{"id":971,"date":"2019-01-04T09:28:22","date_gmt":"2019-01-04T17:28:22","guid":{"rendered":"https:\/\/betterdefend.com\/?p=971"},"modified":"2019-03-05T08:54:51","modified_gmt":"2019-03-05T16:54:51","slug":"best-practices-for-keeping-your-home-network-secure","status":"publish","type":"post","link":"https:\/\/betterdefend.com\/best-practices-for-keeping-your-home-network-secure\/","title":{"rendered":"Best Practices for Keeping Your Home Network Secure"},"content":{"rendered":"

Originally published as <\/em>Confidence in Cyberspace in May 2014 by the NSA.<\/em><\/p>\n

As a user with access to sensitive corporate or government information at work, you are at risk at home. In order to gain access to information typically housed on protected work networks, cyber adversaries may target you while you are operating on your less secure home network.<\/p>\n

Don\u2019t be a victim.<\/strong> You can help protect yourself, your family, and your organization by following some common sense guidelines and implementing a few simple mitigations on your home network.<\/p>\n

Personal Computing Device Recommendations<\/h3>\n

Personal computing devices include desktop computers, laptops, smartphones, and tablets. Because the bulk of your information is stored and accessed via these devices, you need to take special care in securing them.<\/p>\n

1. Migrate to a Modern Operating System and Hardware Platform<\/h4>\n

The latest version of any operating system (OS) inevitably contains security features not found in previous versions. Many of these security features are enabled by default and help prevent common attack vectors. In addition, using a 64-bit OS on a 64-bit hardware platform substantially increases the effort for an adversary to obtain privileged access on your computer.<\/p>\n

2. Install a Comprehensive Security Suite<\/h4>\n

Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. In addition, several security suites, such as those from McAfee, Norton, and Symantec, provide access to a cloud-based reputation service for leveraging corporate malware knowledge and history. Be sure to enable the suite\u2019s automatic update service to keep signatures up to date.<\/p>\n

3. Limit Use of the Administrator Account<\/h4>\n

In your operating system, the highly-privileged administrator (or root) account has the ability to access any information and change any configuration on your system. Therefore, web or email delivered malware can more effectively compromise your system if executed while you are logged on as an administrator. Create a nonprivileged \u201cuser\u201d account for the bulk of your activities including web browsing, e-mail access, and document creation\/editing. Only use the privileged administrator account for system reconfigurations and software installations\/updates.<\/p>\n

4. Use a Web Browser with Sandboxing Capabilities<\/h4>\n

Visiting compromised or malicious web servers is a common attack vector. Consider using one of several currently available web browsers (e.g. Chrome, Safari) that provide a sandboxing capability. Sandboxing contains malware during execution, thereby insulating the underlying operating system from exploitation.<\/p>\n

5. Use a PDF Reader with Sandboxing Capabilities<\/h4>\n

PDF documents are a popular mechanism for delivering malware. Use one of several commercial or open source PDF readers (e.g. Adobe, Foxit) that provide sandboxing capabilities and block execution of malicious embedded URLs (website links) within documents.<\/p>\n

6. Update Application Software<\/h4>\n

Attackers often exploit vulnerabilities in unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that offer this option, and promptly install patches or a new version when pop-up notifications indicate an update is available. Since many applications do not have an automated update feature, use one of several third-party products, such as those from Secunia and eEye Digital Security, which can quickly survey installed software and report which applications are end-of-life or need patches or updates.<\/p>\n

7. Implement Full Disk Encryption (FDE) on Laptops<\/h4>\n

To prevent data disclosure in the event that a laptop is lost or stolen, implement FDE. Most modern operating systems offer a built-in FDE capability, for example, Microsoft’s BitLocker, Apple’s FileVault, or LUKS for Linux. If your OS does not offer FDE, use a third party product.<\/p>\n

8. Download Software Only from Trusted Sources<\/h4>\n

To minimize the risk of inadvertently downloading malware, only download software and mobile device apps from reputable sources. On mobile devices, grant apps only those permissions necessary to function, and disable location services when not needed.<\/p>\n

9. Secure Mobile Devices<\/h4>\n

Mobile devices such as laptops, smartphones, and tablets post additional concerns due to their ease of use and portability. To protect against theft of the device and the information on the device, maintain physical control when possible, enable automatic screen locking after a period of inactivity, and use a hard-to-guess password or PIN. If a laptop must be left behind in a hotel room when traveling, power it down and use FDE as discussed above.<\/p>\n

Network Recommendations<\/h3>\n

Home network devices include modems\/routers, wireless access points (WAPS), printers, and IP telephony devices. These devices control the flow of information into and out of your network and should be carefully secured.<\/p>\n

