Week 1 of NCSAM starts at home, with the topic “Make Your Home a Haven for Online Safety”. The overarching theme of the month is “Our Shared Responsibility”. Like most people I care deeply for my family, not to mention I have two tiny humans that run around eating everything in sight (unless they “don’t want that”) and leaving a general disaster wherever they walk. I love them, and as father of the household their safety and well-being are my primary missions in life, so I thought I would share how I try to keep my household cyber-safe.
To put this simply, there is no way to stop a determined adversary. Let’s get that straightened out right now: anyone trying to infect your machines, “own your network”, or just extort some money from you is an adversary. My dad has always said, “doors, locks, and windows only keep honest people out”, and it couldn’t be more true in cyber security. All of these fancy SIEM, NIDS, and security procedures couldn’t even help the Pentagon. It took 13 minutes for someone to crack into the most hardened organization on the planet. What chance does your consumer-grade firewall from Costco stand against a “hacker”? It’s a hard pill to swallow, but understanding that you should constantly be thinking about your cyber hygiene (your personal practices and procedures for maintaining security) is critical to your privacy and defense. Your cyber hygiene is directly correlated to your knowledge on the topic, so the only good remediation is training. Effectively, you just don’t know what you don’t know, and there are several good cyber security awareness training programs that are just a Google search away.
One of the most underutilized controls is filtered DNS. Quad9 offers free DNS filtering to whoever will use them, and they have an easy-to-follow video that can make you safer in just a few minutes. The Domain Name System (DNS) is the internet’s “address book”, but it’s really like a series of address books that have catchall rules in them that say, “if I don’t have the address, ask this other address book I know”, and on and on. The US used to have control of this integral part of the world wide web until the last administration, in their infinite wisdom, gave it over to a global committee. Nevertheless, a trusted ally like Quad9 watching your DNS queries for known bad traffic adds one more layer that must be compromised to get to you.
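To confirm that filtered DNS actually took effect on a machine, the added example below (not part of the original post) audits resolv.conf-style text and flags any resolver that would let queries bypass the filter. The Quad9 addresses are the service's published filtering resolvers, which the post does not list; the function names and sample input are constructed for illustration.

```python
import ipaddress

# Quad9's published filtering resolvers (assumption: not listed in the post).
QUAD9_FILTERED = {ipaddress.ip_address(a) for a in
                  ("9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9")}

def classify(addr):
    """Label one resolver address as filtered, local-forwarder or unfiltered."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip in QUAD9_FILTERED:
        return "filtered"
    # A router or local stub forwards elsewhere; its upstream must be checked.
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "local-forwarder"
    return "unfiltered"

def audit_resolv_conf(text):
    """Return (address, label) for every nameserver line in the given text."""
    results = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                results.append((parts[1], classify(parts[1])))
            except ValueError:
                results.append((parts[1], "invalid"))
    return results

def verdict(results):
    """Summarise: one unfiltered fallback is enough to defeat the filtering."""
    kinds = {kind for _, kind in results}
    if not results:
        return "no resolvers found"
    if kinds == {"filtered"}:
        return "ok"
    if "unfiltered" in kinds or "invalid" in kinds:
        return "bypass possible"
    return "check router upstream"

# Constructed sample: 9.9.9.10 is Quad9's own *unfiltered* service, an easy typo.
SAMPLE = """# constructed example, not a real host's configuration
nameserver 9.9.9.9
nameserver 9.9.9.10
"""

if __name__ == "__main__":
    for address, label in audit_resolv_conf(SAMPLE):
        print(f"{address:20} {label}")
    print("verdict:", verdict(audit_resolv_conf(SAMPLE)))
```

On most home networks the machine points at the router, so a "check router upstream" verdict means the same check has to be made in the router's DNS settings.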
Wifi access points are the bane of a security expert’s existence. After the meat bag behind the device (you), that Wifi (yes, it’s pronounced “wifey” for a reason) access point between you and the digital ocean is a chink in the “defense in depth” process and is just a time bomb waiting for someone to come exploit it. Always change default passwords on any production hardware, and update, update, update. With the ever-growing IoT (internet of things: “smart” phone, “smart” watch, “smart” fridge, “smart” lights, “smart” thermostats, you get it), everything around you is hungry for bandwidth and is another potential way to compromise your assets and take data.
Network segmentation, though it may be more advanced than you’re willing to venture, is my final suggestion. If you can segregate users who need access to (fill in the blank) away from guest and unauthorized users, you are effectively putting guest internet traffic in its own playpen (unable to interact with the secure users, machines, and the ever-coveted data), so that legitimate and authorized users can enjoy secure, expedient internet access. Remember that there is no suit of cyber armor that will keep you totally safe; all you can do is change the odds, and hope the measures you have in place are enough to mitigate the vile creations spewing from the abyss of the dark web.