In response to the COVID-19 pandemic, organizations are quickly equipping their employees with the technology and devices they need to work from home. Unfortunately, this shift also opens the door for hackers to compromise devices even more easily than before.
Work-from-home strategies have helped organizations maintain business during an unusual time. But because employees’ home networks are likely insecure, sensitive company data can be compromised inadvertently. By taking three proactive steps – router management, Wi-Fi network hardening, and segmentation – administrators and employees alike can improve the security of home networks
What’s in a network?
Home networks might seem simple at first – as just a computer connecting to a router gateway that provides access to the internet and corporate resources. But in reality, a multitude of additional devices typically share that network. Many home networks include:
- Shared personal computers
- Gaming consoles
- Mobile phones
- Printers and multifunction devices (such as combined scanner/fax/printers)
- Neighbors’ and friends’ devices
- Internet of things (IoT) devices including but not limited to:
- Smart TVs
- Lightbulbs and switches
- Voice-controlled speakers
- Doorbells, locks, and cameras
- Alarms and monitors
- Thermostats
Many people forget how many devices they’ve attached to their home networks, including the smart devices that they’ve integrated into their lives and the devices of previous visitors. As the number of devices increases, so do the risks associated with compromise of home networks. Each device can now be a point of attack for potential cybercriminals.
In recent years, IoT devices in particular have been easy targets for attackers to feast on. In fact, those who are so inclined can access code repositories dedicated to hacking IoT devices, and they can even take legitimate courses meant for IT professionals to learn how to compromise the devices.
Beyond the types of devices residing on a home network, the configuration of the network and the features enabled also play a part in home security. To counter the risks inherent in using the internet, home network administrators can take three steps to vastly improve their security and prevent cybercriminals from gaining access to an organization’s sensitive data.
1. Manage routers
What exactly is a router, and how does it affect a network? Briefly, a router is the device that sends traffic between a computer and the internet. In home networks, this device generally also acts as a switch to handle local network traffic and as a wireless access point to facilitate the Wi-Fi network. It can be used in line or combined with a modem (the device that translates the signal received from an internet service provider), and it is also referred to as a gateway. Because of routers’ central role, users take steps to introduce security controls and implement best practices – or harden – their routers.
Update, then update again
Routers clearly do more than just route traffic. In fact, the router is usually the central management point for most simple home networks. Therefore, routers are a critical point of focus for both protecting and hacking a network. The problem is, regular updates often neglect routers. Home network administrators should make sure to update their routers and then schedule a time for the routers to automatically install updates and restart going forward (where supported).
Complicate the credentials
To make changes to the router, the home administrator must first log into the router management interface with the administrator credentials, which are likely written on the device. If the credentials can’t be found, they can likely be identified by searching online via the device brand and model. This means that anyone on the internet can find those credentials and, given the chance, can use them to log into the router. Once attackers achieve that level of access, they can do any number of things, including phishing for credentials via a man-in-the-middle attack, joining the device to a botnet, launching a ransomware attack, and mining cryptocurrency. The fix to prevent all of this is to change the default administrator credentials to something long and complex that can’t be guessed.
Set limits
Another way to prevent router compromise is to limit internet-facing services, including the remote management interface. Doing so will prevent potential attackers on the internet from brute-force guessing administrator usernames and passwords. For adventurous administrators who wish to administer remotely, the service can be left enabled if multifactor authentication (MFA) is in use. If MFA is unsupported, IP-based restrictions should be put in place to allow logins only from trusted locations. Removing unsupported MFA and other services that are running and accessible from the internet can reduce the attack surface that hackers must work with.
Disable features
Additional features to address include disabling universal plug and play (UPnP) and port forwarding. UPnP is a feature originally designed to help internal systems such as gaming consoles to open up ports to communicate with services they need for internet functionality. However, this feature can be abused by attackers to open doors to home networks. Similarly, port forwarding directs internet traffic straight through to the internal home network instead of stopping it at the router.
2. Harden Wi-Fi networks
It makes sense to harden the router, but what about the Wi-Fi network itself? Many home networks are configured with cutesy or punny names to amuse the neighbors, which is perfectly acceptable from a security point of view. What about the password, though? Is the password also related to the network name, in that it answers a joke or is easily guessed? Or has the password never been changed from the default that the manufacturer set? Is there even a password? In these scenarios, weak or nonexistent Wi-Fi passwords can allow cybercriminals to connect to home wireless networks, which is the equivalent of hackers plugging into the router or sitting next to users as they use their devices.
