Securing Your Home or Business WiFi Network.

How are routers used in your Home/Business network? 

 

Routers have become an integral part of our global communications footprint as use of the Internet has grown to include home-based businesses, telework, schoolwork, social networking, entertainment, and personal financial management. Routers facilitate this broadened connectivity. Most of these devices are pre-configured at the factory and are Internet-ready for immediate use. After installing routers, users often connect immediately to the Internet without performing any additional configuration. Users may be unwilling to add configuration safeguards because configuration seems too difficult or users are reluctant to spend the time with advanced configuration settings.
Unfortunately, the default configuration of most routers offers little security and leaves networks vulnerable to attack. Small businesses and organizations often use these same routers to connect to the Internet without implementing additional security precautions and expose their organizations to attack.

Why secure your Home/ Business router?

Routers are directly accessible from the Internet, are easily discoverable, are usually continuously powered-on, and are frequently vulnerable because of their default configuration. These characteristics offer an intruder the perfect target to obtain a user’s personal or business data. The wireless features incorporated into many of these devices add another vulnerable target.

How can you prevent unauthorized access to your home network?

The preventive steps listed below are designed to increase the security of  routers and reduce the vulnerability of the internal network against attacks from external sources.

• Change the default username and password: These default usernames and passwords are readily available in different publications and are well known to attackers; therefore, they should be immediately changed during the initial router installation. It’s best to use a strong password, consisting of letters, numbers, and special characters totaling at least 14 characters. Manufacturers set default usernames and passwords for these devices at the factory for their troubleshooting convenience. Furthermore, change passwords every 30 to 90 days. See Choosing and Protecting Passwords for more information on creating a strong router password.

• Change the default SSID: A service set identifier (SSID) is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Manufacturers set a default SSID at the factory, and this SSID typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit any of its known vulnerabilities. Users sometimes set the SSID to a name that reveals their organization, their location, or their own name. This information makes it easier for the attacker to identify the specific business or home network based upon an SSID that explicitly displays the organization’s name, organization’s location, or an individual’s own name. For example, an SSID that broadcasts a company name is a more attractive target then an SSID broadcasting “ABC123.” Using default or well-known SSIDs also makes brute force attacks against WPA2 keys easier. When choosing an SSID, make the SSID unique, and not tied to your personal or business identity.
   
• Don’t stay logged in to the management website for your router: Routers usually provide a website for users to configure and manage the router. Do not stay logged into this website, as a defense against cross-site request forgery (CSRF) attacks. In this context, a CSRF attack would transmit unauthorized commands from an attacker to the router’s management website.
   
• Configure Wi-Fi Protected Access 2 (WPA2)-Advanced Encryption Standard (AES) for data confidentiality: Some home routers still use Wired Equivalent Privacy (WEP), which is not recommended. In fact, if your router or device supports only WEP, but not other encryption standards, you should upgrade your network device.  If you must use WEP, it should be configured with the 128-bit key option and the longest pre-shared key the router administrator can manage. Note that WEP at its "strongest" is still easily cracked.  One newer standard, WPA2-AES, encrypts the communication between the wireless router and the wireless computing device, providing stronger authentication and authorization between the devices. WPA2 incorporates the Advanced Encryption Standard (AES) 128-bit encryption that is encouraged by the National Institute of Standards and Technology (NIST). WPA2 with AES is the most secure router configuration for home use.
   
• Immediately disable WPS: Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure moderately secure wireless networks. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8-digit PIN is correct. The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on many wireless routers makes a brute-force attack much more likely to occur.
   
• Limit WLAN signal emissions: WLAN signals frequently broadcast beyond the perimeters of your home or organization. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, it’s important to consider antenna placement, antenna type, and transmission power levels. Local area networks (LANs) are inherently more secure than WLANs because they are protected by the physical structure in which they reside. Limit the broadcast coverage area when securing your WLAN. A centrally located, omnidirectional antenna is the most common type used. If possible, use a directional antenna to restrict WLAN coverage to only the areas needed. Experimenting with transmission levels and signal strength will also allow you to better control WLAN coverage. Note that a sensitive antenna may pick up signals from further away than expected, a motivated attacker may still be able to reach an access point that has limited coverage.
   
• Turn the network off when not in use: While it may be impractical to turn the devices off and on frequently, consider this approach during travel or extended offline periods. The ultimate in wireless security measures—shutting down the network—will definitely prevent outside attackers from being able to exploit your WLAN.
   
