Securing Home Networks
Inside this issue
Home Network - Routers
Warning - Webcams
Unprotected Millennials
Home Network - WiFi
Large Home Wifi Options
Anti-Virus & Firewalls
Network Segmentation
Online Behavior
Preparation & Backups
Cloud Insecurity
Recommendations
Introduction
More and more technology is entering our homes. A common problem that affects many people every year is an unprotected home network. In a world where the Internet of Things (IoT) is commonplace, it is easy to forget just how much cyber security you need in the house. Even if you do not have fancy talking refrigerators or smart window blinds, most homes will have some combination of desktop computers, tablets, smartphones, gaming systems, home theater/music systems, security systems (e.g., gates, alarms, motion sensors, lighting), and maybe an Amazon Echo or Google Home device. All of these systems and devices must be considered when securing your home.
Approximately 25 percent of wireless home networks are vulnerable to all kinds of attacks. However, many of these invasions happen to people who are not using the security features that are available on the device – or are using default settings on the device. As a result, every Internet-enabled device in your home could be targeted if someone nearby is capable of joining or cracking your network.
To better understand just how vulnerable your home network is, statistics show that hackers have a 75% success rate of getting into a device within a matter of minutes. Given more time, 15% of hackers are able to break into a home system in a couple of hours. Without increased attention to security of connected devices at home, burglars of the future will not creep through your windows or kick in doors. They will monitor your home network or security cameras to see when you are out of the house, disable any motion detectors and open the front door with a few lines of code. A study conducted by information technology engineers at Michigan University showed that IoT and the related smart home security systems are not completely secure. While it does take a knowledgeable hacker to bypass a smartly secured home, it is very doable. Smart apps and networks can be breached, allowing perpetrators to remotely exploit apps, bypass weak passwords, and false PIN codes. Unsecured wireless medical devices, mobile devices, and even cloud architecture all came under attack in 2016 and there are increasing instances of device compromises in 2017.
This report focuses on some of the most critical parts of your home network including securing your wifi and routers, installing/updating anti-virus software, preventing device compromises, attaining redundancy and/or back-ups, and managing your online profile.
Concierge Security Report August 2017
Volume 3, Issue 8
Warning! - Webcams
Hackers are targeting webcams by using malware to covertly take control over the devices. In some instances, the hackers may hold cameras hostage (much like ransomware), behave like "peeping Toms," and even commit “sextortion” where the hackers blackmail their victims with compromising images.
In other cases, the hackers will publicly display the camera feeds. There are websites that publicly list private security cameras that are not properly protected. For example, the website Insecam.org had available for view numerous live feeds of home security cameras in Houston, Texas during Hurricane Harvey. However, these cameras were visible before the hurricane and may present an even greater vulnerability after the initial crisis as homes and retail establishments are frequently looted post-storm. In addition, Insecam.org exposed the inside of hospitals, shopping malls, and even daycare centers throughout the U.S.
See Houston Cameras - http://www.insecam.org/en/bycity/Houston/
Anti-virus programs may not detect a compromised camera. Check all of the cameras on your laptops, desktops/monitors, smartphones, tablets, baby-monitors, smart TVs, and home security systems. Change any default passwords that these devices came with - and, if you are not using these cameras, turn them off if possible or use a piece of electrical tape to cover the lens.
Home Networks - Routers
According to Norton, 35% of people have at least one unprotected device, leaving themselves vulnerable to ransomware, malicious websites, zero-day attacks and phishing attacks. Consumers are aware of the need to protect their personal information online, but they are not motivated to stay safe. In some cases the unprotected devices are lacking passwords or proper configuration, but sometimes the vulnerability stems from the network. Two of the first things you should consider when securing your home network are your WiFi connection(s) and your router(s). The following list of router and network tips has been taken from C/Net, past Mindstar Security assessments, and the FCC website. It is our hope that you will implement some of these tips in order to keep your home network safe.
Change the name of your home wireless network. One of the things you should do is change the name of your Wi-Fi network, also known as the SSID (Service Set Identifier). Changing your Wi-Fi’s name makes it harder for hackers to know what type of router you have. If a cybercriminal knows the manufacturer of your router, they will know what vulnerabilities that particular model has and then be in a better position to exploit them.
Avoid naming your home network something like “Bill’s Wi-Fi” or “Smith Family Wi-Fi”. You do not want people to know at first glance which wireless network is yours when there are 3-4 other neighboring Wi-Fi networks. The less potential hackers know, the better.
Change your router’s default settings. Since your router’s default settings are set by the vendor, they are public knowledge. While the default settings certainly make setting up your router much easier, they also make it far more susceptible to unauthorized access by hackers or anyone with even a rudimentary understanding of that router.
Your router is sometimes considered the first line of defense against hackers trying to access all the internet-connected devices in your home. All routers are slightly different, so check your router's documentation for exact instructions. Making these changes is important, and if you are unsure, seek assistance.
Unprotected Millennials
Millennials remain the most common victims of cyber crime. According to a recent research report conducted by Norton, 40% said they had been hacked or compromised in the past year. Despite growing up with the Internet and a multitude of devices, millennials exhibit what the report calls “surprisingly slack” online security habits. The CEO of Norton commented that millennials are “on the web more than other groups, so there’s certainly more opportunity for them to get in trouble, but then they’re not taking basic steps to protect themselves.”
Millennials are twice as likely (35%) as other age groups to share their passwords with others — a practice that clearly compromises security. Many millennials do not even protect their digital devices with passwords, or if they do, they use weak passwords that are easy to crack.
Mindstar has also seen a lack of security discipline by millennials. Some of them had commented that while they grew up with a device in their hands, they were only taught how to use it...not how to protect it or that it even needed to be protected.
Home Network - Routers, continued
WEP versus WPA
Many routers today will offer two or three different security schemes such as WEP, WPA, and WPA2. WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access Version 2) are security protocols that use encryption for secure access and communication between connected Wi-Fi devices. WEP (Wireless Encryption Protocol) is the encryption scheme considered to be the initial standard for first generation wireless networking devices.
We recommend WPA or WPA2 security since it is more secure than WEP. However, for compatibility with some older devices, such as gaming consoles, TiVo, and other network devices, WEP may be the only security option possible to use. Using WEP is still better than no security at all.
Update your router’s firmware
Firmware updates from the manufacturer help improve the performance of the router, as well as address any new security vulnerabilities. Updating firmware can be as easy as a few clicks of the mouse or you may have to first download it and then install manually. Either way, it is not a difficult process and you should be able to do it in just a couple of minutes.
It is important to keep in mind that any updates you download can potentially reset your router’s settings to their factory default (depending on the type/brand of router). You may want to back up the router’s settings before updating the firmware or at least be prepared to make the changes outlined above again once you’ve done your update.
If you are not comfortable setting up or managing your router, do reach out to an IT security professional or trusted consultant for assistance. Setting up part of the “backbone” of your home network is extremely important.
Remote Administration
Many of today’s routers include a capability called remote administration or remote management. This means the router can be accessed by technical support personnel from outside your house. Mindstar Security typically recommends that this remote management capability be disabled in your router. But there may be cases where leaving remote management turned on is advantageous to your particular situation. If you must leave remote management turned on, you should change the “remote management port number” to something other than the commonly used number of 8080. Any number from 80 to 65534 can be used. And most importantly, if you choose to use remote management, you MUST change the router’s password to something other than the default password.
How to change the router’s default login password
Most routers have very similar menus and set-up tabs. No matter what brand of router you have, go to the Tools or Administration part of the Web interface and make sure you create a password that is very difficult to guess, as well as different from the password you use for the Wi-Fi network.
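The router checks in this section (network name, security mode, remote management and the login password) can be written as a small audit over a snapshot of the settings. The Python below is an added example, not part of the original report; the field names, the vendor hint list, the 12-character minimum and the sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass

SECURITY_RANK = {"NONE": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
# Constructed, non-exhaustive list of vendor strings often seen in factory SSIDs.
VENDOR_HINTS = ("linksys", "netgear", "dlink", "d-link", "tp-link", "asus", "belkin")
MIN_PASSWORD_LEN = 12       # assumption: the report asks for "long and strong" without a number
DEFAULT_REMOTE_PORT = 8080  # the commonly used port the report says to move away from


@dataclass
class RouterSettings:
    ssid: str
    factory_ssid: str            # name the router shipped with
    security_mode: str           # "WPA2", "WPA", "WEP" or "NONE"
    wifi_password: str
    admin_password: str
    factory_admin_password: str
    remote_mgmt_enabled: bool = False
    remote_mgmt_port: int = DEFAULT_REMOTE_PORT
    household_names: tuple = ()  # names that would identify whose network it is


def weak_password(pw):
    """True unless the password is long and mixes letters, numbers and symbols."""
    classes = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) < MIN_PASSWORD_LEN or not all(re.search(c, pw) for c in classes)


def audit(s):
    """Return a sorted list of finding codes for one settings snapshot."""
    found = set()
    ssid = s.ssid.lower()
    if s.ssid == s.factory_ssid or any(v in ssid for v in VENDOR_HINTS):
        found.add("ssid-reveals-router-model")
    if any(name.lower() in ssid for name in s.household_names):
        found.add("ssid-identifies-household")

    rank = SECURITY_RANK.get(s.security_mode.upper(), 0)
    if rank == 0:
        found.add("wifi-not-encrypted")
    elif rank == 1:
        found.add("wifi-uses-wep")

    if s.admin_password == s.factory_admin_password:
        found.add("admin-password-is-default")
    elif weak_password(s.admin_password):
        found.add("admin-password-weak")
    if s.admin_password == s.wifi_password:
        found.add("admin-password-same-as-wifi")

    if s.remote_mgmt_enabled:
        found.add("remote-mgmt-enabled")
        if s.remote_mgmt_port == DEFAULT_REMOTE_PORT:
            found.add("remote-mgmt-on-port-8080")
        elif not 80 <= s.remote_mgmt_port <= 65534:
            found.add("remote-mgmt-port-out-of-range")
        if "admin-password-is-default" in found:
            found.add("remote-mgmt-with-default-password")
    return sorted(found)


# Constructed snapshots: a router left as shipped, and the same router after the changes above.
AS_SHIPPED = RouterSettings(
    ssid="NETGEAR42", factory_ssid="NETGEAR42", security_mode="WEP",
    wifi_password="password1", admin_password="admin",
    factory_admin_password="admin", remote_mgmt_enabled=True,
    household_names=("Smith", "Bill"))
HARDENED = RouterSettings(
    ssid="blue-heron-27", factory_ssid="NETGEAR42", security_mode="WPA2",
    wifi_password="Tide&Pool-4417-lamp", admin_password="k9!Orchard_Mule_82",
    factory_admin_password="admin", remote_mgmt_enabled=False,
    household_names=("Smith", "Bill"))

if __name__ == "__main__":
    for label, snapshot in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(label, audit(snapshot))
```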
Large Home WiFi Options
Have a larger home with Wi-Fi dead zones? A multi-node system might be a better solution than a traditional wireless router. Larger homes and dwellings with dense walls, multiple floors, metal and concrete substructures, and other structural impediments may require additional components to bring Wi-Fi to areas that the router cannot reach.
1) One alternative to increase connectivity is to install range extenders. They do a good job of filling in dead zones, but typically provide only half the bandwidth that you get from your main router.
2) Another choice is to use access points, which are networking hardware devices that allow a Wi-Fi device to connect to a wired network. Access points offer more bandwidth than range extenders, but do require a wired connection to the main router.
Both of these solutions may, depending on the brand and configuration, need the creation of a new network SSID that you have to log in to as you move from one area of the house to another.
3) A third option is to use a Wifi System. Wi-Fi systems are made up of several networking components. There is typically a main router that connects directly to your modem, and a series of satellite nodes that you place throughout your house. They are all part of a single wireless network, and share the same SSID and password.
Setting up and maintaining any type of wireless home network can be daunting, even if you are tech-savvy. Once you are all set up, have a professional review and test the network to make sure nothing was inadvertently overlooked.
Home Networks - WiFi
One of the other important components of a secure home is your WiFi network. More than likely the majority of your home devices will be dependent on a solid, fast, and secure network. While the bandwidth and speed will mostly be dictated by your service provider, security is typically left in the hands of the user. Mindstar has provided some basic security considerations for your WiFi configuration.
Encrypt your Wi-Fi network. Change the password for your Wi-Fi network to something that only you and other network users know. Make sure the password is impossible to guess but easy enough to remember and type. You likely have passwords for many accounts that you access online, and remembering them all can be a pain. Web browsers and other programs may offer to remember passwords for you, which can be a significant timesaver. However, certain password shortcuts can leave you less secure. The following good habits provided by the FCC may help keep your personal information safer:
- Don't use the same password for multiple accounts, especially for the most sensitive ones, such as bank accounts, credit cards, legal or tax records and files containing medical information. Otherwise, someone with access to one of your accounts may end up with access to many others.
- Don't have your web browser remember passwords and input them for you, particularly for your most important financial, legal and medical accounts. If an unauthorized person gains access to your computer or smartphone, they could access any account that your browser automatically logs into.
- Don't use passwords that can be easily guessed, such as common words and birthdays of family members. Instead, use a combination of letters, numbers and symbols. The longer and stronger the password, the safer your information.
NOTE: It is important to note that depending on what router you have, your Wi-Fi password may be referred to in the Web interface as either an “encryption key”, a “pass key”, the “pre-shared key”, or possibly even the “passphrase”. People without a strong technical background can sometimes be thrown by this. Just remember that all of those phrases mean the same thing: password.
Create a guest network with a different password. If you tend to have a lot of visitors to your home, it is a good idea to set up a guest network. With a home guest network you can give friends access to your Internet connection without sharing your Wi-Fi password and also limit the amount of information in your home network they can see. Guest networks also keep the primary network protected from network worms that could otherwise be spread to other computers if a visitor plugs in an infected device.
Consider using the MAC address filter in your wireless router. Every device that can connect to a Wi-Fi network has a unique ID called the "physical address" or "MAC" (Media Access Control) address. Wireless routers can screen the MAC addresses of all devices that connect to them, and users can set their wireless network to accept connections only from devices with MAC addresses that the router will recognize. To create another obstacle to unauthorized access, consider activating your wireless router's MAC address filter to include your devices only.
Disable your wireless network when you are not home. We recommend you do this in case of a prolonged absence, such as vacations. It closes any windows of opportunity hackers might have while you are away and unable to notice any network disturbances.
Anti-Virus Programs and Firewalls
Firewalls and antivirus software are two fundamentally different and complementary kinds of security applications that can help protect your home network and the devices connected to it. Since not all of Mindstar’s clients are tech-savvy, we will provide a very general definition of each.
Firewall: A firewall is also known as a “packet filter”. The firewall is software or hardware that monitors network traffic and connection attempts into and out of a network or computer and determines whether or not to allow the traffic to pass through. A firewall can be thought of as a screen that categorically strains out potentially harmful data.
Antivirus: Software that searches for and finds programs/files/etc. that can potentially compromise your computer, either by being executable or by exploiting a vulnerability in the program normally supposed to process them – rootkits, Trojans, or other types of malware. Antivirus software can detect threats before they are installed on your computer or after they have already made their way there. It can perform various protective measures once the threat has been detected, including quarantine, removal, fix, or other options. Mindstar highly recommends Malwarebytes for antivirus/anti-malware home use. Other antivirus products can be reviewed at:
https://www.pcmag.com/article2/0,2817,2372364,00.asp
Firewalls are not just software programs used on your PC. They also come in the hardware variety. A hardware firewall does pretty much the same thing as a software one, but its biggest advantage is the addition of one extra layer of security. One good thing about hardware firewalls is that most of the best wireless routers come preinstalled with one. Even if your router does not have one, you can always install a good firewall device to your router in order to protect your system from malicious hacking attempts against your wireless network.
These days, most people use the firewall solution provided by their operating systems. In case you are using dedicated security software that contains a firewall, we recommend you turn it on. While having one of these protections is certainly better than not having either of them, we recommend implementing both. Good firewall and antivirus software is both affordable (sometimes they can be found for free) and easy to install.
It is important to understand that simply installing these protections is not enough. You should check both the firewall and your antivirus software regularly for any updates they may need. Any antivirus software, whether you purchased it or downloaded a free version over the Internet, continuously releases updates. Simply put, if you do not make sure your antivirus is updated, you may not be protected from the most recently released threats. A recent CNN Technology article suggests that there are nearly 1 million new malware threats released every day, so having updated software is absolutely imperative.
Network Segmentation
Network Segmentation can be used to isolate risky devices, including most internet-of-things (IoT) products like smart refrigerators, thermostats, baby monitors, security systems, and several different entertainment devices like Amazon Echo, Apple’s soon to be released HomePod, and Google Home. Some routers, depending on their sophistication, offer the option to create VLANs (virtual local area networks) inside a larger private network. These virtual networks can be used to isolate/quarantine IoT devices, which are typically full of vulnerabilities because companies value speed to market above the security of their products. According to pcworld.com, many IoT devices can be controlled through smartphone apps via external cloud services, so as long as they have Internet access, these devices don't need to be able to communicate with smartphones directly over the local network after the initial set-up. IoT devices often expose unprotected administrative protocols to the local network, so an attacker could easily break into such a device from a malware-infected computer if both are on the same network. It is certainly a good idea to find a router that allows network segmentation and to isolate your risky IoT devices, or any devices you believe to be particularly vulnerable to hacking. Doing so will allow you to better protect your home network. According to InterTrust.com:
- Mobile app hacks and breaches will reach a cost of $1.5 billion by 2021.
- Mobile phone sales will reach 2.1 billion units by 2019 and that is a lot of phone apps that can be hacked.
- $34 million is spent annually on mobile app development; only $2 million is spent on security.
- Controlling electronic locks, thermostats, ovens, sprinklers and motion sensors by remote control has created new vulnerabilities in IoT.
“There are more mobile Internet users than desktop Internet users. There are 3.5 billion global mobile Internet users as at August 2017.” - HostingFacts.com
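To illustrate the network segmentation argument above, this added Python example (not part of the original report) models a flat home network and a segmented one and lists which ordinary devices can reach IoT devices directly. Zone names, subnets, device addresses and the first-match rule format are constructed assumptions, not any router's real configuration syntax.

```python
import ipaddress

INTERNET = "internet"
CLOUD_SERVICE = "203.0.113.10"   # constructed address from the documentation range


def zone_of(ip, zones):
    """Name of the network/VLAN whose subnet holds ip, or INTERNET if none does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return INTERNET


def allowed(src_ip, dst_ip, layout):
    """Can src open a connection to dst under this layout?"""
    src = zone_of(src_ip, layout["zones"])
    dst = zone_of(dst_ip, layout["zones"])
    if src == dst:
        # Same network: traffic is switched locally and the router's rules never see it.
        return True
    for rule_src, rule_dst, action in layout["rules"]:
        if rule_src in (src, "*") and rule_dst in (dst, "*"):
            return action == "allow"      # first matching rule wins
    return False                          # default deny between zones


def direct_paths_to_iot(layout):
    """(computer, iot_device) pairs where the computer can reach the device directly."""
    devices, iot = layout["devices"], layout["iot"]
    return sorted(
        (pc, thing)
        for pc, pc_ip in devices.items() if pc not in iot
        for thing in iot
        if allowed(pc_ip, devices[thing], layout)
    )


# Constructed layout 1: everything on one network, as most routers ship.
FLAT = {
    "zones": {"home": "192.168.1.0/24"},
    "rules": [("home", INTERNET, "allow")],
    "devices": {"laptop": "192.168.1.50", "phone": "192.168.1.51",
                "camera": "192.168.1.77", "thermostat": "192.168.1.78"},
    "iot": {"camera", "thermostat"},
}

# Constructed layout 2: IoT devices on their own VLAN with Internet access only.
SEGMENTED = {
    "zones": {"trusted": "192.168.10.0/24", "iot": "192.168.20.0/24"},
    "rules": [("trusted", INTERNET, "allow"),
              ("iot", INTERNET, "allow"),
              ("*", "*", "deny")],
    "devices": {"laptop": "192.168.10.50", "phone": "192.168.10.51",
                "camera": "192.168.20.77", "thermostat": "192.168.20.78"},
    "iot": {"camera", "thermostat"},
}

if __name__ == "__main__":
    for label, layout in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(label, "direct paths to IoT:", direct_paths_to_iot(layout))
        camera = layout["devices"]["camera"]
        print(label, "camera reaches cloud:", allowed(camera, CLOUD_SERVICE, layout))
```

In the flat layout every computer has a direct path to every IoT device, so one infected laptop is enough; in the segmented layout the list is empty while the devices still reach their cloud service.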
Online Behavior
All the technological safeguards in the world will not be enough to protect you if your online habits are overly risky. While it is difficult to completely eliminate all online threats, simply modifying your (and your family’s) online behavior can better assure that sensitive personal information doesn’t fall into the wrong hands. The following tips are examples of a few things you can do to assure your safety while online:
Avoid risky websites. Even if you think your antivirus is up to snuff, it is simply not worth the risk. Most people believe the biggest purveyors of malware online are pornography sites. This is not even close to the truth. The types of websites you are most likely to acquire malware from are pharmaceutical marketplaces, illegal marketplaces on the Dark Web, questionable movie/TV streaming sites, travel/aviation sites, and torrent sites. Do note that some legitimate sites may contain infected pop-up ads that can contain dangerous payloads.
Understand and be able to identify phishing attacks. Educate yourself on what phishing is and what phishing attacks look like. Avoid opening any attachments or clicking on any links that are included via an email or private message on social media coming from someone you do not know. By opening an attachment that includes nasty malware you may be compromising your entire home network and all of the devices connected to it.
Watch what you say on social media. Privatize all of your social media accounts and do not accept “friend requests” from people you do not know or trust. Oversharing on social media is one of the main ways hackers and other threat actors gather information used to either create phishing attacks or otherwise attempt to breach your accounts/networks. There is no reason to provide Facebook with your real birthdate or the city you live in. The less information you disclose online the less vulnerable you are.
Preparation and Back-ups
Because there is no way to absolutely guarantee that your security measures won’t be breached, you need to be prepared for that possibility. Limit what personal information is stored on or accessible from your IoT devices. Make sure all transfers of data are encrypted, and don’t store transaction records on a device or network. Do make sure you have redundancy and a way to back-up your data.
Even if you take every reasonable precaution available to secure your home network, things still happen and it is vitally important to back up your data. The three major ways most people do this are by using an external hard drive, a thumb (flash) drive, or the cloud. We recommend you use either an external hard drive or a thumb drive. We like the control of data storage to be in your hands and not dependent on a third party, especially considering that storage companies can also be hacked or otherwise infiltrated. Mindstar recommends using both external hard drives and flash drives in order to assure that you are always covered, even if one of them fails.
If you do experience a breach, make sure you have a plan. You can minimize the damage by limiting the data available and making data that was compromised useless. Immediately change all passwords; contact credit bureaus, banks, and credit card companies; and document everything you do. Once you know the extent of the breach, you should also file a police report to have an official record that will assist with fighting identity theft.
Lost or stolen Wi-Fi devices can be security threats. While you can lock down your Wi-Fi with the most stringent security, if you lose your smartphone, tablet, laptop, or any other device that you have connected to your Wi-Fi network, whoever recovers it may be in a position to access every network you have connected to in the past, since those passwords may have been saved to that device by default. Depending on who recovers the device, where they found it, and how much info they can glean from it, they might even be able to figure out where those networks are physically located.
If you lose a mobile device, see if you can remotely lock or even wipe it (you do back it up on a regular basis, right?) to prevent any unauthorized person from gaining access to the Wi-Fi passwords and any other data you have on it. Secondly, it’s a good idea to change the Wi-Fi password of all the networks you connected it to in the past. Some private networks might not be in your control, so you should notify the parties who are responsible for them—especially your employer.
“If you wouldn’t put your personal messages and pictures on a highway billboard sign for millions of strangers to see while driving by, then do not post it on social media.”
Recommendations
There may be many moving “pieces and parts” to establishing a secure environment for your home. Every house is different, based on the number of devices, users, needs, and desires of the homeowners. In some cases, the home is also the “home office” so it must also consider security measures that will protect business related data.
In summary, we have provided our “top 10” list of considerations and recommendations to secure your home network. These 10 review items will get you started, but do realize that most home networks today are more complicated and may need additional attention in order to secure them properly (without taking away your ability to function).
1. Change the name of your router: Change your router to a name that is unique to you and won’t be easily guessed by others.
2. Change the pre-set password on your router: When creating a new password, make sure it is long and strong, using a mix of numbers, letters and symbols.
3. Review security options: When choosing your router’s level of security, opt for WPA2, if available, or WPA. They are more secure than the WEP option.
4. Create a guest password: If you have many visitors to your home or service providers in your home, it’s a good idea to set up a guest network.
5. Use a personal firewall: Firewalls help keep hackers from using your computer to send out your personal information without your permission.
6. Keep antivirus updated: New malware signatures are found every day, so keeping as current as possible is important.
7. Back it up: Protect your documents, music, photos and other digital information by making an electronic copy and storing it safely.
8. Avoid risky websites and pop-up ads. Even if you think your antivirus is up to snuff, it is simply not worth the risk.
9. Understand and be able to identify phishing attacks. Educate yourself on what phishing is and what phishing attacks look like.
10. Privatize all of your social media accounts and do not accept “friend requests” from people you do not know or trust. Oversharing on social media is one of the main ways hackers and other threat actors gather information used to either create phishing attacks or otherwise attempt to breach your accounts/networks.
Technology can be challenging - and seems to change every day. Be sure about the integrity and security of your home network by conducting a self-review or enlisting the assistance of a trusted consultant.
Cloud Insecurity
Almost everyone uses some kind of Cloud-based computing in one form or another. But if you ask any of your service providers – “Where exactly is your cloud? …and where, physically, is my actual data stored?” – you will probably receive a lot of blank stares and no clear answers. And, as cloud services expand, even more information will be available to the hacking community.
Many security specialists are seeing security holes and risks with storing data in the cloud. For example, HP Fortify found an “alarmingly high number of authentication and authorization issues along with concerns regarding mobile and cloud-based web interfaces.” Under the category of insufficient authentication and authorization, the HP researchers found:
- 100% allowed the use of weak passwords.
- 100% lacked an account lockout mechanism that would prevent automation attacks.
- 100% were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access.
Mindstar Security & Profiling specializes in security solutions for family offices, high profile/high net worth executives, and their families. Our customized focus includes the security trifecta of Internet/Social Media Safety, Physical Security and IT Security. 1001 Sycolin Rd SE, Suite 1A Leesburg, VA 20175 Phone: 703-404-1100 Fax: 703-404-5549 www.mindstarsecurity.com E-mail: info@mindstarsecurity.com