It just takes a cursory look at technology news to see why securing your network is critical. A recent ransomware attack infected over 70,000 computers in hospitals, logistical companies, and even governments (Cameron, 2017). With the rise in identity theft and the increase in computer related crime there is no longer an excuse for lax security policies in the office or at home.
Common Points of Vulnerability
Here we will go over some of the most common vulnerabilities and how to correct them:
- WiFi Routers & AccessPoints
- Change default Administrator password.
- Change WiFi encryption passphrase.
- Keeping up-to-date with Security Patches.
- Office & Home Security Policy
- NEVER write down passwords.
- NEVER allow or perform ‘shoulder surfing’.
- ALWAYS lock your screen before leaving your station.
- Social Engineering Awareness.
- ALWAYS shred documents before discarding.
As you can see the first two major points are dealing with technological devices while the third point is dealing with office policy and user habits. For your network to be secure you must ensure that both the technological equipment is properly configured and the human element is properly trained in basic Information Security Protocols. For a general introduction to the concept of Information Security see “Information, Computer, and Cyber Security: Defining Terms.”
WiFi Routers & AccessPoints
Devices like these need to have their default settings changed. Changing default settings of network equipment is a requirement for all security assessments. Leaving the default settings on your router is like leaving your door unlocked, there is nothing to stop someone from walking in and taking anything they want. The following steps should be taken on a typical router you might employ in a Home or Small Business network:
For this step, it is recommended that you are connected using a wired Ethernet cable to make the process easier. If you do not have an Ethernet cable, you must join the default SSID broadcast by your device (something like NetGear3124, Belkin675, or Linksys5434 for example). You may need to enter the default WiFi passphrase for your device. If you do not have the devices default information you must search the Internet or visit the manufacturers website for the documentation relating to the specific model number.
Type in the default IP Address of the device in your web browser. The most common default IP Addresses for routers are: (192.168.1.1), (192.168.0.1), and (10.0.0.1). If none of those work you are either not connected to the router or you need to refer to the manufacturer documentation for your device model.
Note: If the router has been previously configured and you do not know what it’s settings are you can reset it to factory defaults as per the instructions. This is usually accomplished by sticking a paperclip into a hole called ‘reset’ on the back and holding down the internal button until the LEDs flash or reset.
You should reach a login prompt where you need to enter the username and password for the device. This is where you will need to enter the device’s default administrator/password combination. Once you are logged in you want to immediately change the administrator’s password to something very long and complex. A minimum of 10 characters with capitals, lowercase, numbers, special symbols, make it as complex and long as you can stand. At this point you will most likely have to type the router’s IP in the address bar again to login with the new password.
Now it is time to change the default passphrase to access the encrypted WiFi network. Look for a tab/link to WiFi settings within your router’s configuration utility. Find SSID settings, which designate the name your wireless network broadcasts. Change it to something memorable, but be careful to not give away any information a cracker could use against you – don’t name your network XFiles and use m0ulder as your passphrase for example…
Once you’ve changed the SSID Broadcast name look for the WiFi passphrase or encryption settings. You want to use WPA2 PSK, it is best to avoid WEP as it has been compromised for years (Bangeman, 2007). When you create your passphrase remember that the maximum length for a WPA2 passphrase is 64 characters and that you can use numbers, letters, and special characters. It is best to make this passphrase as complex or more complex than your router’s administrator password. If someone gains your WiFi passphrase they can monitor your unencrypted network traffic with ease.
Where does this leave us?
Changing these default settings on your router will greatly improve your security stance and is enough to consider your WiFi router reasonably hardened. There are of course more things you can do like keeping the Firmware up-to-date and changing the default IP subnet from 192.168.1.0 to something like 18.104.22.168. Making changes like this adds more guesswork for an attacker as you are not using the expected default IP range/subnet that is generally encountered on less secure networks. None of these actions alone will keep you secure and in fact they are simply methods to make you less vulnerable rather than invulnerable.
Updates and Patches
Exploits are parts of code within an Operating System or application that can be manipulated by a cracker to gain entry into that machine. Once that machine has been compromised the attacker will then try to gain access to any other machines on the network. At this point they can cause a number of different problems for business and home users, see “The Threat Is Real” for an article detailing potential threats.
How do we protect ourselves? By keeping our Operating Systems and applications up-to-date!
The recent and massive WannaCry attack used an exploit that had been patched two months prior to the attack, but since people do not understand the importance of keeping up with security patches there were massive amounts of systems needlessly affected (Cameron, 2017). Simply running the system update function on these machines would have prevented the vast majority of the WannaCry infections. The link to the update patch provided by Microsoft two months before the massive attack: Microsoft Security Bulletin MS17-010 – Critical (Microsoft, 2017).
If you are a Windows user make sure to run Windows Updates often, daily is best. Debian Linux users (Debian, Ubuntu, Mint, Kali, etc…) can use apt-get to stay up-to-date, see “Linux In Minutes: Essential Commands and Tricks” article for details. Mac OS X users should run System Updates as well. When exploits are found and reported the software companies immediately set out to fix these problems and issue a “patch” that corrects the vulnerable code. Leaving your system un-patched is like leaving your doors and windows unlocked or even wide open.
Make sure you update the Firmware on your other devices like WiFi Routers. There have been severe exploits found within these small applications and it is best to keep them up-to-date as well.
While this might sound like a simple thing, it is what makes a vast majority of attacks possible.
Office & Home Security Policies
Written Login Information
NEVER write down login information like usernames or passwords. This creates a huge security threat and can enable others to use your login credentials to commit crimes against the company or employees without being able to identify the individual. Furthermore, you will be the first suspect should your credentials be used for any nefarious purpose.
NEVER enter your login information while a co-worker is standing next to you. Wait for the conversation to end or for the individual to step away before entering your username and password. Likewise, if you know someone is going to enter their password step or turn away to allow them to do so securely. If you allow others to watch you enter your login credentials you are opening yourself and the company up to a huge security vulnerability.
ALWAYS lock your computer screen so that a password is required to un-lock it before you leave your desk. Do NOT rely on the 1 minute timer as someone who sees you get up can easily get to your computer before the timer initiates the screen lock. At this point they can install malware, copy sensitive information, and do a number of other nefarious things before you return to your desk.
Social Engineering Awareness
Train your employees and your family to recognize social engineering attacks! Set hard lines and create clear policy. Never give financial information over the phone, especially on a cold call. For a real-world example: in my area there are constant social engineering attacks. I have received group texts with over 100+ recipients claiming to be an urgent message from my bank, calls asking for donations to the police department that never sent me the information in writing when I refused to give them my credit card on a cold call, and even a company pretending to be from Google trying to get financial information. This is at our home, not a business, and it happens on a fairly regular basis.
This is why it is very important for both employees and family members to be aware of these types of attacks. Never give any information to someone who calls you out of the blue no matter who they say they are. Ask them to snail mail you whatever proposal they have if you are suspicious. It is not being paranoid, it is a necessary survival trait in current times.
Office workers should also be trained to never under any circumstances give out any information, especially login information, about the system over the phone. A common technique of social engineers is to pretend to be a worker from the company who forgot their password and needs a new one to finish a job they are working on. They will often be well researched and may know many personal details about the individual they are pretending to be, which is why this method is so effective. The only option to remain resistant to these types of attacks is to have a deny all policy – no system information is shared over the phone or email.
It is critical to shred documents not just to keep financial details safe, but to protect against social engineering attacks. One way that crackers can get information about an employee or company infrastructure is by collecting documents from the company trash bins. Even reports with names and email addresses can be extremely valuable to a cracker using social engineering techniques. Being able to display a working knowledge of key employees is extremely convincing when presented by an experienced social engineer. For this and many other reasons there should be a strict policy of shredding all documents.
If the above security methods were applied and maintained throughout the home and small business world the amount of successful cyber-attacks would shrink dramatically. While vulnerabilities in software will always exist and crackers will always be a threat, the threat can easily go from its current state of being a daily overwhelming occurrence to an occasional annoyance. There are many current methods that help make us immune to many of these dangers, we just need to use them.
Bangeman, Eric. (2007, Apr 4). New attack cracks WEP in record time. Retrieved from https://arstechnica.com/gadgets/2007/04/new-attack-cracks-wep-in-record-time/
Cameron, Dell. (2017, May 12th). Today’s Massive Ransomware Attack Was Mostly Preventable-Here’s How To Avoid It. Retrieved from http://gizmodo.com/today-s-massive-ransomware-attack-was-mostly-preventabl-1795179984
Microsoft. (2017, Mar 14th). Microsoft Security Bulletin MS17-010 – Critical. Retrieved from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-sqQhNApgA.Smv1cgQL3e5A&ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-EBxCaY_YxD9WO7ngUFxCVA&tduid=(9aa8cac45b3a17599a0ddb196e8d9467)(256380)(2459594)(TnL5HPStwNw-EBxCaY_YxD9WO7ngUFxCVA)()