A home network usually refers to one that connects devices to the internet within someone’s residence. It is usually small and for the most part is made up of a router, Wi-Fi, and in some cases a small switch. Many startup companies or small businesses also have what would be considered a home network architecture.
These networks are usually used to connect all sorts of devices, primarily media consumption and smart things that are designed to improve our quality of life. Unfortunately, this convenience comes at the cost of security.
This should not be the case. After all, we expect that internet providers have our best interests in mind and will do what is necessary to protect us from harm. Well, that is wishful thinking. When you buy an appliance or computer from a store and need to replace it because it is faulty, the store often points you to the manufacturer to deal with the return on your own. In the same way, internet providers can pretty much wash their hands if your home network falls victim to a network attack.
On top of this, many home users share two common misconceptions about the security of their networks:
- Their home network is too small to be noticed, and therefore at no great risk of a cyber attack.
- Their devices are already safe enough in their default configuration.
Both of these could not be further from the truth. Today more and more attackers are employing automation tools to scan the internet for vulnerable networks, and those tools do not discriminate based on network size, complexity, or noise. As for the devices, well, most home routers ship with a default IP address like 192.168.1.1 or similar and a combination of admin/password for the default credentials.
You do not think so? Do a Google search for the default username and password for Asus Router, or Netgear Router, or Linksys Router. Yup, not very secure. In addition to this, they come with easy Wi-Fi setup configurations that are pretty light on security to be easy to use for everyone. Think of it like rushing out of the shower in the morning, grabbing the keys, and running out the door. Oops, you forgot to put on clothes.
The fact of the matter is that the consumer is entirely responsible for the security of the network and all the data traveling through it. This brings up another point…
Let us say that you are a small business that offers guest Wi-Fi to your customers. That is a nice gesture, correct? Well, no good deed goes unpunished. What happens when someone is looking at child pornography using your guest Wi-Fi? Do you have sufficiently sophisticated networking equipment to be able to receive alerts or even prevent that from happening?
If not, then one day, out of the blue, the FBI walks through the front door looking for the perpetrator. Now you have to try to explain to them how that happened, in front of your customers.
If you are not concerned about the current state of your network at home, or in your business, you are wrong and the consequences will be bad. Sooner or later, the luck will run out. Network security is a lot like insurance, no one likes to hear or talk about it very much until they need it.
How can you improve the security of your network at home or in your small business?
Update your software. Most successful attacks are either the result of a user being duped into forfeiting legitimate credentials, or the result of a vulnerability that was not patched and got exploited. A vulnerability can be thought of as a proverbial backdoor. As a matter of fact, software backdoors, which were very common at one point and are still used today by technology manufacturers, are right at the top of the list of exploitable vulnerabilities. Other vulnerabilities are the result of weak technology implementation, usually in software: the developers took shortcuts in the development of an app or service, which results in an attacker being able to bypass the security measures in place.
Have you ever seen the movie “Kingdom of Heaven”? Towards the end, when the character played by Orlando Bloom is trying to save the people in the city of Jerusalem, his strategy includes a plan to make a last stand at a point in the fortress where he knows that the construction is weak and will eventually succumb to the bombardment from the attackers. This weakness in the fortress can be seen as a vulnerability. The story goes that there used to be a door or gate there, but it was walled off after some time because it was not feasible to protect the city with too many entrances. The people in charge of building the wall over the entrance, however, cut some corners to finish quickly. The result was a section of the wall that was weaker than the rest. Sure enough, the attackers found it and knocked it down. Most devices nowadays will look for updates to their software. If prompted with the option to update the firmware, do not hesitate to do it.
Remove unnecessary or unused software from your devices. Aside from the obvious performance improvement to any system that comes from getting rid of things that are not being used, you are also reducing the attack surface by eliminating possible vulnerabilities in software that you are not even using. Get rid of whatever you do not use, you will not miss it.
Always revise default configurations on software and hardware. For example, many routers by default allow their internet-facing interfaces to be scannable. In other words, people looking for potential networks to attack will come across yours in the same way that someone walking down the street will come across a store with a well-lit sign out front. Most software being shipped is geared towards ease of use: vendors want you to be able to get up and running quickly so that you can consume the services you purchased. Thus, in the default out-of-the-box configuration, security is usually poor.
Use unique and strong passwords. Making passwords unique is as important as making them strong; one of the two is just not enough anymore. If you have weak passwords, they can be easily deciphered. If you have one password that you use everywhere, it does not matter how strong it is when one of the cloud services you subscribe to gets hacked and millions of username/password combinations are leaked to the internet. This presents another problem, something I like to call the password dilemma.
If you have too many passwords, then you cannot remember them. Because you cannot remember them, you start using a password manager, which stores your credential combinations in the cloud so you can have easier access to them. Many of these services have also been the target of cybersecurity attacks. So now instead of one password of yours floating around the internet, there are a bunch.
There is a solution, or rather a compromise, that as a user you can live with and still feel a true sense of security. As of today, multi-factor authentication is still a very strong way to enhance the security of authentication, and more and more services are enabling the feature for their users. Some financial institutions are even making it mandatory. The ideal setup would be to use a strong password with multi-factor authentication for all the accounts that offer it. This password could be the same since you are using MFA as the final piece of the authentication. It is good practice to make this password strong and revisit it every so often. For the services or subscriptions that do not offer MFA, make sure you are using unique and strong passwords. If you have too many to remember, then use a password manager, and try to find one that does not store your credentials in the cloud.
Use an antivirus with up-to-date definitions. If you are going to install antivirus on your machine, make sure that it is using the latest definitions. Otherwise, there is no point in using it. Traditional antivirus software relies on signatures to check for potentially harmful software. If your definitions are not up to date, how is the antivirus going to learn about any new potentially harmful software?
Stay away from Norton, after Symantec’s acquisition by Broadcom they are going to be making a ton of changes internally. Best to stay away until that is fully settled.
Recommended AV software options:
Install a firewall, because not every device can have antivirus software. AV is a great solution to protect computers and most mobile devices, but what about smart devices where you do not have access to the operating system? You need to have some way to see what information is traveling around in your network. A firewall can block malicious traffic from entering your home network and alert you to potentially dangerous activity. When properly configured, it can also serve as a barrier for internal threats, preventing unwanted or malicious software from reaching out to the internet. Most wireless routers come with a configurable, built-in network firewall that includes additional features, such as access controls and web filtering, that you can tailor to fit your networking environment. Keep in mind that some firewall features, including the firewall itself, may be turned off by default. Ensuring that your firewall is on and all the settings are properly configured will strengthen the security of your network. This is why you need to make sure you check the default configuration on your network devices: really important features might be turned off. Firewalls are not cheap, but they have come down in price quite a bit. Besides, if we can pay almost a thousand bucks for a phone, a decent firewall is a lot less.
Recommended options for home network firewalls:
- Ubiquiti Unifi Security Gateway (USG)
- FortiGate 30e
- ZyXEL Next Generation VPN Firewall
Back up your data regularly. If you have a lot of important information, make sure that you are saving it somewhere other than your computer. You can purchase an external hard drive that connects directly to your computer or to your home network. If you are choosing the network option, make sure that access to it is limited and that it is separate from any guest Wi-Fi networks or IoT networks. Those are areas of potential vulnerability, hence you want to make sure they cannot reach your data repository. Alternatively, you can use a cloud service like Google or Microsoft.
When considering in-house backup options, whenever possible consider getting a backup solution with SSD drives. Aside from the obvious advantages in size and speed over HDD (SSD are smaller, basically you can carry a 1TB SSD in your pocket these days, they write and read data much faster than most traditional hard drives), Solid State Drives are more reliable because they have no moving parts, thus they are more likely to survive rough treatment.
Some affordable SSD options.
- Samsung. This one you can carry around with you everywhere and plug it in through USB
- If you would like to have a network-attached storage solution, then buy a diskless station, something like this, get a couple of internal SSD and stick them inside. This solution offers the best flexibility and the internal SSD are a little cheaper than the external ones.
Increase your wireless security. Most users are connected to the internet using Wi-Fi, which makes wireless networks a prime target for someone looking to steal data.
Here are some of the things you can do to harden your wireless networks and reduce the attack surface:
- Use strong encryption on your Wi-Fi: no WEP, at least WPA2 or higher.
- Change the router’s admin credentials.
- Change your SSID
- Disable WPS. WPS provides simplified mechanisms for a wireless device to join a Wi-Fi network without the need to enter the wireless network password. However, a design flaw in the WPS specification for PIN authentication significantly reduces the time required for a cyber attacker to break an entire PIN.
- Disable Universal Plug and Play (UPnP). This is yet another convenience feature commonly found in home network routers. It allows devices to discover and communicate with other devices in the network. The problem with this is that if a device gets infected, how hard would it be then for the infection to spread to other devices?
- Reduce wireless signal strength. Remember, the brighter the sign outside the store, the more passing customers it will attract. You want enough signal, that you can connect inside your home without issue, but there is no reason for your Wi-Fi network to be visible for the neighbor living 2 houses down.
- Turn the network off during long periods of absence. This might be difficult if you have a certain degree of home automation, and you like to be able to see what is going on while you are away. Some homeowners even have home security systems that rely on an internet connection. In such cases, turn off as much as possible.
- Update the firmware; old firmware is likely vulnerable.
- Disable remote management. Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration. Usually, for these features to work you have to open communications over the internet, from the router to wherever you are trying to manage it from.
- Monitor connections to your network. Most routers allow you to see a list of devices connected to your network, and on some of the devices recommended above you can even tag devices with custom names. Check periodically for devices you do not recognize.
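The periodic check for unrecognized devices can also be scripted from a Linux machine on the network. The following is an added example, not part of the original article: it parses the output of `ip neigh show` and reports MAC addresses missing from an inventory you maintain. The sample output, the addresses and the `KNOWN_DEVICES` inventory are constructed for illustration.

```python
# Constructed sample of `ip neigh show` output from a Linux host on the LAN.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:10:20:30 REACHABLE
192.168.1.23 dev wlan0 lladdr A4:83:E7:AA:BB:CC STALE
192.168.1.57 dev wlan0 lladdr 9e:12:fb:01:02:03 REACHABLE
192.168.1.80 dev wlan0 lladdr 00:17:88:44:55:66 DELAY
192.168.1.99 dev wlan0  FAILED
fe80::3e84:6aff:fe10:2030 dev wlan0 lladdr 3c:84:6a:10:20:30 router STALE
"""

# Hypothetical inventory: devices you have already identified, keyed by MAC.
KNOWN_DEVICES = {
    "3c:84:6a:10:20:30": "router",
    "a4:83:e7:aa:bb:cc": "laptop",
}

def is_randomized(mac):
    """True if the locally administered bit is set, as in private Wi-Fi MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_neighbors(text):
    """Yield (ip, mac) for entries that resolved to a link-layer address."""
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines and entries that never resolved to a MAC.
        if "lladdr" not in tokens or tokens[-1] in ("FAILED", "INCOMPLETE"):
            continue
        yield tokens[0], tokens[tokens.index("lladdr") + 1].lower()

def unknown_devices(text, known):
    """Return {mac: {"ips": [...], "randomized": bool}} for MACs not in `known`."""
    known = {mac.lower() for mac in known}
    found = {}
    for ip, mac in parse_neighbors(text):
        if mac in known:
            continue
        entry = found.setdefault(mac, {"ips": [], "randomized": is_randomized(mac)})
        entry["ips"].append(ip)
    return found

if __name__ == "__main__":
    for mac, info in unknown_devices(SAMPLE_NEIGH, KNOWN_DEVICES).items():
        note = " (randomized MAC, may be a known phone)" if info["randomized"] else ""
        print(f"unrecognized {mac} at {', '.join(info['ips'])}{note}")
```

The neighbor table only lists devices this host has recently exchanged traffic with, so the router's own client list remains the authoritative view. A randomized MAC often belongs to a phone you already own that uses a private Wi-Fi address, so confirm on the device before treating it as an intruder.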
Mitigate Email Threats. Phishing emails continue to be one of the most common initial attack vectors employed for malware delivery and credential harvesting. When the network defenses cannot be breached, attackers will try to exploit the human element. Unfortunately, because of the amount of exposure most of us have through our social media presence, it has become increasingly easy to gather enough intel on a person to craft an email that seems legitimate.
Be very careful. For example, if you receive an email that seems to come from your financial institution or your TV provider, do not click on it. Instead, go to their website, and if there is something that needs your attention, it will likely be highlighted there. You can also call them.
Please resist the urge to click on the link with the kitties, or any other cute animals. Finally, all those emails with sweepstakes, giveaways, random unclaimed fortunes, random customer service requests, etc., are all fake.