by Paul Ducklin
Earlier this week, we published an article headlined “If you connect it, protect it.”
The TL; DR version of that article is, of course, exactly the same as the headline: if you connect it, protect it.
Every time you hook up a poorly-protected device to your network, you run the risk that cybercriminals will find it, probe it, attack it, exploit it and – if things end badly – use it as a toehold to dig into your digital life.
Cybercriminals who figure out how to commandeer a vulnerable device inside your network can use that device to map out, scan and attack your laptop – the one you’re using right now to work from home – as if they were right there beside you.
If you’ve ever played around with IoT devices, for example, you’ll probably know that many of them are based on the Linux kernel and the open source system software that typically forms the core of any Linux distribution.
Indeed, even the tiniest and most stripped-down devices often include not only special-purpose software tailored to that device, but also a host of standard Unix command line utilities that are the same as, or very similar to, the tools you will find in any penetration tester’s toolbox.
For example, a device such as a webcam or smart speaker usually doesn’t just contain audio and video processing code.
You’ll probably also find:
- One or more command shells. Shells such as bash, lash, ash or dash make it easy to run command scripts to automate system management tasks.
- LAN and wireless configuration programs. Tools such as ifconfig, ip, iwlist and iwconfig make it straightforward to map out and configure network settings.
- Downloader tools. Programs such as curl and wget can be used not only for downloading files over the internet, but also for uploading stolen data to outside websites, typically just with a single command.
- Other scripting software. You will often find programming tools such as awk, mawk or gawk, a minimalist scripting language that can be used to write internet clients and servers, as well as sifting and searching files, all in just a few lines of code.
- Scheduling tools. Program such as cron or an equivalent make it easy to schedule programs to run at regular times even when no one is logged in, for example to watch out for computers being connected to the network and sending back a notification message.
- Remote access and encryption tools. Many IoT devices include both SSH client and server software such as ssh, sshd or dropbear. These give crooks a way to create secret, encrypted network “tunnels” into and out of your network using software that’s already there.
- Network and account passwords. Your Wi-Fi password may very well be stored in a plaintext file on the device, such as /etc/wpa_supplicant.conf. Password or authentication tokens for any accounts that the device is hooked up to may also be lying around for the taking.
Generally speaking, the closer the crooks get to your computer on the internet, the more aggressively they can attack it – and the next best thing to being on your computer already is to be right next door on the same network with their favorite hacking tools preinstalled.
What to do?
By now, it might sound as though you need an enormous range of skills just to figure out where to start, let alone where to finish, in securing your own network to be robust enough for WFH. (ICYMI, that’s short for working from home.)
The good news is that you don’t need the combined practical experience of an IT manager, a tech support guru, a penetration tester and a network engineer.
We’ve come up with eight questions you can ask yourself about devices on your home network, and about the setup of your network, that will help you run a tighter WFH ship.
Think of it as going through your very own Cybersecurity Awareness Month at home:
- Step 1. Do I actually need this device online? If not, consider removing it from your network. Or if you don’t need it listening in or activated all the time, consider powering it down when you aren’t using it. (Unplugging it from the wall socket is often all you need to do.)
- Step 2. Do I know how to update it? If not, find out how. If the vendor can’t reassure you about security updates, consider switching products to a vendor that does (and see step 1).
- Step 3. Do I know how to configure it? Make sure you know what security settings are available, what they are for, and how to set them up (and see step 2).
- Step 4. Have I changed any risky default settings? Many IoT devices come with remote troubleshooting features turned on, which crooks may be able to abuse. They also often arrive with default passwords set, which the crooks will definitely know. Some routers ship with Universal Plug and Play enabled, which can expose the inside of your network by mistake. Check and change defaults before you make the device live (and see steps 2 and 3).
- Step 5. How much am I sharing? If the device is hooked up to an online service, familiarize yourself with how much data the device is sharing, and how often. You may be happy to share some data, but never feel squeezed into turning all the options “to the max” (and see steps 3 and 4).
- Step 6. Can I “divide and conquer” my network? Some home routers let you split your Wi-Fi into two networks that can be managed separately. This is useful if you are working from home because it means you can put your home IoT devices on a “guest” network and your work computers such as laptops on another (and see steps 1, 2, 3, 4 and 5).
- Step 7. Can I turn on “client isolation”? Some home routers have an option known as client isolation that shields devices on the network from each other. This reduces the risk of a security hole in one device being used to attack other computers “from inside” (and see steps 1, 2, 3, 4, 5, and 6).
- Step 8. Do I know whom to turn to if there’s a problem? If your work has an IT department or offers access to tech support, make sure you know where to report anything suspicious. Ask them what information they are likely to need and provide it at the outset, in order to speed up the process.
By the way, if you’re an IT department looking after remote workers, make it easy for your less-technical colleagues to reach out for cybersecurity advice, or to report suspicious activity, and take the attitude that there’s no such thing as a stupid question, only a stupid answer.
In our experience, most employees are ready and willing to do the right thing when it comes to cybersecurity – after all, if they get hacked while WFH then their own digital life is at risk along with the company’s.
Set up an internal email or telephone reporting line where users can easily and efficiently report possible attacks and get the whole company to be the eyes and ears of the security team!
AKAVEIL Technologies has decades of experience, skills, and knowledge in the evolution of cybersecurity practices and standards. In addition, we have carefully chosen SOPHOS as a security partner. SOPHOS provides ongoing research and knowledge in the cybersecurity arena which ensures their products are up to the most current specifications for your protection. We understand security posturing for optimal protection, detection, and recovery.
Related article & Information: