7 Steps to Build a Defense in Depth Strategy for Your Home
By Roger Spears – Cybersecurity Project Manager, Schneider Downs
One of the primary pillars of cybersecurity is having a “defense in depth” strategy, which means layering defensive security measures to protect your assets from digital intruders.
With a defense in depth strategy, even if a digital intruder gets through one layer, they are met with another, and another, and another… until they lose interest and moves on to a new, more vulnerable target. Defense in depth is not about being perfect; it’s about making it difficult for digital intruders to access your assets.
While many people think about multi-faceted security strategies from an organizational perspective, it’s also important to think about the personal security of home networks. We prioritize physical safety at home by frequently checking windows, locking our doors and installing security systems. We must approach and prevent digital intruders with the same vigor.
To have the best chance of preventing digital intruders’ attacks, home networking equipment must be configured properly and updated regularly. Here are seven best practices for improving your home network security with a defense in depth strategy.
- Responsible Network and Password Security
Managing a home network might sound daunting but, with the proper guidance, it is quite simple.
Many don’t realize they interact with modern home networking equipment by using graphical user interfaces (GUIs) that allow point-and-click configuration and maintenance. All the following can be configured using GUIs: the administrator account password, USB and cloud settings, configuration from inside the network, wired administrator connection, segmentation, updates and resources.
Home networking equipment includes an administrator account for configuration. Out of the box, that administrator account uses a default password, and, in most cases, you must change the administrator account password for security reasons. If you are not forced to change the default, make sure to do so anyway.
When changing your administrator account password, never reuse the default password or any easy-to-guess passwords, such as your physical street address or last name. If a digital intruder discovers the make/model of your home networking equipment, they can find the default password by performing a simple Internet search.
To see how someone could discover the name of your home networking equipment, use your phone or laptop to search for wireless networks around you. The default name for home networks usually includes the make and model of the network device.
- Secure USB Devices and Connectivity
Modern home networking equipment usually includes USB connection capabilities. USB devices usually include printers or flash drives but can also include external hard drives and other digital asset repositories used to store private information.
Before plugging in, remember that once connected to the networking equipment, the information contained on the USB device is available to all users on your network – including malicious ones loaded with malware. And if a digital intruder accesses your network, they will have access to those USB-based assets.
From a security perspective, the ability to plug a USB device into your home networking equipment is like an open window in your house. If possible, you should disable the USB device connectivity from your home network.
- Secure Cloud Services and Connectivity
The same risks associated with USB devices connected to your network apply to cloud storage.
Cloud services allow you to store files on “the cloud” and are usually offered by the manufacturer of the home networking equipment or can be bought from a third-party, such as Google or Microsoft.
While cloud services have many upsides, “cloud” is really just another name for somebody else’s computer. This means anything you store on the cloud is only as secure as the service provider and, unfortunately, cloud service providers often experience security issues that impact their users.
Remember, any service on your home networking equipment that connects directly to a third-party service, such as cloud services, is another entry point for a digital intruder.
- Restrict Administrator Rights
Another best practice for improving home network security is to restrict the administration rights to your network.
Nearly all modern home networking equipment allow you to limit the connection type when performing administrative duties. Make sure your home networking equipment can only be administered from inside the network.
This means you can’t be on the road or in a hotel and connect back to your home networking equipment to configure it. It also means digital intruders can’t configure your home networking equipment from outside your network.
Also, consider only performing administrator tasks while using a wired connection. Performing administrative tasks on networking equipment using a wireless connection allows digital intruders to potentially capture that traffic over the air. Typically, manufacturers of modern home networking equipment include cables in the box. If you need a cable, they are usually available at your local big box store or favorite online shopping outlet.
- Implement Network Segmentation
Another best practice for securing home networks is network segmentation. Network segmentation involves creating separate networks for separate purposes. These networks can include televisions, smart devices, computers, phones and guest networks.
For those working from home, it’s a good idea to have a separate network just for work equipment. If you work from home, the same thought should be applied. Nobody should be able to observe network traffic related to your work. Imagine visiting a hotel or restaurant and observing their network traffic for payments.
Guest networks are especially important because you don’t know how others use their devices. If their device is infected, that infection could spread to your networks. Additionally, visitors could lose their devices or accidentally reveal your network password to others.
If a guest were to lose their device or reveal your guest network password, there is less potential for harm if you have proper network segmentation.. Preventing networks from seeing each other provides traffic and access segmentation, which can prevent network segmentation-caused breaches, such as the attack on Target many years ago.
Take the time to review your networking needs and develop your own list of networks. If your home networking equipment provides an option that prevents networks from seeing each other, be sure to activate it.
- Continually Update Home Network Equipment
Be sure to continually update your home networking equipment. Just like computers and phones, networking equipment receives updates, which provide critical security fixes, security enhancements and new features.
You can view a list of all known vulnerabilities (and their severity levels) associated with your home network equipment. The National Vulnerability Database maintains a list of known Common Vulnerabilities and Exposures (CVE). The CVE number associated with each vulnerability contains the year it was discovered/registered as a CVE.
Visit https://nvd.nist.gov/vuln/search and provide the make and model of your home network equipment in the “Keyword Search” box and click the “Search” button. Keep in mind, several of the vulnerabilities listed may have already been remediated with firmware updates provided by the manufacturer.
If you can’t set up automatic updates, simply set a calendar reminder or opt-in to your network provider’s notifications to make sure your equipment is running at its most secure state. If you purchase used equipment or prefer a more manual process, you can reference your home network equipment firmware and check the manufacturer’s website for updates.
Remember to warn other users of your home network before launching the firmware update, as these updates usually drop connections while they install the new firmware and reboot.
- Contact the Manufacturer
Finally, if you want to avoid restarting or restoring network default settings when you are experiencing issues with your home network, you can always reach out to the manufacturer.
With the rise of remote work and cloud-based storage and applications, it’s vital to keep your household network and all the information in it secure. It’s as important as locking your doors at night.
About the Author
Roger Spears, Cybersecurity Project Manager
Mr. Spears has over 18 years of experience within the IT and Cybersecurity disciplines. He has spent his career leading dynamic teams on both small- and enterprise-level projects. He has previously served as Chief Technology Officer, Cyber Security Training Coordinator and in other related positions for employers in the higher education sector and, most recently, for the U.S. Navy. He will serve a broad array of Schneider Downs’ cybersecurity clients in similar capacities.
Mr. Spears received his Bachelor of Science in Technology from Bowling Green State University and his Masters of Science in Information Assurance and Security from Capella University.