Corporate espionage, stealing financial data or hacking governments: these are just some of the motives a hacker may have, whether acting for fun or reward. It's not just companies that are targets; home users can be tangled up in cyber theft too, and it isn't solely corporate data that's at risk. Banking transactions and private documents can be targeted, and computers can be hijacked for botnets.
With so many vulnerabilities becoming known in the press over the past 18 months, network enthusiasts at DrayTek have come together to release a white paper. It may not be foolproof, but it could be the difference between your company or household staying better protected against current and future cyber security issues. Their hard work and full case study can be reviewed here, covering Routers, Access Points, Passwords, and general setup.
Think of your online security in a simpler form: imagine you have the strongest locks and doors on your home. If those locks aren't used, or the doors are left open, you're in no better position than if you had fitted poor quality alternatives. The same principle applies to the Routers and Access Points that keep you, your family or even your business connected. After all, such devices are merely a gateway for traffic to pass through. With some simple tweaks you can decide whether all traffic is allowed to pass through, or is halted before a potential vulnerability can be exploited.
No network can ever be 100% safe, but with a few simple tweaks you can better protect yourself and your customers. It's worth stating before we go on that, although DrayTek have been kind enough to offer insight into smarter network security, the following recommendations apply to all brands of broadband routers and wireless devices.
Simple tweaks to secure your network – Routers
A router can be the generic, simple device handed out for free by your domestic/home internet service provider, or a more sophisticated 'business class' firewall, intrusion detection system or threat management device.
- Always change default passwords. When routers are sent out they provide very basic login details to make it as simple as possible, no matter what your level of IT experience (if any).
- Choose a strong password. Not just for your router, but for the accounts attached to it, from SIP/VoIP and IP PBX extensions to general user accounts. More importantly, don't use the same password for more than one of them.
- Always specifically log out of your router’s admin interface. Doing this gives additional protection against clickjacking and XSS attacks.
- Do not enable remote management. For many, remote management is not needed. If this is the case, simply disable the feature. Further to this, do not send syslog, SNMP, or logging data across the internet.
- Keep firmware up to date. A simple restart will enable your router to double check for any updates being provided by the manufacturer.
- Two-factor authentication (2FA). If you are considering the use of remote and mobile access, consider the use of 2FA. It works as a fail-safe if someone were to gain access to your login details. Some routers may support 2FA; the trade-off is a little extra inconvenience in exchange for increased security. 2FA works by generating a one-time password when a login attempt is made. This unique key is then sent to the admin's mobile device to confirm that access to the network is legitimate.
- Only ever use firmware updates and admin tools provided direct from the manufacturer’s official website.
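The one-time password step described in the 2FA point above, shown as an added example (not DrayTek's code or any router's firmware): a code is issued per login attempt, expires, works only once, and is discarded after repeated wrong guesses. The class name, the 120-second lifetime and the three-attempt limit are assumptions chosen for illustration; delivery to the mobile device is not shown.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed per issued code (assumed policy)


class LoginOtp:
    """Hypothetical second-factor step: one code per login attempt."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code digest, expiry, attempts left]

    @staticmethod
    def _digest(code):
        # Fixed-length digest so any submitted string can be compared safely.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, username):
        """Call only after the password check has passed. Returns the code
        to deliver to the admin's registered mobile device."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        self._pending[username] = [self._digest(code),
                                   self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        digest, expiry, _ = entry
        if self._clock() > expiry:
            del self._pending[username]       # stale code is discarded
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[username]       # single use: a replay fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]       # stop guessing of the 6 digits
        return False
```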
Best practice for keeping WiFi secure – Wireless LAN
Wireless LAN (WiFi) provides businesses, homes and so many other locations great freedom and convenience. It's an ease of access that can help improve customer satisfaction while also providing better connectivity for guests. Many of these guest users will use it as intended. But it does leave you exposed to unwanted users or actions.
So how can you, as a business or administrator, reduce this kind of issue?
Failure to operate your network correctly can leave you exposed to malicious attacks, much like the example we used earlier of not using doors and locks appropriately.
- Change your access point's/router's default password, or even disable wireless access altogether. If it's not needed after all, why offer it to the user?
- Use the strongest encryption at your disposal. Security methods such as WEP and WPA are old hat and relatively easy to crack. Consider the use of WPA2/PSK whenever possible.
- Consider scheduled timers. Disable wireless LAN during certain times such as overnight while your business is closed.
- Change the default SSID name. Using a name that doesn't easily identify your company, location or brand of router/access point keeps your network discreet. Only in isolated circumstances, such as guest access, is a simple identifier expected.
- Create isolated guest networks. Only if required, and restrict user devices from being able to communicate directly with one another.
- Change passwords periodically. If you let staff and guests access your network, they can easily give away your network credentials.
- Set up MAC locking, as the possibility of credentials being shared is high. MAC locking will make sure that only recognised devices can access the network. Whether or not the unidentified user has the login details, you can be sure to keep them at arm's length by automatically rejecting their login attempt.
- Disable any WPS features if your device is physically accessible by guests and users.
- Where possible, use manufacturer diagnostic tools. These let you keep tabs on connected devices and traffic and highlight any pending security issues, allowing you to act before an issue can escalate.
For some, these actions will no doubt already have been set up by your systems administrators. But for those new to the role and looking to better secure their networks, these are some simple steps to maintain a high level of security.
Until next time