Cyber for the Rest of Us: Securing Home Networks, for Home Users

Last Updated: 2019-07-25

Introduction

The first guide written by Kensho Security Labs was on the topic of safely purchasing and configuring PC devices for the first time. That guide would make fantastic preliminary reading for this topic, so we've also updated it with the latest findings.

Let's talk about why you would care. Just this past week, the RCMP plead for the public's patience as they continue to investigate and work with victims of ransomware attacks. Ransom is on the rise (as are malware in general), and while a lot of that is down to target attacks against targeted organizations, the nature of a lot of malware is to spread itself.

This guide is going to essentially cover core security concepts: perimeter security, and defense in depth.

Permiter Security

When most people think of security, this is fundamentally what they're thinking of - keeping attackers off their network, out of their house, or the kids off the lawn. That's perimiter security, and it actually is important.

There's a lot your can do to defend your home network at the perimiter, and some of it's going to start at your router, modem, or switch. To a certain extent this is going to depend on your ISP and how they've set your network up initially.

Most people, at least, most people we know, have some form or function of SOHO (Small Office/Home Office) router in their home that forms the nucleus of their network. This might or might not be the entry point of the internet (WAN) into their home, as well, but it's almost certainly the thing they connect to (wirelessly or physically) in order to hit the internet.

Here are a few things you can do to use that to your advantage:

  • Replace the router with one you yourself own, obtained from a reputable vendor, of a reputable brand and model. The advantages of having your own router are two-fold - you have greater control over the configuration than ISPs are usually willing to expose, and, you are now free to patch at will.
  • Patch the router regularly! Set a reminder in your to-do list app of choice to check routinely for updated router firmware. Familiarize yourself with the manager's instructions nd make the noble sacrifice of a brief network outage to keep your router patched. Regular patching is important for defending against both local attacks (which as a home owner aren't really in your threat model), and WAN attacks originating from the open internet.
  • Don't use WPS! There have been known issues with Wireless Protected Setup (WPS, sometimes known as push-button or PIN setup), since 2011. The nature of the particular vulnerability, a brute force attack, is essentially unresolved. It would be far better to completely disable WPS from within the router configuration - or better, buy a router that doesn't have support for it in the first place.
  • Don't use uPnP or DMZ routing,both of which are common solutions to network issues for various internet-connected devices, as purported by the communities that support them. Both of these are genuinely bad ideas. Instead, familiarize yourself with the process your router has for setting up manual port forwarding. If you have the technical chops to set up your own minecraft server, you can set up a port forward manually.
  • Use the router firewall defaults!

Defense in Depth

The bad calls are coming from inside the house! What do you do once the hackers or malware are already on the network? Well, there's actually a few things to do, most of which are completely free to you, save for a few moments of your time.

These strategies, broadly, are a subset of techniques known as Defense in Depth - the idea that your defenses don't stop at the outer wall.

  • Use device firewalls wherever possible. If you read the PC Onboarding Guide, you know I'm a big fan of device-level firewalls for this purpose. The common OSes all have perfectly valid and robust device firewalls which are trivial to activate, and whose default settings are sufficient for the needs of most users. Familiarize yourself with these tools and use them - in most use cases, they're 99% set-and-forget. And if you're the kind of person who runs into an issue where they need to do something that makes their firewall grumpy, you're technical enough to add an exception or rule rather than disabling the firewall completely. In fact, follow the whole PC onboarding guide - endpoint security IS defense in depth.
  • Avoid Phishing! Obviously, if detecting phishing attacks (email intended to enduce you into punching in credentials on a fake site, or download malicious content) was trivial, we'd have done that already. Even real-life cybersecurity professionals get phished. My usual method: if the email was unexpected, ignore it. If I can't ignore it, go manually to the website the email claims to be for and log in as normal, or contact their customer support.
  • Don't use a flat network architecture! Most home networks look a lot like a menorah - a straight line from the internet through one or more devices to the router, and then every device in the house plugging directly into the router. Unless you have the router firewall set up such that none of the devices on the network are allowed to talk to each other (a very user unfriendly arrangement), I would strongly recommend against this. A future guide will focus more on the practical portion of this topic, but in general, there's nothing to stop you from setting up a few subnets - gaming consoles, pcs/printers, and mobile devices. Some of this is going to depend on what the others need, and it's highly specific. Until the guide on that topic comes out, you should feel free to Contact Us for advice on this topic.
    This sort of behaviour curtails the movement of passive/automated attackers (like malware) across your network while also making life harder for active threats - which you're unlikely to face as a homeowner anyway.
  • Have a good backup routine. Any machine in your home which handles data that's irreplacable (documents, photos, home videos, game save states, or what have you) should have a process in place to run automated backups and save them to either another machine on your network, or, ideally, somewhere completely different. Even backing up regularly onto an external drive that spends most of its time disconnected is better than nothing. Many operating systems have some version of this. I personally haven't found any of them to offer the full flexibility and specificisty I require, which is why I built Tapestry. Tapestry is open-source, free-to-use software for making backups across multiple devices, with an eye to security for the backup. I trust it so well that I store home backups at my office as a way to keep an offsite record.
  • Have a plan for when you get compromised. Anyone who has been on the computer as a kid - or has kids using the computer - knows that it's not exactly difficult to get your computer compromised. While remediating an infected computer is a guide in and of itself (and a profession, for that matter), it's not that unreasonable to cover a few quick tips:
    1. Disconnect the affected computer from the network. This will limit the possible avenues for the infection to spread, if it's self-spreading.
    2. Run your antimalware tools and follow the usual remediation workflow they expect.
    3. If the antimalware tool has difficulty, you can either hire someone to remedy that for you (find a reputable local vendor), or go for the time-consuming, but ultimately simple, method.
    4. If your OS supports it, restore to a known-good restore point. Rerun your malware checks to make sure that was successful.
    5. Otherwise, do a fresh OS install, ideally after securely wiping the drive. Most OS installers I've worked with include an option to wipe the drive prior to installation. Then, you can restore your files from a clean backup.

I hope you enjoyed this guide. It's my belief that guides on basic information security should be freely available to anyone who needs them - as a part of my belief that Privacy is a Human Right. That said, if you enjoyed this or any other Kensho Security Labs guide, I would strongly encourage you to donate to our Coffee Fund!