Now that Christmas is over and we’re into a new year, odds are pretty good that someone in the family got some type of high-tech gadget from Santa. What an odd statement for someone who performs digital forensics to make, you may think to yourself. Well, to follow up on the previous post regarding insider threats, remember that not all insider threats are malicious and deliberate actions. A huge part of defending yourself (and your business) against the non-malicious acts is education. Furthermore, when it comes to assessing one’s risk (online or not), I find it helpful on the whole to look at such things in concentric circles.
What does that all mean for you? Start small and simple. Scale down your view of your risk to the simplest levels first. So, start by viewing your home as your own personal company and its network. I mean, you’re already doing it when it comes to finances; you have to bring in more revenue than expenses to keep your “company” healthy, so why not apply the same mindset to your data security? No, your children or other family members living there are not employees, but if you can think of your locally connected computers, smartphones, gaming systems, printers, and local network storage as that company’s network, you can start to do your own risk assessment by thinking about weaknesses in the system: what’s exposed, what’s available, all kinds of points, including some of what you can’t control, but we’ll get to that in a minute.
OK, that sounds great, but where does one begin, you might be asking? Start small and simple. Start with your connection to the outside world, your internet connection. You’ve likely got a router/modem from your provider (AT&T, Comcast, etc.) that connects to everything else. If you’ve got a more complex setup, the basics we’ll go over here still apply; they just need to be more fleshed out for your scenario.
The first thing to do is to ensure your router is using some form of encryption and is not “open”. If you’ve never had to put in a password to access your local wireless network, then it could be open; consult with your provider to determine what encryption is available to secure the transmission of your data with a unique password.
The next step is assessing what devices connect to your modem/router. Yes, you could physically go around your house and inventory each device, but what if one is hidden away? Or let’s say you do have encryption on your network already but you’re unsure who may have access to it (like your friends or your friends’ kids when they’ve come over, for instance). A somewhat simple way to start a new inventory list is to change your network name and/or the password if you already have a secured network. How to do this will vary based on your modem/router, but essentially, if your network name is “Bob’s Wi-Fi”, you might change it to “Bob’s New Wi-Fi”. Yes, that will mean that once it’s changed, anyone (or anything) that wants to access your network and the Internet will have to re-enter the new name and/or the password. But that’s the point. You will now know who and what is accessing your network from this point forward and can create a list!
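One way to keep the device list described above, as an added example that is not part of the original post: it parses the output of `arp -a`, run on a computer connected to the network, and flags any device that is missing from a known-device inventory. The sample output, MAC addresses and inventory names are constructed for illustration.

```python
import re

# Constructed sample of `arp -a` output (Linux-style and Windows-style lines).
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at a0:b1:c2:d3:e4:f5 [ether] on wlan0
? (192.168.1.23) at 3c:22:fb:10:20:30 [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0
  192.168.1.57          9c-8e-cd-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Hypothetical household inventory, keyed by MAC address.
KNOWN_DEVICES = {
    "a0:b1:c2:d3:e4:f5": "router",
    "3c:22:fb:10:20:30": "Bob's laptop",
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS drops leading zeros)."""
    return ":".join(part.zfill(2) for part in re.split("[:-]", mac.lower()))

def parse_neighbours(text):
    """Return {mac: ip} for every line that carries both an IP and a MAC."""
    seen = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header lines and "<incomplete>" entries
        mac_norm = normalize_mac(mac.group(1))
        if mac_norm == "ff:ff:ff:ff:ff:ff":
            continue  # broadcast entry, not a device
        seen[mac_norm] = ip.group(1)
    return seen

def audit(text, known):
    """Split what is on the network into recognised and unrecognised devices."""
    seen = parse_neighbours(text)
    recognised = {known[m]: ip for m, ip in seen.items() if m in known}
    unknown = {m: ip for m, ip in seen.items() if m not in known}
    return recognised, unknown

if __name__ == "__main__":
    recognised, unknown = audit(SAMPLE_ARP_OUTPUT, KNOWN_DEVICES)
    print("recognised:", recognised)
    for mac, ip in unknown.items():
        print(f"UNKNOWN {ip} {mac}: identify it or change the Wi-Fi password")
```

A computer’s ARP table only lists devices it has recently exchanged traffic with, so the router’s own connected-client page is the more complete source. Phones that use a randomized (“private”) Wi-Fi address can show a different MAC after the network is renamed, so build the inventory after the change rather than reusing an older list.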
Now, while we’re on the topic of guests accessing your network, you should look to see if your wireless network device supports having a separate guest network. If it does, I encourage you to use it. You can name it something like “Bob’s Guest Wi-Fi” and give it a separate, maybe even somewhat simpler, password. In setting up a separate guest network, you will be segregating your own internal network (which should be considered more sensitive) from devices that may intermittently connect to your network and whose security you really have no idea about to begin with.
While we’re on the topic of a guest network, you should consider having any device that you have little to no control over connect to the internet via this guest network. That means anything that might be considered “internet of things”: doorbell cameras, thermostats, refrigerators, almost any device other than a computer, smartphone or network storage/server. Why, you may be asking? Without getting into too much minutiae, you tend to have much less control over these devices. They tend to be updated less often and security is less of a concern (features tend to take precedence, as everyone and everything seems to be clamoring to be connected to the Internet for ease of use), or they tend to poke holes in your firewall and are accessible from the internet. Either way, unless there’s a real need to have them completely integrated into your existing network, you should try to keep them separate. Just as if you had a business, you don’t want to have your guests and unsecured devices using the same network as the rest of your employees, do you? They don’t need access to your secure documents and network traffic, so you shouldn’t risk any kind of inadvertent (or deliberate) compromise of your data.
While you’re configuring your network, you may want to consider changing your default DNS (Domain Name System) server. What’s DNS? DNS is what helps your computer or device find another computer (a website, for example) on the Internet. When you type an address into your browser, your computer queries your default DNS server (typically a server handled by your internet provider) to find the IP address of the server that the name translates to.
What’s wrong with your default DNS server? Technically nothing really, but what if you want to have some controls to limit where your family’s or employees’ computers connect? Much like bumpers at a bowling alley prevent the kids from throwing constant gutter balls, specifying an alternate DNS server can allow you to steer the people using your network away from known malware websites, hacking websites or (especially if you have young children) objectionable material like pornography or profanity. That’s where it can be helpful to use a DNS server that differs from your ISP’s default. OpenDNS is one such service. For your home, they offer a free account that lets you limit some of the things I just mentioned. Again, this is potentially very useful if you have children in the house. They also offer a service for your business environment, which can help with the things already mentioned, including helping to reduce phishing threats when your employees are tricked into clicking a link they shouldn’t have, thus exposing your network and confidential data. And no, this is not a paid endorsement but rather some shared knowledge regarding a service I find useful.
This brings me to a final point. Keep in mind that none of these things takes away the need to teach your family and employees general safe and secure online cyber hygiene. One of the most important parts of that concerns email. Everyone should understand the need to carefully examine email correspondence and not just click on a provided link. This is particularly the case when the email looks to have come from your credit card company or bank. Unfortunately, in today’s world the bad guys have figured out how to take advantage of our trust and dependency on automation. It’s much safer to close the email and then type in the web address yourself or call the institution on the phone. As convenient? No. Safer? Yes. And the bad guys trying to trick us know that. They’re counting on your basic human reaction to be panic followed by, “Someone’s trying to hack into my account!” In fact, they’re banking on your next move, which is to click the link they’ve provided in order to verify that “it’s not me” or whatever the “URGENT” case may be in the email.
Another important point is that just because something is online does not make it true or safe. Sure, most of us know this, but we easily forget it when we’re faced with a message that contains some sort of urgency. This should be kept in mind when searching for a file (a song or game, for instance) or when conversing with someone (via chat or email correspondence).
Individually or taken as a whole, these tips will help make your home or business more secure in the coming year. I urge you to continually try to learn how to safeguard your devices and data. Some good resources include the FTC, the SBA and SANS.