Remote working has become a staple of everyday life. A recent report from the Australian Bureau of Statistics highlights that almost half of all Australians regularly work from home. It also appears that the trend is likely to continue, with employees and employers both realising the many benefits of the strategy.
I recently spoke on 2Factors about the risks to organisations from malicious insiders and insecure home networks. It has long worried me that organisations are leaving themselves vulnerable to compromise through their own employees’ home network security, or lack thereof.
Unsurprisingly, the Australian Cyber Security Centre also reported this week that 200,000 home and office routers in Australia are at risk of being exploited. If you aren’t sure what “exploited” means in this context, imagine a hacker standing behind you 24×7 recording everything you look at and type: usernames, passwords, credit card numbers, emails, everything! They could also send you to malicious websites, deliver malware to your devices, and steal your data or hold it to ransom.
Why securing the end-user device is not enough
Before the days of remote working, devices (mostly desktops) were located in an office with physical access controls, on a network controlled by the organisation, and secured with commercial or enterprise grade equipment and software. These devices and services would be actively managed, kept up-to-date, and monitored by the IT department.
Unfortunately, nowadays it’s all too common for laptops to be issued to remote employees without a single question being asked about the environment in which they will be used, or whether the most basic security best practices have been followed, such as “have you changed your default home Wi-Fi password?”.
Many company-issued devices come with antivirus / anti-malware software and a Virtual Private Network (VPN), which may be required to access internal company systems. A VPN is useful to ensure privacy from others on your network, but if your networking equipment (modem, router, Wi-Fi access point etc.) is compromised then so too are all the connections running through it.
For those of you who might think I’m being an alarmist, the National Institute of Science & Technology (NIST) reported over 600 router vulnerabilities in 2020. In 2021 another 500 were reported, including 87 rated as critical, and those are just the ones we know about! What I find more perplexing is that a third of the critical vulnerabilities from 2021 are still yet to be acknowledged or fixed by vendors. Add those issues to the 74% of users who have never thought about upgrading, patching or securing their router or networking equipment, and it seems pragmatic for organisations serious about security to proactively assist their employees in securing their home networks.
Before we jump into recommendations it is worth understanding home network security risks in more detail.
Some common (and perhaps not so common) home network risks
- Old or out-of-date networking equipment. It’s often out-of-sight, out-of-mind, but that old router or modem may not support the latest Wi-Fi security features like WPA-3, or the manufacturer may no longer be providing security patches and updates. If it’s no longer supported and a security vulnerability is found, attackers now have a permanent way into your network.
- Default manufacturer credentials. Often when you receive a new modem or router it will have a randomly generated password for both the Wi-Fi and the admin user. Unfortunately that’s not always the case, and reports suggest that attackers could gain access to 6% of devices just by using widely-known default usernames and/or passwords.
- Weak passwords. Wi-Fi and admin passwords that contain common words, birthdates or names, or that are fewer than 20 characters long, make it easier for attackers to guess or brute force their way into your network.
- Unpatched devices: desktops, laptops, mobile devices, printers. Your network is only as secure as your least secure device. Devices missing security updates, or old devices no longer receiving updates, also provide an easy way for attackers to gain access to your network. When was the last time you updated the software on your Wi-Fi connected printer?
- Downloading malicious / cracked software. This one should go without saying. If you’re downloading software from an untrusted source, or using “cracked” software it may contain malware and allow attackers straight into your network. A lot of malware is built to avoid detection which is why you should never do this, even if you’re running antivirus software.
- Smart-home devices. It is estimated that there will be 14.4 billion smart home devices connected to the internet by the end of 2022. These typically work by talking to manufacturers’ environments, which you then control with an app on your mobile device or a smart speaker. An issue with a smart-home device, or with the manufacturer’s security, can also provide a way for attackers to gain access to your network.
- Rogue Wi-Fi access points. It is possible to set your Wi-Fi SSID (essentially the name of your Wi-Fi) to anything you’d like. Attackers can trick you into connecting to a network they control by naming their SSID the same as yours and using a strong radio signal. In fact, there are devices, such as the Wi-Fi Pineapple, that security testers use to assist with this type of activity.
- Exposed administrative interfaces. By default you would normally need to be on the Wi-Fi to log in as the admin and change your Wi-Fi password. Unintentional misconfigurations can make this admin page accessible to anyone (including attackers) on the internet.
As a business, here’s how you can help your remote working employees
It’s likely that as an employer you provide physical devices such as laptops and/or smart phones to employees because their legal ownership can never be questioned. In some cases the total outlay for these devices may be upwards of $5,000 per employee. However it seems a little short-sighted to invest significant time and money in providing new, up-to-date, and secure devices only for them to be connected to an old / insecure home network environment.
If you’re a business, here are some things to consider. Understandably every organisation is different, as are the types of activities performed by remote workers, so it makes sense to choose the options that suit your specific situation.
- Assist employees with running a “health-check” on their home network during onboarding and periodically throughout the year. This will help ensure issues are identified early and resolved.
- Provide the home networking equipment, or subsidise the employee’s choice from an approved list. By doing so you’re able to ensure devices are from a reputable manufacturer with a good history of providing timely security patches.
- Consider providing or subsidising the Internet Service Provider (ISP) monthly fees from an approved list. By doing so you’re able to ensure upstream home network connections are through a reputable provider that invests proactively in cyber security.
If you’re serious about securing your employees’ home networks, consider using cloud managed networking equipment from a reputable provider. The advantage is that the equipment is actively supported, and security patches are automatically and regularly applied. Cisco Meraki (which I use myself at home) provides a range of cloud managed solutions for home, small, medium, and enterprise environments and is worth investigating if you’re interested.
Simple steps to help secure your home network
- Don’t use second-hand hardware. Whilst it might not seem like a big risk there have been many incidents where malware on second-hand devices granted hackers access to secure environments.
- Regularly update everything on your network: modems, routers, laptops, printers, smart home devices, everything! Set a reminder in your calendar to check for software updates at least once a month.
- Consider manufacturers’ reputations and the quality of the devices that you connect to your home network. Typically you get what you pay for, and a reputable manufacturer is likely to fix vulnerabilities faster than cheaper devices from a company you don’t recognise.
- Change the default admin username and password on your router. Use a passphrase consisting of at least three uncommon words and at least 20 characters. You should also make sure this passphrase is different to your Wi-Fi password.
- Change your Wi-Fi password to a strong passphrase consisting of at least three uncommon words and at least 20 characters. As above make sure this password is unique and not re-used elsewhere.
- Rotate your Wi-Fi password regularly. This stops people whom you shared your Wi-Fi password with from still having access months, or years later.
- Ensure your Wi-Fi access point supports the latest security standard, WPA-3, or at least WPA-2. If neither is supported it’s time to replace the device, as previous implementations (WEP) contain critical weaknesses that can be easily exploited by attackers.
- Enable guest wireless or dual radio mode if your device supports it. Connect the devices you consider less secure, e.g. smart home / IoT, to the guest network only. If your device supports VLANs you can also use these to separate your network traffic.
- Change your Wi-Fi name (SSID) from the default or hide it altogether. It’s not commonly known that broadcasting the name of your Wi-Fi network is completely optional. Hiding your SSID means someone wanting to connect would need both the SSID and the password.
- Disable those “user friendly” but commonly insecure features such as Wi-Fi Protected Setup (WPS) and Universal Plug & Play (UPnP). It is best practice to manually configure port forwarding instead of relying on UPnP. In 2013 tens of millions of devices were impacted following UPnP vulnerabilities being exploited.
- Enable device security features such as the firewall. Also consider enabling services that are provided by your ISP such as port blocking or firewall.
- Turn off your Wi-Fi when it’s not in use such as when you go on holiday. A number of devices allow you to schedule “down-time” which can also be used for this purpose.
- Consider disabling remote access tools and services that you have installed, or consider implementing network security controls to grant access to trusted IP addresses only.
- Consider the physical location of your Wi-Fi access point. An optimal position would be where everyone who requires access has it, whilst also limiting the range and access to those who don’t.
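The checklist above, and the onboarding “health-check” suggested for businesses earlier, can be turned into a small script that an employee runs locally against their own answers. This is an added example, not part of the original article; the field names and sample values are hypothetical, and the passphrases are only compared on the machine where the script runs.

```python
import re
from datetime import date

MIN_CHARS, MIN_WORDS = 20, 3        # passphrase guidance from the checklist
MAX_UPDATE_AGE_DAYS = 31            # "check for updates at least once a month"
ACCEPTED_WIFI = {"WPA2", "WPA3"}    # anything else (e.g. WEP) means replace

def weak(passphrase):
    """True if under 20 characters or fewer than three words (rarity of words is not checked)."""
    words = [w for w in re.split(r"[\s\-_.]+", passphrase) if w]
    return len(passphrase) < MIN_CHARS or len(words) < MIN_WORDS

def audit(net, today):
    """Return (check, advice) findings for a self-reported network description."""
    findings = []
    if net["wifi_security"].upper().replace("-", "") not in ACCEPTED_WIFI:
        findings.append(("wifi_security", "replace the access point"))
    if net["admin_username_is_default"]:
        findings.append(("admin_username", "change the default admin username"))
    for key in ("admin_passphrase", "wifi_passphrase"):
        if weak(net[key]):
            findings.append((key, "use 3+ uncommon words and 20+ characters"))
    if net["admin_passphrase"] == net["wifi_passphrase"]:
        findings.append(("passphrase_reuse", "admin and Wi-Fi passphrases must differ"))
    for feature in ("wps", "upnp", "remote_admin"):
        if net[feature + "_enabled"]:
            findings.append((feature, "disable it"))
    if not net["firewall_enabled"]:
        findings.append(("firewall", "enable the router firewall"))
    if not net["guest_network_for_iot"]:
        findings.append(("segmentation", "move smart-home / IoT devices to the guest network"))
    for name, last_update in net["devices"].items():
        if (today - last_update).days > MAX_UPDATE_AGE_DAYS:
            findings.append(("update:" + name, "check for software updates"))
    return findings

# Constructed sample answers with hypothetical field names, not a real network.
SAMPLE = {
    "wifi_security": "WPA-2",
    "admin_username_is_default": True, "admin_passphrase": "admin",
    "wifi_passphrase": "walrus-trombone-quartz-lantern",
    "wps_enabled": True, "upnp_enabled": False, "remote_admin_enabled": False,
    "firewall_enabled": True, "guest_network_for_iot": False,
    "devices": {"router": date(2022, 6, 1), "printer": date(2021, 1, 15)},
}

if __name__ == "__main__":
    for check, advice in audit(SAMPLE, today=date(2022, 6, 20)):
        print(f"[FAIL] {check}: {advice}")
```

An empty result means every item the script can check has passed; hiding the SSID, physical placement and password rotation still need a manual look.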
Depending on which device you use there may be other useful features available such as intrusion detection and prevention (IDS / IPS), logging and monitoring, and Wi-Fi spoofing protection services that you can enable.
When was the last time you checked the devices on your network for updates? If you can’t remember, it’s time!
Find Scotti Fletcher on LinkedIn: https://www.linkedin.com/in/scotti-fletcher/