The world of work has changed drastically since March 2020, with a significant number of knowledge workers now working from home instead of in the office, which reduces the levels of network security protecting your devices.
As the workforce transitions to the home instead of the office, cyber threat actors will seize the opportunity to take advantage of weak network security; having a decent security profile within your home network will help you to protect your employer, and your own devices, from being an easy target.
To help you take the right steps, I have put together my five-step guide to help secure your home network as much as possible against the most common forms of attack.
1. Make sure firmware is up to date
Depending on what hardware you are using, you may or may not be able to monitor and manage updates to the firmware of the device. Details of the firmware version may be listed in the general information on the router; any option to do a forced check and update will be in the device's advanced settings.
Internet Service Provider (ISP)-issued routers generally don’t have this option - they will often be running custom firmware which, unfortunately, won’t get as many updates and revisions as a generic router.
2. Review and remediate connected devices
Most broadband routers will let you view a list of all devices that are connected to your network. Some routers may also display devices that have connected to the network previously, but are currently offline. This is a great checklist to see what is connected, or can connect to, your WiFi network.
Review the list of connected devices and make sure you recognise all of them. If there are any that you don’t, use the option to block or forget them. If you accidentally block something you need, you can always unblock it later.
Unless you regularly do housekeeping on your router, or you have recently changed it, there are likely to be a lot of devices in the offline list; old phones and tablets that you might have replaced or perhaps friends’ devices that you have allowed to connect to the network before. Clear out anything that isn’t yours or a current device.
Important note: if you have a Guest Network on your router and you have any smart devices in your home, quickly read step five before going any further and block or delete your smart devices before going onto step three.
3. Change factory settings
There are a range of factory settings that you should change or optimise on your router, running in order of importance/priority. Everyone can do the first three steps:
Change the Admin Password – The admin password will provide access to your router settings and is the most important password on your network. Changing it from the factory default password has lots of benefits, but ultimately it will protect your security settings from anyone who may already have your password (it’s often listed on the router somewhere) and from your credentials being compromised if your provider has their database hacked.
All of your router security details from the factory are listed in at least two external places: at the manufacturer of the hardware and with your ISP. If they are breached in any way, so is your router.
Change the WiFi password – For the same reasons as above, your WiFi password isn't actually that secure - and it’s the gateway to anyone gaining access to your network. Once someone is connected to the WiFi, they are inside your network and have cleared the main security barrier - so we want to protect access to your network. Change the password and make it as complex as you can but make sure you can remember it. You may need to update all your devices with the new password, but it will ensure that you have control over who can access your network.
There are some great random password generators on the web that will create a unique, highly-complex alphanumeric password for you that will be extremely difficult to brute force. Just make sure you keep a note of it somewhere safe.
Change the SSID of your WiFi network – This one is not as critical as the above steps but also highly recommended for two reasons. Firstly, some WiFi networks will push out your changed password to connected devices, which is really useful for the devices you want to keep but not so great for devices that you don’t want to have access moving forward. With a new SSID, devices that previously had access to your network shouldn’t be able to initiate any reconnection that would allow this.
The second reason goes back to the above points; your factory SSID will be available in at least two databases and allows anyone in range of your WiFi to assess what router you have installed, which may allow them to search for known exploits on that model and formulate an attack. A new generic SSID helps guard against this, to a point.
It’s also a great opportunity to have some fun with the neighbours or your guests…
Where the option exists, you may choose to hide/not broadcast the SSID of your private WiFi network. This has the added advantage of ensuring that anyone who is not currently authorised to join your network won't be able to see that it is available.The disadvantage of this, is that you will have to manually enter the SSID name every time you want to join a new device to your network.
Extra credit actions - the availability of the following items will depend on the make and model of your router. Most of the features here will be under a tab called “Advanced Settings”.
Enable enhanced security features – if your router has options such as Malicious Content Filter, Intrusion Prevention System or Infected Device Quarantine, switch them on. This is unlikely to be an option with most ISP provided routers, but if you are using a router you have bought separately it may be a feature. If you get reporting from this, you will be amazed at the number of dubious processes these stop on an hourly basis.
Upgrade your WiFi network encryption – most routers including the ISP provide this option, but not all. If you have options to change the WiFi encryption, select WPA2 or WPA2-PSK, (WiFi Protected Access v2). This is the best generally available WiFi encryption standard and should work with all of your devices. If you don’t have WPA2 available, WPA is next best. WEP (Wired Equivalency Protocol) is better than nothing, but is the last resort.
Enable the router’s Firewall – this is a grey area; most routers have some form of software-based Firewall that is on by default, so you can’t see it or affect it. Some higher-end routers have the ability to switch the Firewall on and off and complete some more advanced configuration. Depending on what you bought and when, it may be on or off as default. Check it, and if it is not already on, enable it.
Disable Remote Administration - if Remote Administration is available as an option, check to see if it is enabled by default and make sure it is switched off. Your ISP provided router is likely to have this as a default option that you cannot disable.
4. Enable guest network if you have it
Step three recommended culling devices you don’t want connected to your trusted home network, which includes clearing out friends and relatives, or more often in my house, friends of my children!
We have no idea about the hygiene status of other people’s devices; are they secure, have they jail-broken devices that might now be running some form of malware, or cause us a security or performance issue?
A guest network allows us to do at home what your enterprise should do on its core network: working on a basis of zero trust for any devices or users we don’t know. Most modern routers have a guest network capability which will provide guest users with access to your internet, but wall them off from the devices on your main network. Enable this and make sure family members don’t give out the new details to your private network.
5. Isolate Internet of Things (IoT) Devices
Most households have at least one IoT device. It might be an Amazon Alexa or similar digital assistant, smart TV, media sticks like Fire TV or Roku, games consoles, video doorbell, refrigerator or coffee maker. The security built into these devices is pretty poor, and they represent a gateway into your private home network that is a potential security risk. If you have a guest network, my recommendation is to cull all of these devices from your secure network and reconnect them to your guest network. Most will still function exactly as they did before.
The exception to this may be smart TVs and media boxes or sticks if you have set them up for some form of DLNA streaming from digital media stored in Network Attached Storage at home, or if you regularly “cast” content from phones and tablets to your TV screen. Breaking these devices out of your main network will cause this to stop functioning, in which case you need to make a decision about whether to also move that to the guest network, or whether to accept the risk of the Smart TV/ Media device in the trusted network. Taking any of these steps in isolation will help to improve the overall security of your home network, but they work best when performed in the order listed above. Following these steps will help make sure that you protect all of your devices, corporate and personal, from the switch in focus of cyber criminals to unprotected home networks.
For organisations that are concerned about IT security as their staff work from home, Core has a range of security solutions that can help, from discovery sessions of your current security landscape to full security workshops. See our security solutions here or contact us to talk about how we can help you stay secure during the time of remote working.