September 28, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
Cyber crime continues to explode during the current pandemic, and working from home is a major reason why. A recent security audit at NASA found that “the pandemic and work from home have greatly increased the cyber attack surface and attack attempts.” So let’s talk about just one aspect of improving security in your home office this week:
Securing your wireless router
(1) Change the default admin password
I’ve talked about this before. Whenever you buy a new device, whether it’s a wireless router or a smart camera or a “connected” appliance, whatever, the first thing you want to do is change the default password. Most botnets start searching for new victims by looking for devices that are using the (known) default passwords. You can find the default password on a sticker on the device, or on a card in the box, or you may have to look it up on the manufacturer's website.
(2) Enable WPA2 encryption & disable WPS
Remember, encryption is your friend! Without encryption, anyone with a laptop and $30 worth of electronics can eavesdrop on your Internet connection.
WPA2 is the most secure standard currently available. WPS has a major security flaw that cannot be fixed.
(3) Set a strong password (security key) for connecting devices
(4) Disable remote management over the Internet
Most devices will have a checkbox somewhere in the settings with some variation of “remote administration” on its label. Disable this option (or enable “block remote administration” if that’s your label). Without remote administration, your device can only be configured by a computer on your home network, not from the Internet at large.
(5) Log out after configuring the router
In fact, get in the habit of ALWAYS logging out of anything, including websites, when you are done for the moment. Think of it like a light switch – walk into a room, turn on the light, walk out the door, flip it off. Log into websites to do stuff, then log out when you are through. If you just close the browser window without logging out of the site, you are leaving open an authenticated session. So why does that matter? Session hijacking:
an attack where a user session is taken over by an attacker. A session starts when you log into a service, for example your banking application, and ends when you log out. The attack relies on the attacker’s knowledge of your session cookie, so it is also called cookie hijacking or cookie side-jacking. Although any computer session could be hijacked, session hijacking most commonly applies to browser sessions and web applications.
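To show why an open session matters, here is an added example (my own illustration, not code from the original post or any product) of how a web server typically tracks a login: closing the browser window deletes nothing on the server, so the session cookie still authenticates, while logging out, or the server's idle timeout, revokes it. The names SessionStore, IDLE_TIMEOUT and the scenario functions are my own.

```python
import secrets
import time

# Constructed illustration, not code from the original post: an in-memory session table.
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which the server drops a session

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session id (the cookie value) -> {"user", "last_seen"}
        self._clock = clock  # injectable so the idle timeout can be simulated

    def login(self, user):
        """Issue a fresh, unguessable session id; this is what the cookie carries."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def is_valid(self, sid):
        """The check the server runs on every request that presents the cookie."""
        entry = self._sessions.get(sid)
        if entry is None or self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # unknown or expired: treat as logged out
            return False
        entry["last_seen"] = self._clock()
        return True

    def logout(self, sid):
        """Explicit logout: the server forgets the id, so a copied cookie no longer works."""
        self._sessions.pop(sid, None)

def _fresh_session():
    now = [1_000_000.0]  # fake clock so the scenarios run instantly
    store = SessionStore(clock=lambda: now[0])
    return store, store.login("alice"), now

def session_after_closing_browser():
    # Closing the window deletes nothing on the server: the cookie still authenticates.
    store, sid, _ = _fresh_session()
    return store.is_valid(sid)  # True

def session_after_logout():
    # Logging out revokes the session server-side.
    store, sid, _ = _fresh_session()
    store.logout(sid)
    return store.is_valid(sid)  # False

def session_after_idle_timeout():
    # An idle timeout is the server's safety net when users forget to log out.
    store, sid, now = _fresh_session()
    now[0] += IDLE_TIMEOUT + 1
    return store.is_valid(sid)  # False
```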
(6) Register it with the manufacturer
I know it’s old school, and most people don’t think to register their products because warranties don’t mean that much these days, but there is one other good reason to register your product: if a security flaw is found, the manufacturer can notify you. For example, in the case of Mirai’s massive DDoS attacks in 2016, many of the cameras used were from a single manufacturer, and the malware exploited a vulnerability in their firmware. The manufacturer released a firmware upgrade for the newer cameras, and offered free replacements for older cameras that couldn’t be upgraded. Many people were completely unaware of the situation, however, and the manufacturer had no way of knowing who had purchased their products. Accordingly, many of those compromised devices remained in use by botnets until they died and were replaced.
This is of course only one aspect of securing your home network. Using network segmentation is also an important piece. And there are more things I can add to the discussion … another time!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