Fortifying home office security to protect against modern-day attacks

The “original” home office network consisted of one, maybe two, PCs or laptops connecting to the internet. Now, there’s a wireless network connecting any number of devices, including PCs, laptops, smart phones, tablets, TVs, smart home assistants, gaming consoles, IoT-enabled appliances – the list goes on and on – to the internet. This is before even considering the increasing numbers of these home offices serving remote workers. While security risks always existed, home office networks today are far more complex than ever before and more vulnerable to prevalent and sophisticated attacks than it may appear. 

It’s estimated that in 2016, nearly half of Americans spent at least some time working remotely, and nearly a quarter of workers performed some or all of their work at home. These remote offices are attractive to cyber-attackers because they sit at the network edge. In fact, unsecured remote access was found to be the number one cause of business data breaches, according to one 2016 study. Weaknesses in remote and home offices often include improperly configured security devices and programs and a lack of proper network security solutions that include firewall, VPN, IPS, web and email protection.    

Remote and home office networks can be susceptible to the same attacks as business networks: malware, ransomware and even distributed denial of service (DDoS). Malware attacks typically come in the form of a computer virus or worm, delivered via an email or document that’s been shared. Modern malware can spread and hide out among files on a host computer, and often capitalizes on specific security holes in an operating system or application, or on improperly configured systems. Ransomware is also spread as a virus or worm, but it hijacks a computer and demands payment before releasing it.

Earlier this year, a massive malware attack called WannaCry hit more than 200,000 computers in 150 countries, and loss estimates from the attack ranged from hundreds of millions to several billion dollars. A short time later, Petya hit. An attack characterized as wiper malware, Petya’s aim was to destroy systems and data, and it seriously disrupted systems at large firms in Europe and the United States. 

DDoS attacks may not be directly targeting a home office network, but cybercriminals can surreptitiously use compromised routers in DDoS attacks or as part of a rented botnet that other nefarious actors pay to use. The remote users unwittingly involved typically don’t realize the attack because there’s only minimal impact on bandwidth resources. But the effects of a DDoS can be widespread. In late 2016, it was a high-profile cybersecurity attack that used internet-enabled cameras as launching pads for a DDoS that ultimately took down a number of websites, including Twitter, Netflix, Pinterest.    

Home office routers are often the entry point for cybersecurity attacks. Their passwords are often weak; many still use the factory settings, the “admin” user ID, and hackable, weak passwords. One study, conducted in 2016 by researchers at ESET found that, among more than 12,000 home routers tested, many were insecure. There were, or course, weak passwords, but also bad access rights vulnerabilities, command injection vulnerabilities, and cross-site scripting (XSS) vulnerabilities, which allow hackers to change router setups and run bogus scripts. The vendor also ran port scanning and found that network services were also accessible from internal and external networks.   

So, how to prevent becoming a victim of a cybersecurity attack? What are the key elements and best practices of a secure remote or home office network? 

The first order of business: use antivirus software and a firewall, and keep both updated. Antivirus software is readily available and easy to install; subscription-based solutions can be found online and downloaded. The best programs run in the background automatically, update themselves to protect against the latest threats, including harmful downloads and threats embedded in USB drivers, and protect all the versions of every device on the network.    

Firewalls add another level of protection. For years, most were too difficult or expensive for the home user. Now, there are stand-alone firewalls that are easy to use and cost-effective, can supplement any firewall mechanism that may be embedded in your PCs and laptops, and can include antivirus software.   

Many remote and home office users also currently lack visibility into and control over what’s happening on their network, which is another critical element to effectively protecting what still are often relatively complex networks. Robust reporting is available with some next-generation firewall solutions (which can inspect traffic, not just restrict access by ports) to allow transparency to every facet of what’s happening online: sites your kids are visiting, neighbors jumping on your wireless network, and your newest IP-enabled gadget phoning home. These solutions also can create rules for managing access to websites, applications, and content based on criteria like device, user, time of day, day of week and more, while also providing insights into the effect of those rules through detailed reports.    

I’d be remiss if, in considering home office network security, we didn’t talk about data privacy. This has always been a concern, but is even more so since March when Congress voted to eliminate the broadband privacy rules that required internet service providers (ISPs) to get explicit consent from consumers before selling or sharing web browsing data and other private information to third parties. Now, ISPs can continue to legally gather personal browsing information and sell it indefinitely. 

There are, however, still things individuals can do to protect their personally identifiable information and browsing history: 

  • Use HTTPS - HTTPS (HTTP over SSL), which can obscure the specific pages someone visits.  
  • Be wary of plugins which may be collecting your browser history and selling the data to third parties. Always review both the end user license agreement (EULA) and permissions that the plugin requires.  
  • Utilize a VPN, or virtual private network, which creates a secure, encrypted tunnel between a device or even an office location and a private server located elsewhere. This blocks anyone from viewing or modifying your internet traffic. While this doesn’t provide total anonymity, ISPs can still see the connection to the VPN service—the browsing data won’t be available to third parties. 

Dirk Morris, Founder & Chief Product Officer at Untangle 

Image Credit: Gpointstudio / Shutterstock