Author: David Schuetz, senior security engineer, Expel
Whether you’re at home or at the office, there’s a good chance you’re relying on the Internet. At the office you might have a security team who works hard to ensure your data is protected. But what about protecting your security at home?
As of late, it seems like nearly everything is connected to our Wi-Fi. From multiple laptops and cell phones, to thermostats and light switches, smart technology makes our lives easier. And now in the age of social distancing, we are relying on our home networks more than ever. But the idea of being responsible for keeping your personal network connections and devices secure can be daunting.
Does this mean you should live in a constant state of fear that someone will hack into your network or devices? No. But you do need to know about some steps to take to protect yourself.
So … what threats should you be worried about, exactly?
Most common threats
For the purpose of this post, let’s put vulnerabilities into three buckets – networks, endpoints and online behavior – and talk about why you should care.
A. Networks
If it’s connected to the internet (laptops, TVs, voice assistants, etc.), then it can probably access other devices at home. Which means there are ample opportunities for attackers to find entry as we transmit data throughout our networks. But, unless you live off the grid, you don’t have much choice except to rely on the internet to function in society. Think about securing your networks like locking your doors at home. You don’t want attackers to come in and steal your belongings. And you definitely don’t want them using your home to conduct criminal activity (resulting in the FBI busting down your door).
Opening a port on your router for a game, connecting a thermostat to the cloud, even giving a visitor your Wi-Fi password for their phone – these can all open our networks to potential threats. Luckily, there are relatively simple ways you can make sure no one is slipping in your back door while you aren’t paying attention (check out the 10 tips at the end of this post).
I also get a lot of questions about using public Wi-Fi. Here’s my advice: getting attacked while using public Wi-Fi isn’t probable if you aren’t a big target, but it is possible. That’s why it’s important to be thoughtful when you are using networks outside of your home. Improve your security on public Wi-Fi by using a VPN, or avoid the Wi-Fi altogether and tether to your cell phone (ideally with a cable).
B. Endpoints
Many built-in services on laptops can create more opportunities for attackers. A well-known attack is a fake “help desk” call, tricking someone into granting remote access to their screen. Unless you directly call for IT support, no one needs you to share your screen or to enable remote control. Avoid leaving file-sharing features like AirDrop turned on (and when you do turn one on, set it to accept files from contacts only). Turn on file sharing and remote access only when you need it, and turn it off again once you’re done.
Think about the apps you use, too. Be careful when installing an app that asks you to change network settings – it could be trying to watch your web traffic. And if an application asks for access to your location, contacts, or other privacy-related content, don’t say “Yes” unless you understand exactly why it’s asking.
As a general rule, lock your computer screen if you get up to grab a cup of coffee and put a lock on your cell phone screen. It’s helpful to update your settings so your screen locks automatically after being idle for five minutes. Sure, locking screens might matter a little less if you live alone and are working from home, but these are still good habits to adopt.
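A quick way to see whether remote-access or file-sharing services are actually switched on is to look at what your machine is listening on. The script below is an added example, not part of the original post: it parses the output of the Linux `ss -tlnp` command, ignores anything bound only to loopback, and flags listeners on the usual remote-login and file-sharing ports. The sample output and the port list are constructed for the example; adjust the list to whatever you consider “should be off” on your own machine.

```python
"""Flag listening services that expose remote access on a home machine.

Added example (not from the original post). Parses `ss -tlnp` output
(Linux) and reports listeners bound to a non-loopback address on
well-known remote-access or file-sharing ports.
"""
import re
import subprocess

# Services the post says to keep off unless you need them (constructed list).
REMOTE_ACCESS_PORTS = {
    22: "SSH remote login",
    445: "SMB file sharing",
    3389: "RDP screen sharing",
    5900: "VNC screen sharing",
}

# Constructed sample of `ss -tlnp` output, used when `ss` is unavailable.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       50      *:445                *:*                users:(("smbd",pid=901,fd=31))
LISTEN  0       5       [::1]:5900           [::]:*             users:(("x11vnc",pid=1203,fd=5))
LISTEN  0       128     [::]:3389            [::]:*             users:(("xrdp",pid=1300,fd=11))
"""

# Addresses only reachable from the machine itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def split_addr_port(local):
    """Split 'addr:port' on the last colon (keeps IPv6 brackets intact)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def audit_listeners(ss_output):
    """Return (port, address, process, description) for every exposed listener."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr_port(fields[3])
        if addr in LOOPBACK:
            continue  # local-only, not reachable from the network
        if port in REMOTE_ACCESS_PORTS:
            match = re.search(r'\("([^"]+)"', line)
            proc = match.group(1) if match else "unknown"
            findings.append((port, addr, proc, REMOTE_ACCESS_PORTS[port]))
    return findings


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-tlnp"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    for port, addr, proc, why in audit_listeners(output):
        print(f"port {port} ({why}) open on {addr} by {proc}")
```

On the sample data the script reports SSH, SMB and RDP as exposed, while the VNC listener is skipped because it is bound to `[::1]` only. Anything it prints is a service worth turning off until you need it.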
C. Online behavior
Attackers often count on us to make a mistake and accidentally open the door for them. Think about the number of times you enter your bank and credit card information when you’re ordering groceries from Amazon. Make sure you’re shopping through reputable dealers and avoid storing your credit card information on a website. Many banks will allow you to set up text message alerts for large purchases or unusual activity – a smart feature to enable, to be on the safe side.
Then there’s phishing. What makes something look suspicious? Emails with a sense of urgency or a time limit, obscure invoices and warnings of disastrous outcomes are all red flags. Pop-ups that won’t go away or are asking you to download something are often nefarious. Make sure you also hover over links and investigate them before clicking them.
Do I need to bother mentioning that you shouldn’t plug an unknown USB drive into your computer? Just in case… don’t do that.
Don’t be too quick when granting access to shared documents in G Suite or iCloud, for example. Make sure people and organizations can be vouched for and are trusted before granting access.
Watch what you share on social media. Never give out your address or personal information. Hackers can search on social media sites to find answers to security questions.
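“Hover over links and investigate them” boils down to one check: does the site the link shows you match the site it actually goes to? The script below is an added example, not part of the original post. It walks the links in an HTML email, compares the host named in the visible text with the host in the `href`, and also looks for the urgency phrases mentioned above. The sample message and the phrase list are constructed for the example.

```python
"""Check an HTML email for mismatched links and urgency language.

Added example (not from the original post). For each <a> element it
compares the host shown in the link text with the host in the href,
and it flags urgency phrases in the body text.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases that often signal a pressure tactic.
URGENCY_PHRASES = ("act now", "within 24 hours", "account will be suspended", "immediately")

# Constructed sample: the visible text names one site, the href goes elsewhere.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://login.example-verify.net/session">https://www.example-bank.com/login</a></p>
<p>Questions? <a href="https://www.example-bank.com/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def host_of(value):
    """Host part of a URL-looking string, or None if it is not a URL."""
    if "://" not in value:
        return None
    return urlparse(value).hostname


def analyze_email(html):
    """Return mismatched links (shown text vs. real href) and urgency phrases found."""
    parser = LinkCollector()
    parser.feed(html)
    mismatched = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            mismatched.append((text, href))
    body = " ".join(parser.text).lower()
    urgency = [phrase for phrase in URGENCY_PHRASES if phrase in body]
    return {"mismatched_links": mismatched, "urgency_phrases": urgency}


if __name__ == "__main__":
    result = analyze_email(SAMPLE_EMAIL_HTML)
    for text, href in result["mismatched_links"]:
        print(f"link shows {text} but goes to {href}")
    print("urgency phrases:", result["urgency_phrases"])
```

The check only fires when the visible text is itself a URL; a link labelled “Help center” has nothing to compare against, which is exactly why hovering (or reading the real target in a mail client) still matters for plain-text links.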
Tips and tricks for computer safety and privacy
We’ve only scratched the surface and already this looks like a lot of work. How can you make sure you aren’t allowing yourself to be a target without spending your entire day thinking of all the ways you can be attacked? Use these 10 tips and tricks.
1. Create strong passwords, don’t reuse them on different sites, and ALWAYS use MFA – multi-factor authentication – when given the option (these are one-time passwords, push messages, even text messages in a pinch). Also, use a password manager application! A good password manager can make it easy to select strong, unique passwords, and should support many built-in MFA systems. They can warn you if you’ve accidentally reused a password, or if you forgot to enable MFA. They can even alert you when sites you visit have had a recent password breach.
2. Keep your software updated on operating systems, apps, laptops, cell phones and routers. Vendors are constantly patching bugs and security holes, some of which can be critical entry points for an attacker. Most operating systems and app stores can automatically update their software for you. Keeping your home network updated (Wi-Fi routers, etc.) isn’t quite as critical, but if it’s been years since you looked at your router, it may be a good idea to check for updates.
3. Use WPA2 with a strong password when setting up Wi-Fi at home. For your visitors, consider setting up a guest network with a different network name and password.
4. Disallow remote access to your network and desktop (remote login, screen and file sharing, etc.) by disabling it on your computers and limiting the number of ports you let through the internet router. When you do need it, enable it only for the time you’ll be using it, and then immediately turn it back off again.
5. Create a separate administrator account, and use a non-admin account for day-to-day activity. By keeping your administrator “persona” separate from your daily use account, you lessen the chance that you may accidentally install malicious software without paying attention (many of us are a little too quick to click that “OK” button when we are prompted). By forcing you to switch to a different account, you ensure that a random, “Oh, I need your admin password now,” prompt isn’t going to break your computer, and makes installation of software and system-level changes a much more explicit action.
6. Be careful with what you share online. Many sites still use “secret questions” to help you recover passwords. But a secret question like “What brand was your first car?” is only secret if that information is hard to find. Many common secret questions end up being things that people frequently share online (as part of a Facebook profile, or some forgotten tweet that might be easily searched for). Still others may be found from common data aggregation services – it’s surprisingly easy to find the last five home addresses for just about anyone, often for no charge. Also, you should be careful not to give away too much about where you are (“I’m in Europe for a month, and our dogs are at the kennel, so our big suburban home in the wooded neighborhood is COMPLETELY UNATTENDED.”) It’s not likely that burglars are trolling social media to find targets, but you shouldn’t make it too easy for them, either.
7. Be thoughtful about the apps you install and always download from a trusted app store when possible. The “big” app stores (Apple, Google, etc.) do a pretty good job of making sure that malicious software is kept out, and sticking to just those sources will go a long way to keeping you safe and secure. Whenever something (especially a website) prompts you to download a “special app,” don’t download it right then and there. Instead, note what the file is (or does) and try to find it, or a suitable equivalent, in one of the main app stores. Even if you can’t find it in the app store, if you can independently source it on the web, rather than taking the version the website just offered, that’s usually a better plan.
8. Have a keen eye for phishing and social engineering. Scams still come through email more than any other method, but the phone is a growing source of computer attacks. The most common is some variant of a “help desk” calling to warn you that your computer is compromised, and asking you to do things to help them secure it (which instead just opens it up to their attacks). Plus there are all manner of old-school confidence tricks that people still succeed in pulling off, through phone calls, text messages and email. Learn how to recognize these, and swiftly ignore them when they happen (hang up, delete, etc.).
9. If your router (and tech-fu) supports it, put all your internet of things, er, things (security cameras, baby monitors, refrigerators, smart-locks, etc.) on a totally separate network with its own access point. This is a great place to put your guest network as well, though they’ll lose the ability to interact with your TV, etc.
10. Backups, backups, BACKUPs! Backing up your data is a pain. Do it anyway. Follow the 3-2-1 rule: Keep 3 copies of your data; on 2 different systems (for example, one in the den, one in the basement); and 1 off-site (like at a friend or relative’s house). Keeping two copies at home protects you against a single computer failure or breach, keeping one outside of the house protects you against a house fire. Cloud-based services like Backblaze are fantastic for offsite backups.
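A backup you never verify is a backup you only hope you have. The script below is an added example, not part of the original post: it hashes each copy to confirm they are identical and then checks the 3-2-1 rule from tip 10 (3 copies, 2 different systems, 1 off-site). The copy descriptions and sample files are constructed in a temporary directory for the example; in practice you would point it at your real backup locations.

```python
"""Verify a set of backup copies against the 3-2-1 rule.

Added example (not from the original post). Each copy is described by
its path, the system it lives on and whether it is off-site. The check
confirms all copies hash identically and that the rule is met.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_321(copies):
    """copies: list of dicts with keys path, system, offsite.

    Returns (ok, problems) where problems lists every rule that failed.
    """
    problems = []
    digests = {copy["path"]: sha256_of(copy["path"]) for copy in copies}
    if len(set(digests.values())) > 1:
        problems.append("copies differ (corrupt or stale backup)")
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({copy["system"] for copy in copies}) < 2:
        problems.append("all copies on one system, need 2")
    if not any(copy["offsite"] for copy in copies):
        problems.append("no off-site copy")
    return (not problems, problems)


def demo():
    """Build constructed sample copies and run the check on a good and a bad set."""
    with tempfile.TemporaryDirectory() as tmp:
        data = b"family photos and tax records"  # constructed sample content
        paths = [os.path.join(tmp, name) for name in ("den", "basement", "friend")]
        for path in paths:
            with open(path, "wb") as f:
                f.write(data)
        good = [
            {"path": paths[0], "system": "den-pc", "offsite": False},
            {"path": paths[1], "system": "basement-nas", "offsite": False},
            {"path": paths[2], "system": "friend-drive", "offsite": True},
        ]
        good_result = check_321(good)

        # Break the set: the third copy is stale and nothing is off-site.
        with open(paths[2], "wb") as f:
            f.write(b"old snapshot")
        bad = [dict(copy, offsite=False) for copy in good]
        bad_result = check_321(bad)
        return good_result, bad_result


if __name__ == "__main__":
    for label, (ok, problems) in zip(("good set", "bad set"), demo()):
        print(label, "OK" if ok else "FAILED: " + "; ".join(problems))
```

Run it on a schedule (or after every backup job) and treat any reported problem as a backup you do not actually have yet.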
Author David Schuetz is senior security engineer at Expel, a major MDR service provider.