Rethink how you think about data security in the home
The world has seen, and will continue to witness, growth of networked and network services in homes. The widespread and rising adoption of information and communication technology in homes is happening at a time when data security breaches are commonplace. In 2020, Comcast detected an average of about 104 cybersecurity threats targeting each Internet-connected home per month. The number and sophistication of threats targeting even the most lightly connected homes have grown exponentially, that ordinary people can barely keep track of. And yet, security decisions made in the home are prejudiced and biased.
A study conducted by researchers at the University of Oxford revealed a tendency for people to concentrate on practices that have (allegedly) survived security breaches, and to overlook those that have not. This was a reason most people gave for not implementing recommended security measures and for being less proactive in adopting secure practices. They believed that as long as nothing bad had happened yet, they were safe even if they had not taken steps to secure their home networks and devices: one person remarked, “I have not had any harm in my home network, so I think everything is fine, bullet-proof”.
The perceived absence of harm is seen as evidence of good security decisions. However, harm arises when an attack is attempted and then successful. Harm can be (in)direct, (im)material, and (in)visible. A perceived lack of harm is not sufficient evidence to validate a good security decision for the following reasons.
First is the case where harm occurred but was not perceived by the home user --- it is invisible: for instance, a user might download malware that steals information in the background without their knowledge. Another instance where the perception of harm can fail is in the situation where a successful attack harms a third party outside the notice of the home user --- it is indirect: publicized examples of this include the 2016 DDoS attack on DyN DNS servers through compromised IoT devices and the 2014 Lizard Squad attack on XBox live and the PlayStation Network through compromised home routers.
Second is the case where harm genuinely did not happen. However, this is not always evidence of a good security decision either. In the case where no attack was attempted, a lack of harm is no evidence of effectiveness: vulnerabilities might still be exploitable or countermeasures ineffective. Another situation is where an attack was attempted but was stopped by a third party before material harm occurred. For instance, a home users’ credit card details might have been stolen while shopping on an illegitimate website, but the bank stopped the attacker from using the details.
Only in the third case, where attempted attacks are genuinely mitigated down to no harm, does the perceived absence of harm actually demonstrate evidence of a good security decision.
The researchers believe that this is strong evidence that survival/outcome bias is a key element in poor security decisions, and that the wider challenge of evaluating a good security decision is a difficult problem for home computer users (and arguably the wider security community).
Don’t Wait Until It’s Too Late
Everyone needs to adopt the right tools and practices to ensure their network, data, devices, and software are always secure. Proactively securing your home network not only protects you from bad actors, but also protects all those connected to the network and to you (for instance, via email, social media, instant messaging, remote work, etc.) before an attack becomes imminent.
Are you wondering what you can do to protect your home network? Here are a few tips from the FTC and CISA to get you started:
[A] Start with your ROUTER
Change your router’s preset passwords.
Some routers come with preset passwords out of the box. But hackers can easily find these passwords, so it’s important to change them to something more complex. There are two passwords on your router that you’ll need to reset.
The Wi-Fi network password: this is the one you use to connect your devices to the network. A unique and secure Wi-Fi network password prevents strangers from getting onto your network.
The router admin password: this is the one that lets you into the administrative side of the device. There, you can do things like change settings (including the Wi-Fi network password). If a hacker managed to log into the admin side of your router, the hacker could change the settings that would undo any other security steps you may be taking.
To find instructions for changing your router’s admin and network passwords, first, find the name of your router’s manufacturer. Then go online and search for “how to change [your router manufacturer] admin password” and “how to change [your router manufacturer] Wi-Fi network password.” Still having trouble? Contact the manufacturer directly.
Disable remote management / administration of your router.
Some routers have features that can be convenient but weaken your network security. For example, remote management lets you login to your router’s admin interface and change settings from anywhere over the internet. Chances are very slim that you will ever need to do this. When you turn off this feature, you will be able to access these settings when your device is connected to the home network.
Keep your router up to date.
Check for updates to the router’s firmware. You may need to do this through the router’s admin account or on the manufacturer’s website. Also, if your router is accessible through an app on your phone, use the most up-to-date version of the app. To make sure you hear about the latest version, register your router with the manufacturer, and sign up to get updates. If you got your router from your Internet Service Provider (ISP), like Verizon or Comcast, check with your ISP to see whether it sends out automatic updates.
Turn on Wi-Fi network encryption.
Most routers support WPA (Wi-Fi Protected Access). You can turn on this feature in your router’s Wi-Fi settings, when you login in as the administrator. Always use the latest version of WPA (for instance, use WPA3 instead of WPA2), if your router supports it. Also, consider investing in a router that supports the latest version of WPA.
Set up a guest network.
Many routers let you set up a guest network with a different name and password. It’s a good security move for two reasons:
Having a separate login means fewer people have your primary Wi-Fi network password, and
In case a guest (unknowingly) has malware on their phone or tablet, it won’t get onto your primary network and your devices.
[B] Protect Each Device
Know your devices: make a list of the devices you own and devices that connect to your router. Here are steps to take to protect each device:
Keep your devices up to date: Updates usually include security fixes that make it much harder for hackers to break into your devices. Investigate and enable automatic updates --- some devices support automatic updates of firmware and software; find out how you can enable this feature. Other devices need manual updates --- check and update regularly; create period reminders for yourself on your calendar.
Remove unnecessary services and software: Remove or disable all unnecessary services to reduce the attack surface of your network and devices. Unused or unwanted services and software can create security holes on a device’s system, which could lead to an increased attack surface of your network environment.
Run up-to-date antivirus software: A reputable antivirus software application is an important protective measure against known malicious threats. It can automatically detect, quarantine, and remove various types of malware, such as viruses, worms, and ransomware.
Regularly back up your data: Make and store --- using either external media or a cloud-based service --- regular backup copies of all valuable information residing on your device. Consider using a third-party backup application, which can simplify and automate the process.
Below are additional resources to help you remain secure in the home:
CISA – Home network security
REFERENCES
Nthala, N. and Flechais, I., 2018. Informal support networks: an investigation into home data security practices. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018) (pp. 63-82). Url: https://www.usenix.org/conference/soups2018/presentation/nthala
https://www.bbc.com/news/technology-37738823
https://infosecwriters.com/Papers/JRollins_Lizard_Squad.pdf
https://www.consumer.ftc.gov/articles/how-secure-your-home-wi-fi-network
https://www.consumer.ftc.gov/articles/securing-your-internet-connected-devices-home
https://www.cisa.gov/uscert/ncas/tips/ST15-002
https://www.getsafeonline.org/personal/article-category/protecting-your-computer/
Comments
Post a Comment