How to improve the security of your home network
What is home network security and what does it consist of?
The home network security refers to the protection of a network connecting the devices to each other and to the Internet within a home. Whether it’s keeping in touch with friends and family, paying e-bills or telecommuting, the Internet allows us to do our homework more efficiently and comfortably from the comfort of our home. However, with the gradual incorporation of technology into our daily lives, the risk of security problems also increases. As a result, it is imperative that home users understand and remain vigilant about Internet connection risks and the importance of adequately protecting home networks and systems.
Why secure your home network?
Many home users share two misconceptions about the security of their networks.
- They believe their home network is too small to be at risk of cyber attacks.
- They believe their devices are “safe enough” as soon as they are out of the box.
If a network connects to the Internet, it is inherently more vulnerable and sensitive to external threats.
Many Internet-enabled consumer products are preconfigured with factory settings, including default usernames and passwords. Many people leave them unchanged, creating opportunities for malicious cyber actors to gain unauthorized access to information, install malicious software (malware) and cause other problems.
How can I improve the security of my home network?
By following some of the simple but effective mitigation techniques below ( do-it-yourself cybersecurity ), you can significantly reduce the attack surface of your home network and make it more difficult for a malicious cybernetic actor to launch a successful attack.
- Update the software regularly.
Regular software updates are one of the most effective steps to improve the overall cyber security position of home networks and systems. In addition to adding new features and functionality, software updates often include critical patches and security fixes for newly discovered threats and vulnerabilities. Most modern software applications will automatically check for new released updates. If automatic updates are not available, consider purchasing a software program that centrally identifies and manages all installed software updates.
- Remove unnecessary services and software.
Disable all unnecessary services to reduce the attack surface of the network and devices, including the router. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increase in the attack surface of your network environment. This is especially true with new computer systems on which vendors often pre-install a large number of test software and applications – termed “bloatware” – that users may not find useful.
The National Cybersecurity and Communications Integration Center (NCCIC) recommends that you seek and remove any software or services that are not used regularly.
- Adjust the factory default configurations on software and hardware.
Many software and hardware products come “out of the box” with overly permissive factory default configurations, designed to make them easy to use and reduce troubleshooting time for customer service. Unfortunately, these default configurations are not security-oriented.
Leaving them enabled after installation can create more exploitation possibilities for an attacker. Users should take measures to stiffen the default configuration parameters to reduce vulnerabilities and protect against intrusion.
- Run updated antivirussoftware .
A reliable antivirus software application is an important measure of protection against known malicious threats. It can detect, quarantine and automatically remove various types of malware, such as viruses, worms and ransomware. Many antivirus solutions are extremely easy to install and intuitive to use. NCCIC recommends that all computers and mobile devices on the home network run antivirus software. Also, be sure to turn on automatic virus definition updates to ensure maximum protection against the latest threats. Note: Since detection is based on models known to signatures – known models that can identify the code as malware – even the best antivirus does not provide adequate protection against new and advanced threats, such as zero-day exploits and polymorphic viruses.
- Install a network firewall.
Install a firewall on the edge of the home network to defend against external threats. A firewall can prevent malicious traffic from entering your home network and alert you of potentially dangerous activities. If configured correctly, it can also act as a barrier to internal threats, preventing unwanted or malicious software from reaching the Internet. Most wireless routers have a configurable and integrated network firewall that includes additional features, such as access controls, web filtering and denial-of-service (DoS) defense, which can be adapted to the network environment. Note that some firewall features, including the firewall itself, can be disabled by default. Ensuring that the firewall is active and that all settings are configured correctly will strengthen network security. Note: The Internet Service Provider (ISP) may be able to help you determine if the firewall has the most appropriate settings for your particular device and environment.
- Install firewalls on network devices.
In addition to a network firewall, consider installing a firewall on all computers connected to the network. Often called host- or software-based, these firewalls inspect and filter the incoming and outgoing network traffic of a computer based on a predetermined policy or set of rules. Most modern Windows and Linux operating systems come with an integrated, customizable and feature-rich firewall. In addition, most vendors combine their antivirus software with additional security features such as parental control, email protection and blocking of malicious websites.
- Back up your data regularly.
Create and store, using external media or a cloud-based service, regular backup copies of all valuable information residing on the device. Consider using a third-party backup application, which can simplify and automate the process. Make sure to encrypt your backup to protect the confidentiality and integrity of your information. Data backups are critical to minimizing impact in the event of data loss, damage, infection or theft.
- Enable wireless security.
Follow the procedure below to increase the security of the wireless router. Note: Consult your router’s instruction manual or contact your ISP for specific instructions on how to change a particular device setting.
- Use the most powerful encryption protocol available.
NCCIC recommends using Wi-Fi Protected Access 2 (WPA2) Personal Advanced Encryption Standard (AES)and Temporary Key Integrity Protocol (TKIP) , which is currently the most secure router configuration available for home use. It incorporates the Advanced Encryption Standard (AES) and is capable of using 128, 192 and 256 bit cryptographic keys. This standard has been approved by the National Institute of Standards and Technology (NIST).
- Change the default administrator password of the router.
Most network devices, including wireless access points, are preconfigured with predefined administrator passwords to simplify configuration. These predefined credentials are not secure: they can be easily available on the Internet or they can also be physically labeled on the router itself. Changing the router’s administrator password helps protect it from an attack using the default credentials.
- Change the default SSID.
