As more and more employees are working from home, and may continue working from home even after Covid-19 restrictions let up, your home Internet connection and your home wireless access are going to be used more frequently by you and everyone else in your home. That is why it is more important than ever before to ensure that your home’s access to the internet is secure and functional. This guide provides you with some background, resources, and best practices on getting that done. This isn’t going to be a technically detailed post, but it will almost certainly have something for both the technical user and the beginner. Let’s dive in.
Your Home Internet Network – An Overview
Simply put, your internet connection first comes into your home via a router or a modem, often referred to simply as the gateway. It’s the gateway between your home’s network and the rest of the Internet. A router is used to distribute the connection to devices that are connected to it. A Wireless Access Point (WAP) is a device that allows devices to connect to your home network wirelessly. You may have a router and wireless access point all-in-one. That type of device may also be known as a wireless router, or a wireless modem.
Risks of Inappropriate Security on your Home Internet
The objective is simple: gain access to a victim’s home network so as to be able to connect to that network as any other user. Once the malicious actor has gained access to your home internet connection, there are a variety of tactics and techniques that can be used to either attack the devices on your network, or use your network/devices to commit a cyber crime. Here are some of the risks of a malicious actor having access to your home’s internet connection:
- Your internet connection can be used to perpetrate a crime. Since your Internet Service Provider (ISP) has your name and address associated with the internet connection to your home, you could be held liable.
- A malicious actor who has access to your home’s internal network has the ability to “sniff” or record network traffic being sent between devices. This may include passwords and banking information that you are entering into the web browser of your laptop.
- A malicious actor may gain access to other devices on your network and steal information and files.
- Your home devices are also at risk of being infected with ransomware or other types of malware. Ransomware is the most common risk with a malicious actor gaining access to your network. Once they’ve taken whatever data they want to take, they can infect your device(s) with ransomware and demand a ransom for safely unlocking your files.
How do Malicious Actors Gain Access to Home Networks?
- Network devices that are still using default usernames and passwords are a common entry point.
- Wireless networks that are not set up with a strong authentication method, for example networks still using WEP, are susceptible to man-in-the-middle attacks.
- Outdated software on your home devices and on your network devices can introduce unpatched vulnerabilities. This allows attackers with means and know-how to gain entry to your network through various avenues.
- Stolen credentials. Password reuse is a major problem today. Passwords that have been stolen can be reused by attackers who use brute-forcing and password stuffing attacks to find insecure accounts online.
- Man-in-the-middle attacks are easy to perform with a rogue access point. A malicious actor creates an identical wireless network to your own. When a guest or resident of your home accidentally logs in to the rogue access point instead of your own, the malicious actor records the password that was entered by the unsuspecting victim.
- Stolen/lost mobile devices often contain a copy of the wireless connection information, including the password.
So, What Can I Do?
Don’t worry. You’ve taken the first step; learning more. Now, let’s discuss several points that will help you work towards a more secure home internet connection.
- Knowing Your Attack Surface
- Security For Network Devices
- Security For Personal Devices
1. Knowing Your Attack Surface
Knowing your attack surface means knowing the different parts of your home’s network that could be attacked by a malicious actor. Using the categories below, create a simple list of your home’s attack surface. Here is an example to show you that it doesn’t need to be complicated. I’m simply recording a device name that I choose, the device location, and whether it is wired or wireless.
| Device Name | Device Location | WIRED/WIRELESS |
|---|---|---|
| Bell Aliant Modem | Basement Storage Room | WIRED |
| Mom’s iPhone 11 | Roaming | WIRELESS |
| Dad’s Android Tablet | Roaming | WIRELESS |
Here are some device categories to get you started:
- The individual devices on your network including laptops, desktop computers, phones, and tablets.
- Network devices, including the modem or router, that make up your home network.
- Your Wireless Access Points (WAPs).
- Smart devices and other Internet of Things (IoT) devices.
2. Security For Network Devices
Every Internet Service Provider (ISP) has a slightly different setup and uses different network devices. Unfortunately, it’s infeasible to provide a standard A-Z process for securing your network that is going to work for everyone. Instead, we’re going to give a list of recommendations, and details around those recommendations. At the end of the day it will be your responsibility to research and understand these recommendations to ensure that you are applying appropriate configurations for your individual situation.
Recommendations for home network security:
- Change the default name of your wireless network, known as the SSID, and ensure that it doesn’t contain anything that would associate it with you, anyone in your family, or your home.
  - Really Bad: JacksonFamilyat9902WhistlerSt
  - Bad: JacksonFamilyWifi
  - Better: WhistlerStWifi
  - Best: SomeoneIsAlwaysHome
- Change the default login on your network devices, such as the router provided by your Internet Service Provider (ISP). This should include changing the default administrator username, if able.
- Disable logging into your internet router from remote internet computers. It can still be accessed by you from inside of your network.
- Use WPA2-PSK or WPA2-Personal as the authentication method and AES as the type of encryption when setting up your home’s wireless access. TKIP encryption can be used if, for some remote reason, AES gives you issues or isn’t available. There is no reason to use any authentication method other than WPA2-PSK.
- Disable SSH/Telnet access on your modem/router. These protocols allow for remote command line access to your device and are not required for the average home internet user.
- Disable Wi-Fi Protected Setup (WPS). This technology provides a simpler method for connecting devices wirelessly, but is also rarely ever used.
- MAC address filtering can be used to explicitly restrict access to your network to devices whose MAC address is contained on the access list that you define.
- Enable the built-in firewall on your router.
- Set up a separate guest wireless network for house guests. They can access the Internet, but can’t access anything inside of your network.
- Set up access schedules for devices on your network that don’t require 24/7 Internet access.
- Modify the Domain Name Servers that your router is using to translate IP Addresses (i.e. 18.104.22.168) to Domain Names (roguesecurity.ca).
- Using a Virtual Private Network (VPN) encrypts your internet communications and makes it difficult for a malicious actor who may be “sniffing” your Internet communications to capture passwords and other information. Many routers allow easy configuration of mainstream VPN providers.
- Change the default Domain Name Service (DNS) subnet address on your network router. Instead of your local network being 192.168.2.1/24, change the third number group to anything between 0 and 254. For example, your local network IP address range might be 192.168.200.1/24.
- Place Internet of Things devices on a separate subnet than personal devices.
- Adjust the transmit (Tx) power of your wireless connection. Limiting the distance that your wireless signal travels will also limit how far away a malicious actor can be and still interact with your wireless internet.
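To turn the checklist above into something you can re-run after every router change, here is an added example (not code from Rogue Security or any router vendor) that audits a settings record against several of the recommendations. The setting names and both sample configurations are assumptions constructed for illustration; copy the real values by hand from your router's admin pages.

```python
import ipaddress

# Hypothetical setting names; real routers show these under vendor-specific labels.
DEFAULT_ADMINS = {"admin", "administrator", "root", "user"}
DEFAULT_LAN = ipaddress.ip_network("192.168.2.0/24")  # default range used in the text

def audit_router(cfg, personal_terms):
    """Return findings for settings that go against the recommendations above."""
    findings = []
    ssid = cfg["ssid"].lower()
    leaked = [t for t in personal_terms if t.lower() in ssid]
    if leaked:
        findings.append(f"SSID reveals personal information: {', '.join(leaked)}")
    if cfg["admin_user"].lower() in DEFAULT_ADMINS:
        findings.append("Administrator username is still a default")
    if cfg["remote_admin"]:
        findings.append("Router login is reachable from the Internet")
    if cfg["wifi_auth"].upper() not in {"WPA2-PSK", "WPA2-PERSONAL"}:
        findings.append(f"Wireless authentication is {cfg['wifi_auth']}, not WPA2-PSK")
    elif cfg["wifi_cipher"].upper() != "AES":
        findings.append(f"Wireless encryption is {cfg['wifi_cipher']}; prefer AES")
    for svc in ("ssh", "telnet", "wps"):
        if cfg[svc]:
            findings.append(f"{svc.upper()} is enabled")
    if not cfg["firewall"]:
        findings.append("Built-in firewall is disabled")
    if not cfg["guest_network"]:
        findings.append("No separate guest wireless network")
    lan = ipaddress.ip_interface(cfg["lan_address"]).network
    if lan == DEFAULT_LAN:
        findings.append(f"Local network still uses the default range {lan}")
    return findings

# Constructed sample settings, not taken from any real device.
FACTORY = {"ssid": "JacksonFamilyWifi", "admin_user": "admin", "remote_admin": True,
           "wifi_auth": "WEP", "wifi_cipher": "none", "ssh": False, "telnet": True,
           "wps": True, "firewall": False, "guest_network": False,
           "lan_address": "192.168.2.1/24"}
HARDENED = {"ssid": "SomeoneIsAlwaysHome", "admin_user": "hq-keeper",
            "remote_admin": False, "wifi_auth": "WPA2-PSK", "wifi_cipher": "AES",
            "ssh": False, "telnet": False, "wps": False, "firewall": True,
            "guest_network": True, "lan_address": "192.168.200.1/24"}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        issues = audit_router(cfg, personal_terms=["Jackson", "Whistler", "9902"])
        print(f"{name}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

The `personal_terms` list should hold your own surname, street name and house number, so that a network name like the "Bad" examples above is flagged.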
3. Security For Personal Devices
- Ensure that devices on your network have a software anti-virus (AV). Focus on your Windows computers first, and simply use the built-in Windows Defender and Windows Firewall options.*
- Software firewalls should be enabled on devices that have them. Windows Firewall is a perfect option for Windows users.*
- Devices should have separate Administrator and Non-Administrator accounts, and the Administrator account should only be used to perform administrative actions.
- Virtual Private Network (VPN) software is also available for most operating systems and can be used on individual devices if whole-home VPN isn’t desired.
- Set up devices with automatic updates enabled.
***Note: Mobile phone AV and firewall software is often bloated and bogs down older devices. Mobile malware is far less advanced and less common than Personal Computer (PC) malware. Our recommendation is to avoid both AV and Firewall software on mobile phones, unless it’s built into the phone’s operating system.***
Congratulations! You’ve successfully done something that so many people do not; you’ve taken steps to make it more difficult for a malicious actor to gain access to your home network. You rock!
Stay tuned for a really, REALLY, big update on this. If you’re continuing to have cybersecurity issues, or are unable to apply some or many of the recommendations above, and would like further information on how Rogue Security can help, please contact firstname.lastname@example.org.