasting impact. In this course we take the time to discuss issues like the ones in this post; in fact, we spent time this week discussing strategies for how we protect ourselves at home, and then how we can help our colleagues do the same!
Would it be valuable for your efforts if I used the Windows XP guidance (and the 5 recommended actions) to develop a podcast that could either guide your efforts or even be what you use during the lunch? If so, when I get back to the "studio" I'll work out the details and get something prepared to help you make a difference.
If you'd like me to take the time to podcast on this, or have ideas on how I can make this more effective in supporting your efforts, send me an email: se**************@gm***.com and let me know. And if you'd like to learn more about the success of "Effective Assurance", drop me a line and we can talk.