A home network usually refers to one
that is used to connect devices to the internet, usually within someone’s
residence. A home network is usually small and for the most part is made up of
a router, Wi-Fi, and in some cases a small switch. Many startup companies or
small businesses also have what would be considered a home network
architecture.
These networks are usually used to
connect all sorts of devices, primarily media consumption and smart things that
are designed to improve our quality of life. Unfortunately, this convenience
comes at the cost of security.
This should not be the case. After
all, we expect that the internet providers have our best interests in mind and
will do what is necessary to protect us from harm. Well, that is wishful
thinking. The reality is that, in the same way that when you buy an appliance or
computer from a store and need to replace it because it is faulty, the
store often points you to the manufacturer to deal with the return on your own,
internet providers can pretty much wash their hands if your home network
falls victim to a network attack.
On top of this, many home users
share two common misconceptions about the security of their networks:
- Their home network is too small to be noticed, and therefore at no great risk of a cyber attack.
- Their devices are already safe enough in their default configuration.
Both of these could not be further
from the truth. Today more and more attackers are employing automation tools to
scan the internet for vulnerable networks, and those tools do not discriminate
based on network size, complexity, or noise. As for the devices, well, most home
routers are shipped with a default IP address that is something like
192.168.1.1 or similar, and a combination of admin/password for the default
credentials.
You do not think so? Do a Google
search for the default username and password for Asus Router, or Netgear
Router, or Linksys Router. Yup, not very secure. In addition to this, they come
with easy Wi-Fi setup configurations that are pretty light on security to be
easy to use for everyone. Think of it like rushing out of the shower in the
morning, grabbing the keys, and running out the door. Oops, you forgot to put
on clothes.
The fact of the matter is that the
consumer is entirely responsible for the security of the network and all the
data traveling through it. This brings up another point…
Let us say that you are a small
business that offers guest Wi-Fi to your customers. That is a nice gesture,
correct? Well, no good deed goes unpunished. What happens when someone is
looking at child pornography using your guest Wi-Fi? Do you have sufficiently
sophisticated networking equipment to be able to receive alerts or even prevent
that from happening?
If not, then one day, out of the
blue, the FBI walks through the front door looking for the perpetrator. Now you have
to try to explain to them how that happened, in front of your customers.
If you are not concerned about the
current state of your network at home, or in your business, you are wrong and
the consequences will be bad. Sooner or later, the luck will run out. Network
security is a lot like insurance: no one likes to hear or talk about it very
much until they need it.
How can you improve the security of
your network at home or in your small business?
Update your software. Most successful attacks are either the result of a user
being duped into forfeiting legitimate credentials, or the result of a
vulnerability that was not patched and got exploited. The vulnerability can be
thought of as a proverbial backdoor. As a matter of fact, software backdoors,
which were very common at one point and are still used today by manufacturers of
technology, are right at the top of the list as far as exploitable vulnerabilities go.
Other vulnerabilities are the result of weak technology implementation, usually
in software. The developers took shortcuts in the development of an app or
service, which results in an attacker being able to bypass the security measures
in place.
Have you ever seen the movie
“Kingdom of Heaven”? Towards the end when the character played by Orlando Bloom
is trying to save the people in the city of Jerusalem, his strategy includes a
plan to make a last stand at a point in the fortress where he knows that the
construction is weak and eventually will succumb to the bombardment from the
attackers. This weakness in the fortress can be seen as a vulnerability. The
story goes that there used to be a door or gate there, but it was walled off
after some time because it was not feasible to protect the city with too many
entrances. The people in charge of building the wall over the entrance,
however, cut some corners to finish quickly. The result was a section of the
wall that was weaker than the rest. Sure enough, the attackers found it and
knocked it down. Most devices nowadays will look for updates to their software.
If prompted with the option to update the firmware, do not hesitate to do it.
Remove unnecessary or unused
software from your devices. Aside from
the obvious performance improvement to any system that comes from getting rid
of things that are not being used, you are also reducing the attack surface by
eliminating possible vulnerabilities in software that you are not even using.
Get rid of whatever you do not use; you will not miss it.
Always revise default configurations
on software and hardware. For
example, many routers by default allow their internet-facing interfaces to be
scannable. In other words, people looking for potential networks to attack will
come across yours in the same way that someone walking down the street will
come across a store with a well-lit sign out front. Most software being
shipped is geared towards ease of use; they want you to be able to get up and
running quickly so that you can consume the services you purchased. Thus, in the
default out-of-the-box configuration, security is usually poor.
Use unique and strong passwords. Making your passwords unique is just as important as
making them strong. One of the two things is just not enough anymore. If you have weak
passwords, they can be easily deciphered. If you have one password that you use
everywhere, it does not matter how strong it is when one of the cloud
subscriptions you are consuming services from gets hacked and millions of
username/password combinations are leaked to the internet. This presents
another problem, something I like to call the password dilemma.
If you have too many passwords, then
you cannot remember them. Because you cannot remember them, you start using a
password manager, which stores your credential combinations in the cloud so
you can have easier access to them. Many of these services have also been the
target of cybersecurity attacks. So now, instead of one password of yours
floating around the internet, there are a bunch.
There is a solution, or rather a
compromise, that as a user you can live with and feel a true sense of security.
As of today, multi-factor authentication (MFA) is still a very strong way to
enhance the security of authentication, and more and more services are enabling
the feature for their users. Some financial institutions are even making it
mandatory. The ideal setup would be to use a strong password with multi-factor
authentication for all the accounts that offer it. This password could be the
same since you are using MFA as the final piece of the authentication. It is
good practice to make this password strong and revisit it every so often. For
the services or subscriptions that do not offer MFA, make sure you are using
unique and strong passwords. If you have too many to remember, then use a
password manager; try to find one that does not store your credentials in the
cloud.
Use an antivirus with up-to-date
definitions. If you are going to install
antivirus on your machine, make sure that it is using the latest definitions.
Otherwise, there is no point in using it. Traditional antivirus software relies
on signatures to check for potentially harmful software. If your definitions
are not up to date, how is the antivirus going to learn about any new
potentially harmful software?
Stay away from Norton. After
Symantec’s acquisition by Broadcom, they are going to be making a ton of changes
internally. Best to stay away until that is fully settled.
Install a firewall, because not every device can have antivirus software. AV is a great solution to protect computers and most mobile devices, but what about smart devices where you do not have access to the operating system? You need to have some way to see what information is traveling around in your network. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. When properly configured, it can also serve as a barrier for internal threats, preventing unwanted or malicious software from reaching out to the internet. Most wireless routers come with a configurable, built-in network firewall that includes additional features, such as access controls and web filtering, that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network. This is why you need to make sure you check the default configuration on your network devices; really important features might be turned off. Firewalls are not cheap, but they have come down in price quite a bit. Besides, if we can pay almost a thousand bucks for a phone, a decent firewall is a lot less.
Back up your data regularly. If you have a lot of important information, make sure that
you are saving it somewhere other than your computer. You can purchase
an external hard drive that you can connect directly to your computer or your
home network. If you are choosing the network option, make sure that access to
it is limited and that it is separate from any guest Wi-Fi networks or IoT
networks. Those are areas of potential vulnerability, hence you want to make
sure they cannot reach your data repository. Alternatively, you can use a cloud
service like Google or Microsoft.
When considering in-house backup
options, whenever possible consider getting a backup solution with SSD drives.
Aside from the obvious advantages in size and speed over HDDs (SSDs are smaller,
you can basically carry a 1TB SSD in your pocket these days, and they write and
read data much faster than most traditional hard drives), solid-state drives
are more reliable because they have no moving parts, thus they are more likely
to survive rough treatment.
Some affordable SSD options:
- Samsung. This one you can carry around with you everywhere and plug in through USB.
- If you would like to have network-attached storage, then buy a diskless station, get a couple of internal SSDs and stick them inside. This solution offers the best flexibility, and the internal SSDs are a little cheaper than the external ones.
Increase your wireless security. Most users are connected to the internet using Wi-Fi, which
makes wireless networks a prime target for someone looking to steal data.
Here are some of the things you can
do to harden your wireless networks and reduce the attack surface:
- Use strong encryption on your Wi-Fi. This means no WEP; use at least WPA2 or higher.
- Change the router's admin credentials.
- Change your SSID.
- Disable WPS. WPS provides simplified mechanisms for a wireless device to join a Wi-Fi network without the need to enter the wireless network password. However, a design flaw in the WPS specification for PIN authentication significantly reduces the time required for a cyber attacker to break an entire PIN.
- Disable Universal Plug and Play (UPnP). This is yet another convenience feature commonly found in home network routers. It allows devices to discover and communicate with other devices in the network. The problem with this is that if a device gets infected, how hard would it be then for the infection to spread to other devices?
- Reduce wireless signal strength. Remember, the brighter the sign outside the store, the more passing customers it will attract. You want enough signal that you can connect inside your home without issue, but there is no reason for your Wi-Fi network to be visible to the neighbor living 2 houses down.
- Turn the network off during long periods of absence. This might be difficult if you have a certain degree of home automation, and you like to be able to see what is going on while you are away. Some homeowners even have home security systems that rely on an internet connection. In such cases, turn off as much as possible.
- Update the firmware; old firmware is likely vulnerable.
- Disable remote management. Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration. Usually, for these features to work you have to open communications over the internet, from the router to wherever you are trying to manage it from.
- Monitor connections to your network. Most routers allow you to see a list of devices connected to your network. On some of the devices recommended above you can even tag devices with custom names. Check periodically for devices you do not recognize.
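As an added illustration (not part of the original post), here is one way to automate the periodic check for unrecognized devices from a Linux machine inside the network. The inventory, the sample `ip neigh show` output and the function names are all constructed for this example.

```python
import re

# Constructed inventory (assumption): MAC address -> the name you gave the device.
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "living-room TV",
    "a4:83:e7:aa:bb:cc": "work laptop",
    "dc:a6:32:01:02:03": "router",
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.11 dev eth0 lladdr A4:83:E7:AA:BB:CC STALE
192.168.1.23 dev eth0 lladdr 7a:11:5e:9d:00:41 REACHABLE
192.168.1.42 dev eth0 lladdr 00:11:32:de:ad:01 DELAY
192.168.1.77 dev eth0  FAILED
fe80::1 dev eth0 lladdr dc:a6:32:01:02:03 router REACHABLE
"""

LINE_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")

def is_randomized(mac):
    """True if the locally administered bit is set, as in private/randomized Wi-Fi MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_neighbors(text):
    """Yield (ip, mac) for every entry that has a link-layer address."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # entries without lladdr (e.g. FAILED) are skipped
            yield m.group(1), m.group(2).lower()

def unknown_devices(text, known):
    """Return one record per MAC address that is not in the inventory."""
    known = {mac.lower() for mac in known}
    found = {}
    for ip, mac in parse_neighbors(text):
        if mac not in known:
            rec = found.setdefault(mac, {"mac": mac, "ips": [], "randomized": is_randomized(mac)})
            rec["ips"].append(ip)
    return sorted(found.values(), key=lambda rec: rec["mac"])

if __name__ == "__main__":
    for dev in unknown_devices(SAMPLE_NEIGH, KNOWN_DEVICES):
        kind = "randomized MAC" if dev["randomized"] else "fixed MAC"
        print(f"UNKNOWN {dev['mac']} at {', '.join(dev['ips'])} ({kind})")
```

On a real machine, feed it the output of `ip neigh show` instead of the sample. A MAC address can be changed by its owner, so treat the result as an inventory aid rather than proof of who is connected.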
Mitigate Email Threats. Phishing emails continue to be one of the most common
initial attack vectors employed for malware delivery and credential harvesting.
When the network defenses cannot be breached, attackers will try to
exploit the human element. Unfortunately, because of the amount of exposure
most of us have through our social media presence, it has become increasingly
easy to gather enough intel on a person to craft an email that seems
legitimate.
Be very careful. For example, if you
receive an email that seems to come from your financial institution, or your TV
provider, do not click on it. Instead, go to their website and if there is
something that needs your attention, it will likely be highlighted there. You
can also call them.
Please resist the urge to click on
the link with the kitties, or any other cute animals. Finally, all those emails
with sweepstakes, giveaways, random unclaimed fortunes, random customer service
requests, etc., are all fake.
J.