Written by Nicholas Caron
Securing your devices in this era of connected everything can quickly become an insurmountable quagmire. You, the impromptu system administrator, are thrust into an anxiety-inducing position of learning of endless new threats to your home devices, all while trying to please your increasingly annoyed housemate, who would just like to add their WiFi-enabled blender to the network. The deeper you dive, the more confusing the terms are that are thrown back at you. You may grow to wonder, "Is any of this worth it?"
To that I would say, "Yes!", although information security professionals' guidance to the layperson could use some work. Despite our overflowing advice to keep people safe, we often neglect threat models - the potential threats that you would actually be exposed to on a day-to-day basis. We cast shadows of large, scary-sounding vulnerabilities over our users. However, at home, you could be far better protected if you knew how to prevent your small child from clicking a malicious advertisement.
This post will attempt to thwart this common shortcoming in presentation. Instead of going too deep on one particular subject, we'll break things down into a few common categories and give 3 small tips for each to better secure your home. Even if you only have time to implement a few of these suggestions, any additions you are able to make will give you a clear step up in your home security posture.
The Golden Rule of Home Security: Device updates
Much of security can be intimidating, and that's okay, it's certainly overwhelming for us professionals as well! If you do nothing else, keeping your devices up to date can not only protect most of your devices in a single swoop, but it can also help continue to shield you from various novel horrors of the internet.
1: Automatic updates
Without a doubt, always enable automatic updates on every device, operating system, and piece of software that gives the option. While you may hate the way things look in new major updates to your favorite applications, by not opting in to automatic updates, you directly abandon remedies for potentially devastating problems. Without these updates, the places where you are most insecure will remain forever insecure, so please be sure to enable this critical setting. Be sure to check the settings for your various devices for more information.
2: Manual Updates and End-of-Life Products
If you want to take this a step further, feel free to research how to regularly update things around the house that may require manual intervention. Things like your router firmware may require directly logging in (more on that later), and various Internet of Things (IoT) devices will often require you to dig around in their app to initiate an update.
All good things must come to an end, however, and more often than not, your favorite connected products will reach a point where they are no longer given updates. This is known as "end-of-life." You may get lucky and be notified of this occurrence, but if not, it's a good idea to search the web occasionally to see if your devices are still receiving updates. If something you own has reached end-of-life, the only unfortunate recommendation I can give is to remove it from the internet permanently. Without a robust community to provide unofficial patches and the know-how to apply them, or the means to defend yourself against unpatched novel attacks, you will become permanently vulnerable.
3: UEFI Updates for Desktop and Laptop Computers
Perhaps one of the more recent, yet critical, kinds of hidden manual update is the UEFI firmware update. This protects you from particularly nasty kernel-level attacks, where some of the most critical code to keep your machine running executes, such as the infamous Spectre/Meltdown vulnerabilities. Should you choose to tackle this final option, be very careful. A failed or interrupted firmware update will typically leave your computer's motherboard, and with it your entire computer, unable to function. Ensure you consult your motherboard maker's website for direct instructions on how to perform this activity. The maker's name will typically show up on the splash screen when you boot your computer, before your operating system loads. You should also have some kind of backup storage on hand to load the update (a USB stick works fine to this end), and if you want to be extra safe, consider investing in a small, uninterruptible power supply to ensure the update succeeds in case of power fluctuation.
The router is often the first stop you'll make on the way to the internet at large, and the last stop malicious entities will have to traverse before having direct access to your devices. This makes it a natural place to continue our journey of securing our home!
1: Change your default WiFi and administrator passwords
Default passwords are a pox upon internet-connected devices. It should always be assumed that if a password exists as some sort of default for a device, an attacker will know it. Changing your defaults is typically done by directly logging into the router itself, though some modern routers will allow you to change this information by using an included app (for the former, you'll often see the admin login information on the outside of your router). Different routers use different private network addresses that you can access via your browser. You can use this as a quick guide if you're not sure where to go: https://www.techspot.com/guides/287-default-router-ip-addresses/.
2: Put "untrusted" devices on a "guest" network
Most modern routers will have the option to add a guest network to your suite of networks, which you can use for far more than a visitor WiFi. Despite speaking to the same router, devices on different networks will be unaware of each other, making it an excellent means of partitioning your networks into devices you can reliably secure, and devices that may be harder to keep track of. Good examples of things to put on your "guest" network are smart devices and printers, which are known to be harder to secure properly. Some modern routers will have a guest network option that can be simply enabled. However, if not, you may need to either create one if able, or use your 2.4GHz network as this sectioned-off network (if you have one network called NetworkName-5G, and another called NetworkName, use the latter). Otherwise, if you have a particularly old router with only one network, and no other means of changing things around, consider upgrading to a new one! Not only will you be more secure, you might be leaving internet speed on the table when combined with modern internet packages.
3: Configure the advanced settings on your router to match your home network
While this may appear obvious, one can easily forget, or may never even realize, that there are additional settings on your firewall that users can tweak to meet their own needs. We won't linger too long here given that these settings are very much router dependent, but here are a few examples of options you can set to get you started:
· Turn off any settings you don't use: this includes WPS, UPnP, port forwarding, remote management, DHCP, etc. Fewer enabled features mean a smaller attack surface.
· Configure your default DNS servers, which provide your devices with computer-readable addresses for various named services such as your favorite URLs. There are plenty of reasonable choices here, such as 8.8.8.8 (Google managed DNS).
· If you're really looking to lock things down, and don't mind a learning experience, see if your router comes with a configurable firewall. You'll likely need to read up on a few subjects to truly understand what's going on, such as IP addresses, subnet masks, and TCP/UDP ports, but can subsequently put hard controls on what enters and leaves your network.
1: Choose a trustworthy browser
Your initial choice of browser is probably one of the easiest ways to either give yourself a healthy amount of protection, or expose yourself to problems. Generally, most websites support Firefox and Chrome, and I'd heartily recommend using either as a default browser. Microsoft Edge is also becoming a viable choice for Windows users, and Safari is a fine default for Macs, though I would avoid Internet Explorer at all costs; many websites and web frameworks simply no longer support it, and as such, it's probably best to leave it behind.
2: Get acquainted with a password manager and 2-factor authentication
OK, these aren't exactly browser related, but given they are perhaps two of the most immediately relevant and potent security tools you can use while online, I'd be remiss not to suggest them here.
Password managers can seem scary at a glance; the fear is that you have a single password between attackers and access to every little aspect of your life. In reality, these systems do wonders for your security, since with one very strong password, you can have other unique and secure passwords for anything that may require one, all safely and securely kept in a private password vault that others cannot pry into. While sticky notes and hidden notebooks full of passwords may appear to fulfill the same purpose, you also run the risk of anyone physically passing by gaining your logins as well. When generating passwords while using these apps, be sure you're set up for sufficient complexity: use letters, numbers and symbols, and use at least twelve characters. If you're looking for a suggestion, OnePass is generally the recommended standard, but LastPass may also be appealing as a secondary option due to options such as family password sharing.
A password alone no longer serves as a perfect identifier. To get closer to that ideal, we can also enable 2-factor authentication (2FA) on both our password manager and all supporting applications and websites. 2FA gives the added benefit of its namesake by providing a secondary code to prove that you are in fact who you claim to be, by possessing a special token. The most common forms of 2-factor are text message-based codes and app-based authentication, though you can also purchase physical 2-factor specific devices such as a YubiKey, if you wish to go the extra mile. In general, if you are in possession of a smartphone, I would strongly suggest using authenticator app style 2FA over the text option. Text-based authentication can be OK in a pinch and if nothing else is available; however, be aware that various types of direct attacks on telecom systems are often used to subvert this control.
3: Install an ad blocker
Malvertising has infamously been a pain point for privacy and security concerns alike. Thankfully, there are various ad blockers that can ensure your browser is less likely to render this malicious content. I'd personally recommend uBlock Origin: a free add-on that can be found in various browser app stores. You even have the option to disable this feature on websites you trust, allowing you to support any particular sites which you may want to ensure receive fiscal support through your ad viewing.
Computers: From PCs to Smartphones
The evolution of phones from pure communication devices to handheld computers comes with a perk: we can boil down our advice for both into a single section! Some of the best ways to protect each involve the same security principles and differ only in slight changes of implementation.
1) Give your device a solid password.
This should come as little surprise at this point, but stopping attackers from simply logging in with weak authentication is going to be the best way to protect yourself in the majority of cases. Unfortunately, this means avoiding many conveniences when it comes to password options. Pattern-based logins such as those on Android phones are very easy to shoulder surf, meaning an observer can often quickly memorize your password by watching you enter it. Short numeric PINs are also not optimal, as they often lead to easily guessable combinations, and offer a very short space of potential passwords to use. Biometrics are perhaps the most hotly contested form of authentication, and suffer from some particularly interesting flaws, from fingerprint scanning being imperfect, to being the most readily vulnerable to physical coercion.
It's hard then to argue against the tested methodology of the alphanumeric password. Use the same advice I gave above for password managers here, and your physical device logins should be equally safe.
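The password advice from the password-manager tip and from this one, as an added example that is not part of the original post: a checker and generator for the "letters, numbers and symbols, at least twelve characters" rule, plus a comparison of the guessing space of a short PIN against such a password. The symbol set and function names are assumptions made for the example.

```python
import math
import secrets
import string

# Policy from the advice above: letters, numbers and symbols, 12+ characters.
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumption: accepted symbols vary by site
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def policy_gaps(password):
    """Return the ways a password falls short of the policy (empty list = OK)."""
    gaps = []
    if len(password) < MIN_LENGTH:
        gaps.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        gaps.append("no letters")
    if not any(c.isdigit() for c in password):
        gaps.append("no numbers")
    if not any(not c.isalnum() for c in password):
        gaps.append("no symbols")
    return gaps


def generate_password(length=16):
    """Draw every character from the OS CSPRNG and retry until the policy is met.

    Retrying whole candidates (rejection sampling) keeps each compliant password
    equally likely, unlike forcing one digit and one symbol into fixed slots.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_gaps(candidate):
            return candidate


def search_space_bits(alphabet_size, length):
    """Bits of guessing work for a uniformly random secret of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("generated:", generate_password())
    print("4-digit PIN: %.1f bits" % search_space_bits(10, 4))
    print("12-char password: %.1f bits" % search_space_bits(len(ALPHABET), 12))
```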
2) Actively manage your permissions
The concept of "least privilege" is one of the strongest tools in the security design toolbox. This concept centers on giving each user only the exact amount of permission they need to perform their specific task. You should be ensuring you keep to this principle with the applications running on your machines, as it limits the tools of enterprising attackers if they manage to make their way onto your devices. Both computers and smartphones have ways of managing different types of permissions and should absolutely be researched further if not listed below.
Android and Apple phones have made this process relatively trivial; upon installation of new applications, both will provide prompts asking if this particular application should be able to access differing functions on your device. Always take your time with these prompts and be sure to either disable a permission if you don't think the application needs it or choose the option that most limits the application's access otherwise. A good example of this is the new feature in iOS 14 of only allowing selected photos to be accessible to apps; simply select the photos you want accessed (you can even choose an album to keep things organized!) and keep the rest hidden away safely. Your settings screen should also provide the means to make changes later on an app-by-app basis, should you change your mind on any particular permission choice.
Full-fledged computers tackle this issue slightly differently, as they often rely on the user/group permissions structure. This focuses on how your permissions are tied to aspects of your specific user account. If given free rein to run with administrator permissions, an attacker can essentially do whatever they want on your system with little recourse. Consequently, keeping them bound to a user account with limited permission may keep them from causing further harm, such as installing additional malicious software on your machine as part of an attack chain.
Windows machines do this via UAC, an optional setting that should absolutely be cranked to its maximum setting, as it forces applications to run at user-level permissions by default and gives manual prompts for any situations where they need additional permissions. Typing UAC in the Windows search bar should take you to this option: be sure to set it to the top level of "Always notify me." Macs are closer to their phone counterparts, where no manual intervention should be required to enable permission prompts, but be sure to again pay attention, whenever prompted, to what app is requesting greater powers. The act of clicking through permission requests can be tiresome in either case, but keep in mind that this keeps the power of your apps in your control, rather than leaving it to the whims of the applications themselves, or worse, malicious third parties.
3) Back Up Frequently!
Backups may not immediately come to mind as a security control, but having the ability to go back in time if your system is left in a bad state can save you from debilitating ransomware and various other undesirable situations. Fortunately, every system we've mentioned so far includes its own means of backup: Macs have Time Machine; Windows has File History and system image backups; and Apple and Android phones have their own built-in backup functionality. Generally, I would recommend the purchase of an external drive to connect as a backup target, as this allows you to keep all your different system images safe on an external device. I would also recommend setting a backup schedule if possible, ensuring you have a solid repository of images to step back to in case of failure; once a week is my general recommendation, but feel free to adjust based on need, usage, and storage limitations.
This list is by no means exhaustive of everything you could do for your home network, nor does it cover every device you could plug into a wall socket. But again, this is very much the point. Security can be an overwhelming venture if you attempt to solve every problem; you need to map your risks for what you're most able to address. With these suggestions, I hope that you will be able to feel a bit more confident in your home security, and perhaps even find the curiosity to explore deeper to make and keep your household secure for years to come!