• Disable UPnP when not needed: Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in. Therefore, disable UPnP unless you have a specific need for it.
   
• Upgrade firmware: Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network. When considering a router, check the manufacturer’s website to see if the website provides updates to address security vulnerabilities.
   
• Disable remote management: Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface.
   
• Monitor for unknown device connections: Use your router’s management website to determine if any unauthorized devices have joined or attempted to join your network. If an unknown device is identified, a firewall or media access control (MAC) filtering rule can be applied on the router. For further information on how to apply these rules, see the literature provided by the manufacturer or the manufacturer’s website.

Follow these steps.. and your Credit Card(s)/ Bank(s) and even your Social Security number will thank you!

Cloud Computing 101

You all heard about it, I probably have clients using it, but what is it exactly?

In essence, Cloud Computing is a umbrella term that covers a number of different (but related) technologies, very much like most people think “The Internet” just means looking at web pages, but it encompasses that, email, file transfer, news feeds, remote access and much, much more.

The main “Cloud” products are:

Software as a Service (SaaS) – rather than having your programs and data on your computer, you access them via the Internet. Any of you using web based email such as Hotmail are using SaaS and therefore “the Cloud”. 

SaaS means that you can access your programs and data from anywhere you have an Internet connection.  Whilst webmail is a common use of SaaS that’s been around for a long time, we are now seeing other software offered in this way – Microsoft Office 365 gives you Word, Excel, PowerPoint etc. as a totally web based offering.  Google Apps does exactly the same. There are SaaS timesheet systems, CRM management solutions, Project Management systems, Point of Sale solutions just to name a few.

Platform as a Service (PaaS) – So, you want to build your own custom software solution? You need a server to run it on, a database, a web front end for it, all the development tools but you don’t have them in house?

This is where PaaS would be used. A PaaS provider effectively gives you all this “in the Cloud”, either for you to build from scratch or using predefined building blocks. All you need to know is how the bits fit together.  The PaaS provider does the rest for you.  PaaS can also be used to add additional functionality to SaaS.

Infrastructure as a Service (IaaS) – Servers, software, data storage and network equipment can all live in the Cloud. Rather than having a server room/data centre, all that equipment is hosted elsewhere and you just maintain a data link between yourselves and the IaaS provider.

If you have a website and it’s hosted by a third party, that’s IaaS, but at a very basic level.  If you want to backup your data offsite and you buy space with an online data storage company, that’s IaaS

No doubt you will have realised that there’s some crossover between all these different services, and that’s part of what makes “Cloud” confusing, never mind the fact that a lot of this seems like new names for old stuff – Web hosting can now be called IaaS, webmail is SaaS… D'OH!

Then there’s Recovery as a Service (RaaS) – online business continuity and more aaSes than a festival at a donkey sanctuary.

So, if your client says they’re using Cloud, you need to establish what they’re doing and how they’re doing it.

Private v Public – Regardless of what’s being done in the Cloud it can be Private Cloud or 

Public Cloud. Public Cloud is where you buy/rent resource that is on a system shared with other people. Private Cloud is resource on a system that is exclusively for your use. Private Cloud can be provided by a third party or can be an extension of your own infrastructure – essentially you could market MS Outlook Web Access as SaaS in a Private Cloud!

The Risks of Cloud – One of the first things to bear in mind is that Cloud relies on connections (whether to the Internet or to your Cloud provider).  In the event of a connection being lost, you’ve lost your software/data/business platform, etc. Businesses can mitigate this risk by ensuring that they’ve got multiple connections from different communications providers to their cloud provider and the Internet, but this won’t help the salesman in the field when he’s got no signal on his mobile dongle for his laptop.

Similarly, what happens if the Cloud provider suffers a failure? They’re just running servers and servers can crash. There should be an SLA in place with the provider – is there? Is it sufficient? There was a drastic failure of Amazon Web Services (AWS) in April 2011 and a lot of companies lost their Cloud services for 5 days. Amazon accepted no blame for this as it was within the terms of business and highlighted in their Cloud Computing model.

If you’re using Public Cloud, could an error by the Cloud provider mean that someone else you’re sharing the space with can get to your data? Can the Cloud provider access your data in raw format or is it encrypted?

So much to think about if you are a CIO or IT manager.