I am looking through my home office window at my neighbor mowing his lawn. My supportive wife is giving me space because she knows I am not really “home”. I sip my home brewed coffee and lock eyes with my overly rambunctious cat. I am hoping that my gaze says, “Don’t claw your way onto my lap”. I chose to wear shorts, which is a terrible idea in a house with many cats. I start up my computer and sign in. Downstairs my cable modem and wireless router quietly connect me to Spectrum, my Internet company. I know they are down there somewhere. I don’t check in on them unless the Internet goes out.
They quietly connect our Samsung TV, a couple Apple TVs, two Nintendo Switches, three iPhones, an iPad, a Raspberry Pi I tinker with, a home storage NAS running many services, and a couple laptops/desktops. This is the digital neighborhood of my house. Everything is connected to my wireless router where they talk to each other and share information. And of course, everything communicates with the World Wide Web. Plenty of targets and opportunities for attackers to work with.
I have been working in cybersecurity for a couple years now. I often test the University network and services to understand their weaknesses. I review other people’s assessments. I help make recommendations and plans for being more secure on a university network. My cat is looking to make the leap towards my unprotected legs. Once again, I lock my gaze with his mischievous green eyes. I am hoping my eyebrows are communicating “Don’t do it!”
As a cybersecurity professional, I work towards protecting confidentiality, the proper functioning of systems, and the availability of those systems. But that is on campus. On campus is where we invest in all the protection. It’s where we consider risks to the organization and manage them. But my house is a different story. I am the boss of my house (my wife isn’t going to read this). I built my home network, and I chose all the settings for it. My job has nothing to do with that. I also chose all the devices on my network and how they are protected. What if I have a security incident on my home network? It may affect me personally, but now I must also worry about how my work is affected. Home is sometimes where I work.
This has led me to think more about my house and how it compares to the University campus. How can I make my house more secure to protect my workplace resources without spending a ton of money and time? Heck, how can I better protect my personal stuff also at the same time? If company networks at Uber, Cisco, and others are being successfully attacked, my home network certainly doesn’t stand a chance.
That is why the National Security Agency (NSA) recommendations related to working from home really got my attention back in February of this year (2023): CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF (defense.gov).
The recommendations are especially interesting since the NSA has been criticized in the past for perpetuating cybersecurity weaknesses and not helping to deal with them (NSA Spying Hurts Cybersecurity for All of Us Say Privacy Advocates | Time). But it’s been clear this year that the NSA wants to get the word out about being more secure at work and at home with a series of related articles.
Many of the recommendations resemble concerns we have on the University network. We want to have separate wireless networks for regular use, guest access, and Internet of Things (IoT) devices (like smart lights). The ability to have separate networks is increasingly found in consumer routers. Also, the ability to use WPA2 and WPA3 for secure connections is important. Home wireless networks should also not be named “Linksys Model Number”. Such names help attackers to identify exactly what equipment is being used.
Home routers should also have a basic firewall option enabled. That will help prevent unwanted people from getting into the home network. Routers and cable modems should be rebooted weekly to ensure there is no malicious code running in their temporary memory. When they reboot any temporary bad stuff will be removed and the equipment will start fresh. I guess that means I will have to visit my basement more often.
Also, the report highlights the importance of updating devices. At my house, that’s a lot of devices. I need to make sure that about 15 devices on my network get their updates. Once a device is out of support and not getting any more updates, it should be taken off the network and replaced. That is why I got my new iPhone and Apple TVs. They were no longer supported because they were too old, so I replaced them. I was tempted, however, to save money by keeping them around. But I work from home, pay my bills online, and more, so I didn’t like the risks involved with keeping old stuff around.
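The checks from the last three paragraphs (network names, WPA2/WPA3, separate networks, firewall, weekly reboot, supported devices) can be written down as a small audit over a home inventory. This is an added example, not part of the original post or the NSA document; the SSIDs, devices, dates and the vendor-name pattern are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample inventory (hypothetical names, not from the post).
NETWORKS = {
    "Linksys E1200": {"security": "WPA2", "role": "main"},
    "cat-tower-guest": {"security": "OPEN", "role": "guest"},
    "cat-tower-iot": {"security": "WPA3", "role": "iot"},
}
DEVICES = [
    {"name": "work-laptop", "kind": "computer", "ssid": "Linksys E1200",
     "supported_until": date(2027, 1, 1)},
    {"name": "smart-bulb", "kind": "iot", "ssid": "Linksys E1200",
     "supported_until": date(2026, 6, 1)},
    {"name": "old-streamer", "kind": "media", "ssid": "cat-tower-iot",
     "supported_until": date(2022, 9, 1)},
]
ROUTER = {"firewall_enabled": False, "uptime_days": 41}

# Assumed pattern for SSIDs that give away the equipment; extend for your own gear.
DEFAULT_SSID = re.compile(r"^(linksys|netgear|tp-link|dlink|asus)", re.I)

def audit(networks, devices, router, today):
    """Return a list of findings, one string per recommendation not met."""
    findings = []
    for ssid, net in networks.items():
        if DEFAULT_SSID.search(ssid):
            findings.append(f"ssid-reveals-equipment:{ssid}")
        if net["security"] not in ("WPA2", "WPA3"):
            findings.append(f"weak-wifi-security:{ssid}")
    # Regular use, guest access and IoT should each have their own network.
    roles = {net["role"] for net in networks.values()}
    for missing in sorted({"main", "guest", "iot"} - roles):
        findings.append(f"missing-network:{missing}")
    for dev in devices:
        if dev["kind"] == "iot" and networks[dev["ssid"]]["role"] != "iot":
            findings.append(f"iot-not-segmented:{dev['name']}")
        if dev["supported_until"] < today:
            findings.append(f"out-of-support:{dev['name']}")
    if not router["firewall_enabled"]:
        findings.append("firewall-disabled")
    if router["uptime_days"] > 7:  # weekly reboot recommendation
        findings.append("reboot-overdue")
    return findings

if __name__ == "__main__":
    for finding in audit(NETWORKS, DEVICES, ROUTER, date(2023, 10, 1)):
        print(finding)
```
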
There are a lot of items mentioned in the NSA recommendations. I might not be able to do all of them right now, but it’s nice to know that a growing body of knowledge is coming together around safe work from home practices. IT equipment manufacturers might also find more interest from consumers related to security features in their products as people across the country participate in work from home, or hybrid work arrangements. I certainly hope so because cybersecurity at work is a full-time job which needs to be made easier for the reality of home networks and the people who use them.