1. Configure a Flexible Home Network<\/h4>\n

Your Internet Service Provider (ISP) likely provides a modem\/router as part of your service contract. To maximize administrative control over the routing and wireless features of your home network, use a personally-owned routing device that connects to the ISP-provided modem\/router. A typical small office\/home office (SOHO) network configuration usually provides the home user with a network that supports multiple systems as well as wireless networking and IP telephony services.<\/p>\n

2. Disable Internet Protocol Version 6 (IPv6) Tunneling<\/h4>\n

Both IPv6 and its predecessor, IPv4, are used to transfer communications on the Internet. Most modern operating systems use IPv6 by default. If IPv6 is enabled on your device, but not supported by other systems\/networks to which you are communicating, some OSes will attempt to pass IPv6 traffic in an IPv4 wrapper using tunneling capabilities, Teredo, 6to4, or ISATAP (Intra-Site Automatic Tunnel Addressing Protocol). Because attackers could use these tunnels to create a hidden channel of communication to and from your system, you should disable tunneling mechanisms. In Windows, you can disable these through Device Manager (be sure to select “View hidden devices” under the View menu).<\/p>\n

3. Provide Firewall Capabilities<\/h4>\n

To prevent attackers from scanning your network, ensure your personally-owned routing device supports basic firewall capabilities. Also, verify it supports Network Address Translation (NAT) to prevent internal systems from being accessed directly from the Internet. Wireless Access Points (WAPS) generally do not provide these capabilities so it may be necessary to purchase a wireless router or a wired router in addition to the WAP. If your ISP supports IPv6, ensure your router supports IPv6 firewall capabilities in addition to IPv4.<\/p>\n

4. Implement WPA2 on the Wireless Network<\/h4>\n

To keep your wireless communication confidential, ensure your personal or ISP-provided WAP is using Wi-Fi Protected Access 2 (WPA2) instead of the much weaker, and easily broken Wired Equivalent Privacy (WEP) or the original WPA. When configuring WPA2, change the default key to a complex, hard-to-guess passphrase. Note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When identifying a suitable replacement, ensure the device is WPA2-Personal certified.<\/p>\n

5. Limit Administration to the Internal Network<\/h4>\n

To close holes that would allow an attacker to access and make changes to your network, on your network devices, disable the ability to perform remote\/external administration. Always make network configuration changes from within your internal network.<\/p>\n

6. Implement an Alternate DNS Provider<\/h4>\n

The Domain Name System (DNS) associates domain names (e.g. www.example.com) with their numerical IP addresses. The ISP DNS provider likely does not provide enhanced security services such as the blocking and blacklisting of dangerous websites. Consider using either open source or commercial DNS providers to enhance web browsing security.<\/p>\n

7. Implement Strong Passwords on all Network Devices<\/h4>\n

In addition to a strong and complex password on your WAP, use a strong password on any network device that can be managed via a web interface, including routers and printers. For instance, many network printers on the market today can be managed via a web interface to configure features such as e-mail alerts and logging. Without a password, or with a weak or default password, attackers could leverage these devices to gain access to your other internal systems.<\/p>\n

Home Entertainment Device Recommendations<\/h3>\n

Home entertainment devices, such as Blu-ray players, set-top video players (e.g. Apple TV), and video game controllers, are capable of accessing the Internet via wireless or wired connection. Although connecting these types of devices to a home network generally poses a low security risk, you can implement security measures to ensure these don\u2019t become a weak link in your network.<\/p>\n

1. Protect the Device within the Network<\/h4>\n

Ensure the device is behind the home router\/firewall to protect it from unfettered access from the Internet. In the case of a device that supports wireless, follow the Wireless LAN security guidance in this document.<\/p>\n

2. Use Strong Passwords for Service Accounts<\/h4>\n

Most home entertainment devices require you to sign up for additional services (e.g. PlayStation Network, Xbox Live, Netflix, Amazon Prime, iTunes). Follow the password guidance later in this document when creating and maintaining service accounts.<\/p>\n

3. Disconnect When Not in Use<\/h4>\n

To prevent attackers from probing the network via home entertainment devices, if possible, disconnect these systems from the Internet when not in use. Some ISP modems\/routers have a standby button you can use to disable the Internet connection.<\/p>\n

Internet Behavior Recommendations<\/h3>\n

In order to avoid revealing sensitive information about your organization or personal life, abide by the following guidelines while accessing the Internet.<\/p>\n

1. Exercise Caution when Accessing Public Hotspots<\/h4>\n

Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the Internet. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial activity. If you have a need to access the Internet while away from home, follow these recommendations:<\/p>\n