Personal Computing Device Recommendations

Personal computing devices include desktop computers, laptops, smartphones, and tablets. Because the bulk of your information is stored and accessed via these devices, you need to take special care in securing them.

  1. Migrate to a Modern Operating System and Hardware Platform
    The latest version of any operating system (OS) inevitably contains security features not found in previous versions. Many of these security features are enabled by default and help prevent common attack vectors. In addition, using a 64-bit OS on a 64-bit hardware platform substantially increases the effort for an adversary to obtain privileged access on your computer.
  2. Install A Comprehensive Security Suite
    Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. In addition, several security suites, such as those from McAfee®[1], Norton®[2], and Symantec®[3], provide access to a cloud-based reputation service for leveraging corporate malware knowledge and history. Be sure to enable the suite's automatic update service to keep signatures up to date.
  3. Limit Use of the Administrator Account
    In your operating system, the highly-privileged administrator (or root) account has the ability to access any information and change any configuration on your system. Therefore, web or email delivered malware can more effectively compromise your system if executed while you are logged on as an administrator. Create a nonprivileged "user" account for the bulk of your activities including web browsing, email access, and document creation/editing. Only use the privileged administrator account for system reconfigurations and software installations/updates.
  4. Use a Web Browser with Sandboxing Capabilities
    Visiting compromised or malicious web servers is a common attack vector. Consider using one of several currently available web browsers (e.g. ChromeTM[4], Safari®[5]) that provide a sandboxing capability. Sandboxing contains malware during execution, thereby insulating the underlying operating system from exploitation.
  5. Use a PDF Reader with Sandboxing Capabilities
    PDF documents are a popular mechanism for delivering malware. Use one of several commercial or open-source PDF readers (e.g. Adobe®[6], Foxit®[7]) that provide sandboxing capabilities and block execution of malicious embedded URLs (website links) within documents.
  6. Update Application Software
    Attackers often exploit vulnerabilities in unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that offer this option, and promptly install patches or a new version when pop-up notifications indicate an update is available. Since many applications do not have an automated update feature, use one of several third-party products, such as those from Secunia and eEye Digital Security®[8], which can quickly survey installed software and report which applications are end-of-life or need patches or updates.
  7. Implement Full Disk Encryption (FDE) on Laptops
    To prevent data disclosure in the event that a laptop is lost or stolen, implement FDE. Most modern operating systems offer a built-in FDE capability, for example, Microsoft's BitLocker®[9], Apple's Filevault®[10], or LUKS for Linux. If your OS does not offer FDE, use a third party product.
  8. Download Software Only from Trusted Sources
    To minimize the risk of inadvertently downloading malware, only download software and mobile device apps from reputable sources. On mobile devices, grant apps only those permissions necessary to function, and disable location services when not needed.
  9. Secure Mobile Devices
    Mobile devices such as laptops, smartphones, and tablets pose additional concerns due to their ease of use and portability. To protect against theft of the device and the information on the device, maintain physical control when possible, enable automatic screen locking after a period of inactivity, and use a hard-to-guess password or PIN. If a laptop must be left behind in a hotel room while traveling, power it down and use FDE as discussed above.