With a large amount of confidential and/or proprietary information residing on and flowing through a corporation’s network, organizations put a lot of effort into ensuring that information stays confidential and remains accessible. For example, they may utilize some form of Network Access Control, which only allows authorized devices to connect to the network, perform vulnerability scanning in-house, or have an external cybersecurity company such as SureCloud perform security testing on the corporation’s assets. Efforts will have been made to ensure all networks and devices are secure, and that information can only be accessed by those who are authorized to access it. All of these are very sensible and recommended best practices.
With working from home becoming the ‘new normal,’ that same corporation now has a distributed network that goes all the way to their employees’ home networks: networks that the corporation has little control over and that, for all intents and purposes, may be completely insecure.
While corporations cannot take control of these home networks (short of supplying employees with corporate hotspots anyway), what they can do is give advice to their staff about the best steps to take to secure their home network.
Some remote working users may have very secure home networks, the owner having invested their own time and money in order to provide themselves that assurance. However, home networks like this are likely to be in the minority, and this advice won’t be directed at them. These 5 tips are aimed at the majority, who most likely have a major-brand ISP supplied wireless router with the default settings.
This encryption makes your communications with the router unreadable by other persons ‘sniffing’ the packets from the air. Some of the encryption types available have been around since the early days of wireless networks and are now easily broken. Routers may call the encryption they support by different names; the following table aims to illustrate safe and weak home wireless encryption protocols:
| Rating | Encryption protocols |
|---|---|
| Safe | WPA3 or WPA2. May be labelled something like WPA2-PSK (AES) or WPA3 (AES). |
| Weak | No encryption. WEP, WPA, WPA1, WPA2 with TKIP and WPA/WPA2 or Mixed Mode. |
If there are no good encryption protocols to choose from, then be mindful that even weak encryption is better than no encryption. That said, if this is the case, then it is probably time to update your wireless router.
Make sure that the password to your wireless network (sometimes called a Pre-Shared Key or PSK) is secure. If an attacker is able to guess or brute-force the password to your wireless network, which involves trying many thousands of guesses in an automated attempt to find the correct password, then they are able to join it. Once joined to your network, the attacker would be able to search it for vulnerable devices as well as view the traffic from other devices on the network (excluding wireless networks using WPA3).
When choosing a password, it is good practice not to use dictionary-based words or mutations of dictionary words (e.g. SureCloud > 5ur3Cl0ud), to use as many special characters (i.e. not numerical or alpha) as possible, and to make the password at least 12 characters long.
Another element of keeping the password secure is knowing who has access to it, and therefore to your network. If you don’t know exactly who is connecting to your network, it’s probably time to change the password to something new.
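The password checks described above (minimum length, special characters, and dictionary words including mutations such as 5ur3Cl0ud), as an added example that is not part of the original article. The wordlist, substitution map and function names are constructed for illustration; a real check would load a full dictionary file.

```python
# Added example: checks a candidate Wi-Fi password (PSK) against the
# three tips in the text. All names and sample data here are constructed.

# Constructed sample wordlist; replace with a full dictionary in practice.
WORDLIST = {"sure", "cloud", "surecloud", "password",
            "admin", "default", "router", "welcome"}

# Common character substitutions ("mutations") mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # minimum length recommended in the text


def normalise(password):
    """Lower-case and undo substitutions, so 5ur3Cl0ud becomes surecloud."""
    return password.lower().translate(LEET)


def dictionary_hits(password, wordlist=WORDLIST, min_word=4):
    """Return wordlist entries found in the password, raw or de-mutated."""
    candidates = {password.lower(), normalise(password)}
    return sorted(w for w in wordlist
                  if len(w) >= min_word and any(w in c for c in candidates))


def count_special(password):
    """Count characters that are neither letters nor digits."""
    return sum(1 for ch in password if not ch.isalnum())


def check_psk(password):
    """Return a list of problems; an empty list means all checks passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if count_special(password) == 0:
        problems.append("no special characters")
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ("5ur3Cl0ud", "SureCloud2024!!", "q7#Vz!r9&Lx^2mT%"):
        print(candidate, "->", check_psk(candidate) or "OK")
```

The second sample shows why length and special characters alone are not enough: it passes both of those checks but still fails on the embedded dictionary word.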
The Administrator password allows a user of the network to access the settings of the router and change them. This tip only applies if the password is already something easily guessable, such as the name of the ISP, the name of the manufacturer of the device, ‘default’, or ‘admin’. Some modern routers use more complex default passwords, which do not need to be changed as they are not easily guessable.
Many ISP routers now do this automatically, by downloading the firmware, installing it and rebooting the router in the dead of night. But not all routers will do this. You should be able to access the upgrade options by logging into the router with the Administrator password and looking for the upgrade, update, or firmware option. Consult the manufacturer or distributor of your router for instructions on how to best do this.
This means installing updates on your computers as they come in, changing default passwords on any smart devices which may be connected, ensuring that anti-virus software is running on all computers, and trying to be somewhat sensible about what is downloaded and installed.
The FBI has recommended that Internet of Things (IoT) devices such as security cameras and smart devices are not kept on the same network as the more sensitive devices such as personal and work computers. While this is indeed sensible advice, it’s not feasible to expect the average home worker (not a network security expert) with standard consumer networking equipment to be able to do that.
Ultimately, for organizations, it comes down to what lies in their sphere of influence. They have limited influence over a user’s home network, but they can offer guidance that employees will hopefully listen to. What businesses can directly control is their own equipment and procedures. Therefore, I would recommend assuming that an employee’s home network is fully untrusted and full of malicious actors while ensuring that the corporate equipment can operate securely in such an environment.
Best of luck!
SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk. SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.