Looking for Part I? - Link: Security Mistakes Everyone Makes: Improving Personal, Mobile and Home Network Security - Part I
I hope you enjoyed Part I. Let's keep going.
Mistake: Not using Anti-Malware
Users of Windows 10 may actually have this down. Windows 10 includes Microsoft Defender by default, and many third-party products cover Windows as well.
If using OS X, there might be a perception that viruses do not pay attention to Apple products. Unfortunately, there are viruses that target Mac. Several major anti-virus vendors support OS X including some with free options.
Mistake: Auto-connecting to Wi-Fi
When connecting to Wi-Fi, your device may ask if you want to "Auto-Join this Network", "Remember this Network", or similar. However, more and more devices automatically default to auto-connect. In either case, it is best not to configure auto-connect to Wi-Fi access points, especially when those access points are unlikely to be seen again.
When a device is set to auto-connect, the device will connect to any Wi-Fi access point that happens to have the same "name", aka Service Set Identifier (SSID), if the SSID has a higher priority than other available access points. This may result in the device sharing information with networks that it should not, or at least not right now.
Default options are attractive. Some users will resist disabling auto-connection for access points they use frequently, but might still be convinced to avoid auto-connecting to access points they rarely encounter.
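One way to find saved profiles that still auto-connect to rarely seen access points. This is an added example, not part of the original article, and it assumes a Linux machine managed by NetworkManager; the 30-day threshold, the function names and the sample profile names are illustrative.

```python
import subprocess

WIFI = "802-11-wireless"  # NetworkManager's connection type for Wi-Fi profiles

def split_terse(line):
    """Split one `nmcli -t` line; nmcli backslash-escapes ':' and '\\' inside values."""
    cols, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur, i = cur + line[i + 1], i + 2
        elif line[i] == ":":
            cols, cur, i = cols + [cur], "", i + 1
        else:
            cur, i = cur + line[i], i + 1
    return cols + [cur]

def stale_autoconnect(output, now, max_age_days=30):
    """Return (name, days_since_last_use) for Wi-Fi profiles that still auto-connect
    but have not been used within max_age_days; days is None if never used."""
    findings = []
    for line in filter(None, output.splitlines()):
        name, ctype, auto, stamp = split_terse(line)
        if ctype != WIFI or auto != "yes":
            continue
        days = (now - int(stamp)) // 86400 if int(stamp) else None  # 0 = never used
        if days is None or days > max_age_days:
            findings.append((name, days))
    return findings

def read_profiles():
    """Ask NetworkManager for saved profiles (requires nmcli on the machine)."""
    cmd = ["nmcli", "-t", "-f", "NAME,TYPE,AUTOCONNECT,TIMESTAMP", "connection", "show"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample output, not taken from a real machine.
SAMPLE = "\n".join([
    "HomeNet:802-11-wireless:yes:1700000000",
    "Airport\\: Free WiFi:802-11-wireless:yes:1690000000",
    "Cafe:802-11-wireless:no:1650000000",
    "Wired connection 1:802-3-ethernet:yes:1700000000",
])
```

On a real machine, pass `read_profiles()` and `int(time.time())` to `stale_autoconnect`; each profile it reports can be switched off with `nmcli connection modify <name> connection.autoconnect no` or removed with `nmcli connection delete <name>`.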
Mistake: Using Insecure Wi-Fi
Public Wi-Fi tends to be insecure. The owner likely set up a Wi-Fi router with default settings or contracted a vendor, whose primary concern is rapid installation and ease-of-use, to install an access point. Whatever the case, public Wi-Fi is often literally public. For that reason, it is best to do important business on a trusted, secure network.
Given that just checking email is important business nowadays, users may view waiting for a secure network as impractical. There is a risk, but not all is lost. Security can be improved by following best practices.
Be careful to use end-to-end encryption at every opportunity. Usually, this means browsing strictly over HTTPS. Refer back to the discussion about encryption in Part I that talked about ensuring the browser always uses HTTPS.
Using a VPN can help with some key issues but does not provide end-to-end encryption, so it is no substitute for using HTTPS. However, a VPN covers some important parts of the journey. A VPN encrypts all traffic between you and the VPN provider, including unencrypted protocols that would otherwise have no protection at all. This includes the extra-vulnerable Wi-Fi connection. Again, using a VPN is not necessarily "safe" but it is "better".
Mistake: Configuring Insecure Wi-Fi
Note: You may be interested in the Home Router and Wi-Fi Security Tips checklist at Resources and Publications
Wi-Fi security can be complex, but basic security settings are within reach of many homeowners. Some simple settings can improve security significantly.
Change the Administrator password on the router to a long pass-phrase of 15 characters or more.
Example: Frog.Cat.Bird.Dog.Horse
Disable remote administration so that the admin has to connect directly to the router or access point from inside the building in order to access the Administrator Console
Change the "name" aka SSID of the Wi-Fi access point to a unique value. Otherwise, any device that happens to have visited some access point with that same name may try to connect.
Set the password on the Wi-Fi connection to a long pass-phrase while trying to make the password reasonable to type on a mobile device. But let's be honest. It is difficult to keep folks from using auto-connect with their home Wi-Fi, so chances are they are not going to have to type the password very often. 15 characters is a good start.
Unless a better security mode is available, set the security mode of the Wi-Fi access point to WPA2 Personal using AES
Disable Wi-Fi Protected Setup (WPS)
Mistake: Relying on Someone Else's Router for Your Security
Many Internet Service Providers (ISP) set up a router, often with a built-in Wi-Fi access point, at your home or small office. The security of the router might vary but obviously, you are not the only one with access since the ISP maintains the product. Also, the ISP router may use insecure settings, weak passwords, or any number of issues.
You can leave the ISP router in place, but plug your own router into the ISP router, then connect your Wi-Fi access points and devices to your router. With your router secured and solely under your control, the connected devices are more secure. In addition, you have created a small "DMZ"; a separate network between the "inside router" and "outside router" on which high-risk or untrusted devices can reside.
For example, in the conceptual diagram below, the VOIP phone service is connected to the exterior router while personal devices are attached to the interior router.
It is more trouble to manage your own equipment but adds a fair amount of security if your equipment is configured well.
Mistake: Not Filtering DNS
Software programs and people usually do not remember the IP addresses of the Internet services they connect with. Instead, the service is given a friendly, domain name. Software, such as a web browser, can use the Domain Name System (DNS) to look up the IP address with the domain name as needed.
Some DNS service providers keep a list of domains associated with malicious activity or with content that you prefer not to be accessed from your devices. These DNS Sinkhole services block access by returning an IP address of 0.0.0.0 instead of the real IP address of the service. As a result, the device cannot connect.
Some DNS Sinkhole services do not allow the subscriber to choose what content is blocked. They block sites on the list they curate. An example is OpenDNS Family Shield, which automatically blocks adult content and malicious sites. This type of sinkhole is simple to set up and does not require registration.
More sophisticated sinkholes allow the subscriber to choose what content they would like to block. Subscribers configure the categories to block in an administrative console. For example, the OpenDNS Home product lets the user fine-tune the filter by category. Configurable sinkholes usually require registration and login to access the console, plus are more trouble than the simpler set-and-forget versions, but offer much more control.
What about the security of my company?
A security audit, vulnerability assessment, or penetration test can uncover security vulnerabilities in your network, web application, mobile application, and APIs then teach you how to address the issues so you can take action. Ellipsis InfoSec provides top-quality security audits, assessments, and penetration tests from a highly-certified, globally-recognized expert with many years of experience testing healthcare, retail, supply chain, and other Fortune 50 network, web, mobile, web services, and APIs. Please reach out to Ellipsis today for more information.
[Up Next: Home Network Security Tips checklist on the Resources and Publications page]