Create complex passwords
To keep would-be attackers away, Wi-Fi networks should be configured with long, hard-to-guess passwords. “Long” is a very relative term here, but when it comes to the computational ability to capture an encrypted Wi-Fi password and crack it, 16 characters is a great starting place as a minimum length. The 802.11x standard that governs wireless networks allows up to 63 characters for the password, and although that might seem like overkill, a password that long pushes its ability to be cracked from the realm of possibility to nearly impossible.
Update the encryption scheme
Another consideration when configuring the Wi-Fi network (and an option that will need to be selected upon configuring a Wi-Fi password) is the encryption scheme. A long password is much more easily cracked if the encryption scheme is outdated, so Wi-Fi networks should be configured with the strongest available encryption scheme. For many routers, that means using Wi-Fi protected access 2 (WPA2) or WPA3. If a Wi-Fi network is configured with wired equivalent privacy (WEP) or WPA, it is computationally much easier for hackers to try and brute force the possible passwords (keys) protecting the network.
Disable WPS
Other tips to protect home networks include disabling Wi-Fi protected setup (WPS). WPS is a misguided attempt at making the joining of a Wi-Fi network easier by bypassing the password. In two common configuration modes, access to the Wi-Fi network can be provided via a predetermined eight-digit pin or by pushing a button right before attempting to associate to the network. The pin can essentially be brute-forced, since the router will actually validate the first and second halves of the pin separately and the last digit is always a checksum, reducing the pin possibilities from 100 million (10^8) to a measly 11 thousand (10^4 + 10^3).
Needless to say, an attacker would very quickly be able to gain access to the network by exploiting WPS. Although seemingly basic, preventing attackers from accessing a home Wi-Fi network is key to protecting the devices on that network.
3. Implement segmentation
Considering all the devices that might exist on home networks, protecting the router and Wi-Fi network doesn’t necessarily address the risks of any of these devices being compromised. How often are the devices on a home network updated? Do the manufacturers even support those products and release updates as vulnerabilities are discovered? Especially when it comes to IoT, so many unknowns exist regarding the security status of these devices. The safest bet is to keep these devices as separate as possible, to in a sense “quarantine” them, which can be accomplished through network segmentation.
Segment, segment, segment
Segmentation is one of the best tools at a network administrator’s disposal for separating risky devices and protecting a network, and this holds true for home network administrators, too. Segmentation entails creating separate virtual subnetworks (subnets) for individual devices or device types and creating traffic rules so that only those devices that absolutely need to can talk to one another.
Segmentation can be achieved on most routers. For others, one option is to install new router firmware such as OpenWRT or Tomato where supported, which can provide more robust features and options to accommodate security concerns. For less adventurous home administrators, a simpler option would be to enable the guest network and allow only corporate devices on that network (or vice versa with the main network).
Identify and manage vulnerabilities
One last piece of advice is just to take care of all the devices on a home network. All devices should be updated regularly, antivirus scans should be run where allowed, and, ideally, there should be some sort of suspicious activity monitoring. One often overlooked solution is to use a vulnerability scanner on home networks. Organizations usually balk at the pricing for enterprise-grade and -scale vulnerability scanners, but many of those same vendors offer free vulnerability scanners for home use. Obviously, many of these solutions come with limitations on the number of devices or services, but they still cover the basics of identifying high-risk issues that might be lurking on home networks. Vendors that offer home vulnerability scanners are listed here. (Note that this list does not constitute endorsement or recommendation.)
- Nessus
- Qualys
- ManageEngine
- Retina
- Nexpose
- Microsoft Baseline Security Analyzer (MBSA)
- Bitdefender
Empower employees, protect the organization
When corporate devices and data enter a home network, the risks and therefore the responsibilities for protecting those devices and data shift. As the lines between home and work continue to blur, organizations will have to depend on their employees to exercise due care by taking reasonable steps to secure their home networks. Employees hold more of an organization’s security in their hands than ever before, so the need for competent home network administration is paramount.