Home Network Security Best Practices
M3 is dedicated to bringing you the most updated information in these uncertain times. We’ve tapped Tetra Defense, M3’s trusted cyber incident response partner, to offer insights into the world of cybersecurity – and more specifically, home network security – in the COVID-19 era.
Security measures are often dictated by their contexts. The barriers to entry on a bus are different than those of an airplane, the barriers to enter a large concert are different than that of grocery store, and the barriers that protect an office network of a large organization are different than those of a home network in a studio apartment. Before the major shift to working from home brought about by COVID-19, security measures were often appropriate when it came to one campus, one office, or one organization. Now, countless businesses have been operating with a remote workforce, leaving their once-protected networks behind in exchange for security measures fit for a residence.
As many organizations have either already shifted their in-person operations to working from home, or are planning to continue making the transition, a significant increase in cyberattacks has been reported. Work-from-home policies created a larger attack surface for threat actors — instead of breaking down the multiple barriers of an office or campus network, they now have a plethora of vulnerabilities to exploit via home network devices. Instead of sneaking onto a plane, threat actors now have to simply hop on a bus.
Cybersecurity may not have been front of mind for an individual within their home pre-COVID-19, but that perception is changing. Organizations and businesses now rely on home networks to continue their operations, and their employees have thankfully placed greater significance on their home network security. In response, bad actors have paid significantly more attention to the exploits that allow them access to a home network. Here’s how to keep them at bay:
Home Network Security 101
Something to keep in mind when using non-office, non-CISO-approved devices is that many connections come insecure by default. Your personal computer may have the capability to implement a firewall, but the setting needs to be turned “on.” Internet browsing options may have private windows, but they need to be manually launched. Your home router may have a password, but to strengthen home security at the source, the SANS institute recommends changing this default. Since this password is what protects the administrative account on your router (aka the account that can configure settings), and attackers can easily access a password provided by a manufacturer, it’s essential to change it.
When creating and managing passwords, President of Tetra Defense Cindy Murphy advises, “Use unique and strong passwords or passphrases (a combination of words such as “blue banjo lovely sky” or a sentence of your choice) for each online account or system you access. Use a passcode manager like LastPass or KeePass to help your memory if you can’t remember all of those words and phrases. We also strongly recommend that you enable Multi-Factor Authentication (MFA) any time it’s available. A few seconds of inconvenience can save a ton of headaches later if your credentials are ever compromised.
Security measures can be manually implemented, and passwords can be automatically managed, but a major security feature will come from the user. When working from home, your employees are your network’s head gatekeepers, and often the strongest (or weakest) barrier against a threat actor. Keeping their network credentials away from the wrong hands, off of hand-written notes that are left out in the open, and far away from neighbors or household members will improve security defenses and create good habits going forward.
Beyond Behavior — Technical Security Tips
Other vulnerabilities that threat actors commonly try to exploit come from outdated apps or tools. Tetra’s Vice President of Digital Forensics & Incident Response, Nathan Little notes, “Make sure your computer operating systems, mobile device operating systems, apps, and programs are all patched and up to date. Turn on automatic updates, and don’t dismiss notifications for updates out of inconvenience. Unpatched software can have numerous vulnerabilities ripe for exploitation.” To avoid anything from potential slipping through the cracks, automatic updates are highly recommended across devices.
This advice extends to a physical home router itself, with Nathan adding, “Most people tend to ‘set it and forget it’ when implementing a home router, but outdated hardware follows the same principals, and yields the same vulnerabilities.”
Another common exploit comes from arguably one of the most common tools for remote workers: Remote Desktop Protocol (RDP). RDP is a slick solution for connecting remote staff to a workplace network — however, we frequently see externally-exposed RDP services used to launch ransomware attacks. When considering the risks of using RDP on the public internet, and the ease with which an attacker can hijack a connection, RDP becomes more of a problem than a solution. Tetra discourages directly exposing RDP to the internet, and to instead require users to log onto a Virtual Private Network (VPN) prior to accessing RDP. If an organization absolutely needs to use RDP without a VPN, they should be sure to enable MFA.
For those who are more technically inclined, Tetra also recommends the use of a Virtual Local Area Network (VLAN) in alignment with recommendations from the Cybersecurity & Infrastructure Security Agency. The VLAN provides virtual segmentation — it uses the same design principles as physical segmentation, but requires no additional hardware. Tetra Defense Director of Digital Forensics & Incident Response Drew Hjelm suggests, “If you have the technology and the skill (or can enlist the assistance of someone who does), separate your work, home, and IOT devices with segmentation such as a VLAN and separate wireless networks.”
Security Per Household
Just as security changes in different contexts, an individual’s mindset may also change. Being a passenger on a bus requires a different level of etiquette than on a plane. When in an office, surrounded by coworkers, and within an already secure environment, it may be easier to keep best practices in mind. When in your own space, surrounded by your own environment, it may be challenging to stay vigilant in the place where you’re used to letting your guard down. Despite the different setting, cybersecurity best practices still apply to the emails your employees open, the websites they visit, and the software they use in their office.
As organizations began to shift to working from home, a survey of 6,000 employees of small to medium-sized business reported only 34% of participants claiming that they had adequate instruction on how to properly use their personal devices to continue their job. What Tetra Defense recommends, as far as “instruction” goes, is to implement a VPN to access an internal environment, complete with MFA, and ongoing security awareness training to equip employees with the skills to spot scams before being tricked into “clicking here.”
It’s important for individuals adjusting to a work-from-home setup to recognize the humanity that can influence behavior online. In order to stay sane during this adjustment (and, subsequently, make the best decisions when considering home network security), Tetra’s team recommends the following:
- Separate a work environment from your normal home environment as much as possible.
- Reduce distractions where possible.
- Maintain a routine to stay on track.
- Take breaks to prevent burnout.
- Stay connected to your teammates by keeping your camera on when conducting meetings from home.
In the cybersecurity industry, there’s something new to learn every day. The most exploited vulnerability one month could become completely obsolete the next. While business as a whole may have shifted significantly towards remote working, that could change in the years or even months to come. The bottom line is this: no matter what new threats may emerge during this shift, it’s a comfort to know that the best cybersecurity practices still stand. By implementing these safeguards, you can not only strengthen your personal environment, but keep your work environment secure as well.