In the wake of Friday’s cyber-attack that has so far hit 150 countries, Ron Temske, Vice President, Security Solutions, Logicalis US offers up practical IT security tips to avoid homeworkers becoming the next significant IT security breach for your organisation.
I don’t think I’ve met an executive globally, either through work or socially, who doesn’t spend some time working from home.
The US Bureau of Labour Statistics reports that some 24% of the labour force spends some time working from home. In the UK, 4.2m people work from home, and there is no reason to think the numbers are not significant in other territories.
With that in mind CIOs should ask if the source of the next significant data breach could be of a more domestic nature than their data centre or head office.
While company-issued technology can be locked down, the opportunities for nefarious activity on a home network are endless: online shopping and sharing pictures, eCards and correspondence from home (and office), a new mobile or wired device that will connect with your home or small office network.
Then there are all the IoT threats to consider: a network-accessible thermostat or home automation system, mobile devices on a network and Smart TVs.
CIOs should therefore provide pointers and simple steps homeworkers can take to improve their security, particularly with GDPR around the corner.
- Change the default passwords. This is frequently overlooked. Check that this has been changed.
- Disable console access from the Internet. Leaving the console accessible from the Internet is just asking someone to hack in.
- Don’t use descriptive SSID names. For example, Jane’s Home Office would wave a flag to potential hackers.
- Encrypt the connection. If possible, use WPA2-PSK with AES for encryption (some older devices won’t support this). Next choice would be WPA. WEP should be avoided at all costs.
- Try the free service offered by OpenDNS for your personal DNS services. For personal use, Cisco Umbrella (formerly OpenDNS) offers a free, secure DNS solution. Almost all routers will allow users to hard-code a DNS server (rather than using the one provided by your ISP). Configure the primary DNS to 208.67.222.222 and the secondary DNS to 208.67.220.220 to enjoy secure Internet access.
- Ensure the latest firmware is installed. Many security holes are patched via firmware updates.
- Disable WPS (WiFi Protected Setup). This makes it easier to add new devices, but bugs in the protocol make it very susceptible to brute force attacks. The same goes for UPnP.
- Periodically look at the devices accessing the network. It’s worth investigating if there are devices on there that aren’t familiar. Look at logs too – not just devices actively signed on at the time.
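One way to carry out the device review described in the last tip, as an added example that is not part of the original article: it assumes a router that exposes dnsmasq lease and log data (as OpenWrt and many home routers do), and the lease lines, log lines and KNOWN inventory below are constructed sample data.

```python
import re

# Constructed sample data in dnsmasq formats.
# Lease file columns: expiry-epoch MAC IP hostname client-id
LEASES = """\
1494950400 3c:22:fb:10:20:30 192.168.1.10 work-laptop 01:3c:22:fb:10:20:30
1494950460 b8:27:eb:aa:bb:cc 192.168.1.23 * *
"""
# Syslog lines: DHCPACK records also show devices that joined earlier and left.
LOG = """\
May 15 09:12:01 router dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.10 3c:22:fb:10:20:30 work-laptop
May 15 23:47:19 router dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.41 da:a1:19:00:11:22 android-5f
May 16 02:03:55 router dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.23 b8:27:eb:aa:bb:cc
"""
# Hypothetical inventory of devices the household recognises.
KNOWN = {"3c:22:fb:10:20:30": "work laptop"}

ACK_RE = re.compile(
    r"DHCPACK\(\S+\) (\S+) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (\S+))?", re.I)

def is_randomised(mac):
    """Locally administered bit set: typical of phones using private Wi-Fi addresses."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(leases, log, known):
    """Return {mac: info} for every device not in the inventory, from leases and logs."""
    seen = {}
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            _, mac, ip, host = parts[:4]
            seen[mac.lower()] = {"ip": ip, "host": host, "active": True}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.group(1), m.group(2).lower(), m.group(3) or "*"
            # Keep the active lease record if there is one; otherwise log-only.
            seen.setdefault(mac, {"ip": ip, "host": host, "active": False})
    return {mac: dict(info, randomised=is_randomised(mac))
            for mac, info in seen.items() if mac not in known}

if __name__ == "__main__":
    for mac, info in sorted(audit(LEASES, LOG, KNOWN).items()):
        state = "active lease" if info["active"] else "seen in log only"
        note = " (randomised MAC)" if info["randomised"] else ""
        print(f"UNKNOWN {mac} {info['ip']} {info['host']} - {state}{note}")
```

A device flagged as randomised is often a family phone using a private Wi-Fi address, so confirm on the handset before treating it as an intruder.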
Wireless Security Tips
- Create a separate guest network. Most newer routers provide the functionality to create a separate guest network. There’s no reason to put friends or office visitors onto your own network when all they need is Internet access. A guest network prohibits them from leaving with the credentials for your home or office network stored on their devices.
- Create a third network for your IoT devices. Far too many IoT devices (e.g. cameras, thermostats, etc.) are insecure. While they can’t be made inherently secure, they can at least be segmented or separated from the rest of the network to restrict their access. If the router only supports two networks, set up IoT devices on the guest network.
- As with the routers, change the default passwords in your IoT devices.
- Turn off any unnecessary services. The security cameras used in the recent DDoS attack had telnet services enabled. Why? Turn off those services that are not needed for devices to function properly.
- Use the most up-to-date WiFi frequency. Assuming you aren’t supporting any ancient wireless devices, disable 802.11b and if you’ve made the move to 5GHz then disable 2.4GHz.
General IT Security Tips
- Don’t use an account with administrative rights on a home system. Have a user account with minimal rights and escalate privilege when necessary. This is a little more work, but if your account is compromised it will minimise the damage that can be done.
- Ensure Antivirus/Antimalware is up to date on each device.
- Backup data! If hit with malware, life will be a lot easier if all data is securely stored elsewhere. Test restore capabilities as well – as the adage goes, backup is easy, it’s restore that’s difficult.
- Keep applications, plugins and extensions up-to-date. In addition to keeping the operating system up to date, be mindful of applications as well, especially browser plugins. Flexera offers a free tool for personal use called the Personal Software Inspector (http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/) that is useful for identifying programmes that are insecure and need updates.