Sometimes referred to as a “network name”, a Service Set Identifier (SSID)is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Since the device’s default SSID typically identifies the manufacturer or device itself, an attacker can use it to identify the device and exploit its known vulnerabilities. Make your SSID unique and don’t tie it to your identity or location information, which makes it easier for the attacker to identify your home network.
- Disable WPS.
Wi-Fi Protected Setup (WPS) provides simplified mechanisms that allow a wireless device to connect to a Wi-Fi network without having to enter the password for the wireless network. However, a design flaw in the WPS specification for PIN authentication significantly reduces the time it takes for a cyber charger to force an entire PIN brute, because it informs them when the first half of the eight-digit PIN is correct. Many routers do not have an adequate lockout policy after a number of unsuccessful attempts to guess the PIN, making brute force attacks much more likely to occur. See Wi-Fi protected configuration (WPS) vulnerable to Brute-Force attack.
- Reduce the strength of the wireless signal.
The Wi-Fi signal often propagates beyond the perimeter of your home. This extended emission allows intruders to be intercepted outside the perimeter of the network. Therefore, carefully consider the positioning of the antenna, the type of antenna and the transmission power levels. By experimenting with router placement and signal strength levels, you can reduce the transmission coverage of your Wi-Fi network, thereby reducing the risk of compromise. Note: While this reduces risk, a motivated attacker may still be able to intercept a signal that has limited coverage.
- Turn off the network when not in use.
Although it may not be practical to frequently turn the Wi-Fi signal off and on again, consider turning it off during travel or for extended periods when you don’t need to be online. In addition, many routers offer the option to configure a wireless schedule that automatically turns off Wi-Fi at specific times. When Wi-Fi is disabled, external attackers are prevented from being able to exploit the home network.
- Disable UPnP when not needed.
Universal Plug and Play (UPnP)is a practical function that allows networked devices to discover and establish communication between them on the network seamlessly. However, although the UPnP feature facilitates initial network configuration, it is also a security risk. Recent large-scale network attacks show that malware within the network can use UPnP to bypass the router’s firewall, allow attackers to take control of devices remotely and spread malware on other devices. It is therefore necessary to disable UPnP, unless you have a specific need.
- Update the firmware.
Check the router manufacturer’s website to verify that the latest firmware version is running. Firmware updates improve product performance, correct defects and resolve security vulnerabilities. Note: some routers have the ability to enable automatic updates.
Disable remote management. Most routers offer the ability to view and change their settings on the Internet. Disable this feature to prevent unauthorized people from accessing and changing the router configuration.
- Monitoring connections of unknown devices.
Use the router manufacturer’s website to monitor for unauthorized devices joining or attempting to join the network. See also the manufacturer’s website for tips on how to prevent unauthorized devices from connecting to the network.
- Mitigate Email Threats.
Le and email phishingcontinue to be one of the most common initial attack vectors used for the delivery of malware and harvest credentials. Attacking the human element, considered the weakest component of any network, continues to be extremely effective. To infect a system, the attacker simply has to persuade the user to click on a link or open an attachment. The good news is that there are many indicators that you can use to quickly identify a phishing email. The best defense against these attacks is to become an educated and cautious user and familiarize yourself with the most common elements of a phishing attack. Here are some common indicators of a phishing email.
Address of the suspicious sender. Pay attention to the sender’s email address. It can imitate a legitimate business. With only a few altered or omitted characters, cybercriminals often use an email address that closely resembles that of a reputable company. General greetings and signature. Both a general greeting – such as “Dear Customer” or “Sir” – and the lack of contact information in the signature block are strong indicators of a phishing e-mail. A trusted organization normally turns to you by name and provides their contact information.
- Spoofed hyperlinks.
Move your cursor over any link in the body of the email. Links that don’t match the text that appears when you hover over them should raise a red flag. In addition, the use of a URL abbreviation service to hide the true destination of the link should also raise a red flag.
Spelling and layout. Bad grammar and sentence structure, misspellings and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated staff who produce, verify and correct correspondence with customers.
- Suspicious attachments.
An unsolicited email asking a user to download and open an attachment is a common delivery mechanism for malware. A cybercriminal can use a false sense of urgency or importance to convince a user to download or open an attachment without having first examined it.
Improve password security
Weak or stolen passwords have been linked to a large number of recent data breaches and cyber attacks, and passwords continue to be one of the most vulnerable cyber defenses.
- Consider using a password manager. A password manager is software that can help you generate, store, encrypt and recover unique and complex login credentials for all your accounts, effectively eliminating the need to remember or write passwords.
- Make passwords long and complex. The most effective aspect of a strong password is length. Therefore, the use of the longest password or allowed passphrase should be considered. For example, “Passwd4mymiemale” would be a strong password because it has 17 characters. It also includes uppercase and lowercase letters, numbers and special characters often required by password systems. It may be necessary to try different variants of a passphrase: some applications limit the length of passwords, some do not accept spaces or some special characters. Avoid easy to understand passwords, for example, common phrases, famous quotes, song lyrics, sequential keyboard combinations – such as “qwerty” or “123456” – or words found in the dictionary.
- Create a unique password for each account. Do not use the same password with multiple accounts. This way, if one of your accounts is compromised, the attacker won’t be able to violate any of your other accounts.
- Never use personal information. Avoid using your personal information such as your name, pet’s name, date of birth, phone number or any other information in the public domain.
Most attacks on home networks are not personal in nature and can occur on any type of network, whether large or small