When run well, office and corporate networks have multiple layers of security, and common vulnerabilities are mitigated. But what happens when end users go home and begin to access resources and data on the corporate network from a home network that is not maintained or controlled by the IT security team? To be as productive as possible, the end user wants the convenience of accessing the data from anywhere, while others are concerned about data loss or intrusion. In small and medium-sized businesses, this can be a bigger puzzle to solve. Often companies don’t have well-defined guidelines for remote users, though the need for remote access and flexibility is even higher.
Recently, a client asked me to create a checklist for their end users that they could use to make sure they were achieving at least fundamental security on their home networks. I wanted to share that list publicly to help as many people as possible.
Regardless of how a user achieves remote access, whether through VPN, Remote Desktop, or cloud applications like Outlook Web Access, SharePoint or Google Docs, one of the main security vulnerabilities is the endpoint from which they are accessing these things. For example, if a user’s home machine has been compromised and is being controlled remotely, any data that user accesses via any service will be vulnerable.
Updates for Operating System and Third Party Applications
Most security exploits today will arrive via your web browser or via email. The goal for the attacker is to run code that exploits flaws in the software that you are running. Software vendors are constantly releasing updated software patches to repair these flaws, so it’s very important to stay up to date. The mistake many people make is assuming that updating their operating system through Windows Updates or Mac Updates is enough. Or they may simply delay installing updates over and over again because it’s inconvenient. My personal opinion is that on Windows machines at home, it’s best to have automatic updates turned on for the operating system. For Macs, the updates can be set up automatically as well. Installing updates for third-party apps is also extremely important (e.g., Chrome, Firefox, Adobe Acrobat, Flash, etc.). All of these applications have updates that should be applied. An elegant and easy solution for Windows is to use Ninite Pro, which allows you to scan and update all of these applications at one time. It has a small cost but is well worth it.
Anti-Virus and Firewall
Select a reputable Anti-Virus program. For years, Anti-Virus programs on the consumer side have tried to be everything under the sun for a user: antivirus, firewall, identity shield, etc. What I’ve come to find is that this just leads to confusion for end users and often gives them a false sense of security, while the bloated software brings the computer’s performance to its knees. Commonly, what we’ve found is that the user has forgotten to renew their subscription, so it is out of date and ineffective. Our preference is Webroot, which is effective, has a lighter install and doesn’t impact performance as much.
Remove Administrative Rights
When users purchase a new machine and set it up, often they don’t realize that the default user they are using has administrative control of their machine. This means they can do things like install software without being prompted for a username or password. On a Mac, even users who have administrative rights are prompted for a username and password for installing software — this is a great design that Windows has been moving towards. The best practice is to create another user account on your machine that has administrative rights and then set your normal user as a standard user or remove it from the administrators group entirely. This makes it more difficult for software to be installed without your knowledge.
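The account split described above, scripted for Windows as an added example (not part of the original article). `LocalAdmin` and `alice` are hypothetical account names, and the script assumes an elevated PowerShell session on Windows 10 or later with local accounts. It verifies that the new administrator exists before demoting the daily account, so you cannot lock yourself out of administrative access.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Both names below are hypothetical placeholders; replace them with your own.
$adminName = 'LocalAdmin'   # separate account used only for admin tasks
$dailyUser = 'alice'        # account you sign in with every day

# Look up the built-in groups by well-known SID so this also works on
# non-English Windows installs where the group names are localized.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators
$usersGroup = Get-LocalGroup -SID 'S-1-5-32-545'   # Users

# Stop early if the daily account name is wrong.
Get-LocalUser -Name $dailyUser -ErrorAction Stop | Out-Null

# 1. Create the dedicated administrator account if it does not exist yet.
if (-not (Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Choose a password for $adminName"
    New-LocalUser -Name $adminName -Password $password `
        -Description 'Used only for installs and system changes' | Out-Null
}
Add-LocalGroupMember -Group $adminGroup -Member $adminName `
    -ErrorAction SilentlyContinue   # ignore "already a member"

# 2. Verify the new admin really is in the group BEFORE demoting anyone.
$admins = (Get-LocalGroupMember -Group $adminGroup).Name
if ($admins -notcontains "$env:COMPUTERNAME\$adminName") {
    throw "$adminName is not an administrator; refusing to demote $dailyUser."
}

# 3. Make the everyday account a standard user.
Add-LocalGroupMember -Group $usersGroup -Member $dailyUser `
    -ErrorAction SilentlyContinue
Remove-LocalGroupMember -Group $adminGroup -Member $dailyUser `
    -ErrorAction SilentlyContinue   # ignore "not a member"

# 4. Show who still has administrative rights so you can review the result.
Get-LocalGroupMember -Group $adminGroup | Select-Object Name, PrincipalSource
```

Sign out and back in as the daily user for the change to take effect; software installs will then prompt for the `LocalAdmin` credentials.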
Restrict Children’s Access
If possible, don’t share a machine that you are using for work with children. Supply them with an inexpensive Chromebook or another inexpensive machine and set up the machine to restrict their permissions. We’ve encountered plenty of machines that children use part of the time and on which malicious software has been installed unknowingly. If they must use the same machine, be sure they’re running with a limited access account.
OpenDNS
DNS is the system that converts internet names like google.com into a number that is understood by the internet infrastructure. I’ve always thought of it as being a street address and the data that needs to get there as the envelopes that a postman needs to deliver. The first thing that needs to happen is you need to know the address of where it’s going. A service called OpenDNS can be leveraged to filter out addresses for malicious websites and locations from which malicious software is trying to download payloads. Additionally, the great thing about this is that it can be used by all of the devices on your home network: smart TV, Alexa, phones, etc. It’s a nice additional layer of protection.
Secure your Network Equipment
Another common vulnerability is the network equipment in your home. Often we find a cable installer has come in, popped in their latest router, got everything working and then left. Unfortunately, the default credentials for these and most home network equipment are well-known and easy to find. Be sure to change the default passwords on all of your network equipment and keep them up to date with the latest software and firmware updates.
Secure your WiFi
There are a number of things that should be done to secure your WiFi. Many of the articles I’ve looked at highlight what I would consider difficult or complex configurations for your average home user. This article, however, breaks down and groups things between the more simple and the more complex. My highlights would be the following:
- Change the default password.
- Use WPA2 for security with a complex password.
- Disable UPnP.
- Disable WPS.
Password Storage
Store your passwords securely using something like LastPass. Having passwords stored in your email or documents is a vulnerability.
This list is basic security that all home users should be implementing, including the remote workers who have access to business data or a company network from home. It’s fundamental security.