A lot of people are thinking about the security of their home network right now, and as one of the project leaders on the OWASP Internet of Things Security Project, I wanted to provide three levels of security you can do at home.
The most important thing to realize about this list is that it’s top-heavy. The first one is far more important than the second, and the first three are far more important than the second three. Etc.
Let’s start with Level 1.
There are security/hacker types that maintain massive repositories of passwords.
Change all default passwords to something unique and strong. This is the most important thing in this article. Most home networks get broken into through either phishing or some random device they have with a bad password. It’s usually a password that was never configured or never changed from the default. Use a password manager to make and store good passwords that are different for every account/device.
Patch all computers, routers, and other devices on the network. The second most important thing to do is make sure you keep all your computers and devices updated with security fixes. You should enable automatic updates if available, and try to update at least weekly if not.
Install MalwareBytes on all laptop and desktop computers. MalwareBytes has somehow won the battle of the best consumer anti-malware offering. And although it is a paid product, it serves as an extra layer of protection for users that aren’t the most educated or careful when it comes to practicing Safe Hex. Which is most people.
95% is a guess, but it’s probably closer to 99%.
If you did just those two things you’d be more secure than 95% of home users out there. But let’s look at Level 2.
- Enable 2FA for high-risk systems. Most peoples’ highest risk systems are their primary email account and their mobile phone account. These are the keys that open all doors into every other account you have (because they’re how you do account recovery). Next come your social media accounts, and then any accounts that control IoT systems in your house. Do you have internet-connected lights, appliances, gaming systems, media systems, etc? Get their passwords changed (see above), and enable two-factor authentication.
- Segment your high-risk devices onto a separate network. The next strong control to consider is segmenting your network. This is where you take your higher-risk systems, like your IoT devices, your entertainment systems, gaming systems, etc., and place them on their own network—separate from your personal computers, laptops, phones, etc.
One could argue putting this in the basic section.
- Change your DNS to 18.104.22.168, or 22.214.171.124 to get privacy and malicious domain filtering.Next, you can consider changing your DNS settings on all your devices to use those by Cloudflare. There are plenty of good options, actually; I’m just trying to be prescriptive. 126.96.36.199 blocks just malware, and 188.8.131.52 blocks malware and adult content. Make sure to set these on not just your router, but on your other devices as well.
So if you’ve done all that, you can now move into the tasty stuff at Level 3. This section requires some pretty significant technical knowledge to implement, and is probably far more than most people need. But it’s fun!
- Use Rumble to inventory your home network’s assets. Anyone serious about security starts with understanding what they’re defending, and that’s where Rumble comes in. It’s a tool created by H.D. Moore that creates a continuously-updated inventory of your local network, and there’s a free version for home networks! Install that, run regular scans, and investigate anything out of the ordinary.
- Use CanaryTools to monitor for malicious tampering on your network. After you have your inventory, you can move into looking for actual signs of trickery on the network. The most efficient way to do that is with Canary Tokens, and once again, there’s a free version! Create some, sprinkle them around, and look for hits.
The Dream Machine even has a built-in honeypot and port scanner.
- Upgrade to a prosumer router like a Ubiquiti Dream Machine to get enterprise security features. Next you might want to look at a higher-end router. The Ubiquiti stuff has been getting better and better over the years, and as someone who started in firewall engineering, I’m starting to see tons of enterprise features in these things. Enterprise Auth, Geo-based Black/Whitelisting, MAC-based controls, IDS/IPS, Signal Optimization, Logging Capabilities, etc. Another option is an Astaro Security Gateway, by Sophos.
This should get you going.
Remember, doing the first few properly will massively improve your security. And for the best results, get as many people that you know and care about to do the first 2!
Here’s the full list as an infographic.
- Many security professionals stopped using antivirus many years ago, and more and more are doing so as native offerings from operating systems improve. The native protections are actually quite good, and combined with practicing Safe Hex, most professionals can get away with not running anything.
- I personally also run MalwareBytes, which I consider to be excellent, and I do recommend it to some when I think they need it. But the fact is that I’ve never had a hit on it in the several years that I’ve run it, and it’s also a paid product. So I often ask myself why I run it at all. Again, Safe Hex and an updated operating system are your best protections against mundane stuff. And for super-targeted and/or custom attacks, neither of those will help you anyway.
- A previous version of the advanced section included running Suricata from a tap on your network, which is still a lot of fun and offers great additional security. But it requires quite a bit of knowledge, setup, and time to do properly. More
- Another great option for the advanced section is the use of a PiHole. It’s more in the spaces of blocking ads and providing privacy, but it’s definitely worth a look. More