Ron Temske, Vice President, Security Solutions, Logicalis US
It’s the holiday season when many people have been online shopping and sharing pictures, eCards and correspondence from home (and office). Maybe you’ve just received or given new mobile or wired devices that will connect with your home or small office network. In that case, you may be considering security – perhaps advanced security, given recent news of breaches, hacks and Internet of Things (IoT) malware.
Whether you just want to make your existing environment more secure, you’ve picked up a network accessible thermostat or home automation system, or you are connecting new mobile devices to your office network, here are some simple steps you can take to improve your security.
For your home office or small office network, let’s start with your router because it’s a point of entry into your entire network. I’ll include tips on your wireless network as well since most routers integrate both functions in the same device.
- Change the default passwords. Kind of obvious, yet still frequently overlooked. Make this the first thing you do when setting up a home or office router/access point.
- Disable console access from the Internet. Do you really need to make changes to your home network while on the road? (Probably not.) Leaving the console accessible from the Internet is just asking someone to break in.
- Don’t use descriptive SSID names. For example, Ron’s Home Network would be a poor choice for a Service Set Identifier (SSID) name.
- Encrypt your connection. If possible, use WPA2-PSK with AES for encryption (some older devices won’t support this). Next choice would be WPA, but WEP should be avoided at all costs.
- Try the free service offered by OpenDNS for your personal DNS services. For personal use, Cisco Umbrella (formerly OpenDNS) offers a free secure DNS solution. Almost all routers will allow you to hard-code a DNS server (rather than using the one provided by your ISP). Configure your primary DNS to 220.127.116.11 and your secondary DNS to 18.104.22.168 to enjoy secure Internet access.
- Ensure you’re running the latest firmware. Many security holes are patched via firmware updates.
- Disable WPS (WiFi Protected Setup). I know this makes it easier to add new devices, but bugs in the protocol make it very susceptible to brute force attacks. The same goes for UPnP.
- Occasionally look at the devices accessing your network. Do you recognize all of them? It’s worth doing a little investigating if there are devices on there that aren’t your own (or that you’re not sure are your own). You should look at logs too – not just devices actively signed on at the time.
- Create a separate guest network. Most newer routers provide the functionality to create a separate guest network. There’s no reason to put your friends or office visitors onto your own network when all they need is Internet access. A guest network prohibits them from leaving with the credentials for your home or office network stored on their devices.
- Create a third network for your IoT devices. Far too many IoT devices (e.g. cameras, thermostats, etc.) are insecure. While you can’t make those devices inherently secure, you can at least segment or separate them from the rest of your network to restrict their access. If your router only supports two networks, set up your IoT devices on the guest network (see my last note).
- As with the routers, change the default passwords in your IoT devices.
- Turn off any unnecessary services. The security cameras used in the recent DDoS attack had telnet services enabled. Why? Turn off those services that are not needed for your devices to function properly.
- Use the most up-to-date WiFi frequency. Assuming you aren’t supporting any ancient wireless devices, disable 802.11b and if you’ve made the move to 5GHz then disable 2.4GHz.
- Don’t use an account with administrative rights on your home system. Have a user account with minimal rights and escalate privilege when necessary. This is a little more work, but if your account is compromised it will minimize the damage that can be done.
- Ensure you are using up-to-date antivirus/antimalware on each device.
- Back up your data! If you should be hit with malware, your life will be a lot easier if all your data is securely stored elsewhere. You should test your restore capability as well – as the adage goes, backup is easy, it’s restore that’s difficult.
- Keep your applications, plugins and extensions up-to-date. In addition to keeping your operating system up to date, be mindful of your applications as well, especially browser plugins. Flexera offers a free tool for personal use called the Personal Software Inspector (http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/) that is useful for identifying programs that are insecure and need updates.
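For the tip above about checking which devices are on your network, including the logs and not just what is connected right now, here is one way to automate the comparison. This is an added example, not part of the original article: the inventory, the Linux `arp -a` output and the dnsmasq-style DHCP log lines are all constructed samples, and your router's log format may differ.

```python
import re

# Constructed sample data (assumptions for illustration, not from the article).
KNOWN = {"3c:22:fb:10:20:30": "office laptop", "b8:27:eb:aa:bb:cc": "thermostat"}
ARP_TABLE = """\
? (192.168.1.10) at 3c:22:fb:10:20:30 [ether] on eth0
? (192.168.1.23) at B8:27:EB:AA:BB:CC [ether] on eth0
? (192.168.1.57) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.60) at <incomplete> on eth0
"""
DHCP_LOG = """\
Dec 20 02:14:07 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.88 da:a1:19:00:11:22 android-7f
Dec 21 09:30:12 router dnsmasq-dhcp[412]: DHCPACK(br0) 192.168.1.10 3c:22:fb:10:20:30 laptop
"""

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def seen_devices(text, source):
    """Return {mac: (ip, source)} for every line that carries a MAC address."""
    found = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac:  # lines without a MAC (e.g. <incomplete> ARP entries) are skipped
            found[mac.group().lower()] = (ip.group() if ip else "?", source)
    return found

def is_randomized(mac):
    """True if the locally administered bit is set (typical of private/random MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def unknown_devices(known, arp_text, log_text):
    """List devices seen in the ARP table or DHCP log that are not in the inventory."""
    devices = seen_devices(log_text, "log only")
    devices.update(seen_devices(arp_text, "active"))  # a live entry overrides the log
    known = {m.lower() for m in known}
    return sorted((mac, ip, src, is_randomized(mac))
                  for mac, (ip, src) in devices.items() if mac not in known)

if __name__ == "__main__":
    for mac, ip, src, rnd in unknown_devices(KNOWN, ARP_TABLE, DHCP_LOG):
        note = " (randomized MAC: check your own phones/tablets first)" if rnd else ""
        print(f"UNKNOWN {mac} {ip} [{src}]{note}")
```

A device flagged as "log only" was on the network at some point but is not connected now, which is exactly the case a glance at the router's live client list would miss.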
Most importantly – think about all the ways you can compute more securely in the new year!