Most households are now connected to the internet, with devices such as laptops, tablets, smartphones, gaming devices and TVs accessing wireless networks. The first step in keeping your home safe from cyber threats is to keep internet-enabled devices running the latest (updated, “patched”) operating system, web browsers, security and other software.
Although wireless technology has made it easier for multiple devices to connect to the internet, your network could be used to commit cyber crime if you don’t secure your network and network devices.
Most routers (the gateway to the internet) are preconfigured at the factory and are ready to connect to the internet; however, the default settings may put you at risk.
Although home users cannot fix complex security issues with routers, there are many simple actions that can be taken to protect them from attacks. The following are some simple but essential security tips for home users:
Change important default settings
- Change the default administrator username and password:
Manufacturers set a default username and password for troubleshooting purposes, and these are publicly available and known. The credentials have to be changed immediately after the first login; otherwise anyone on the internet can access your device.
- Change SSID name and disable broadcasting:
The SSID (service set identifier) is the name of your wireless network. Some manufacturers set a default SSID at the factory, which typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit any of its known vulnerabilities. Using default or well-known SSIDs would also make it easier for attackers to brute-force the WPA2 authentication protocol.
It is advised not to set an SSID that reveals information about you or your organisation (name, location); make it unique and random (not tied to your personal or business identity), for example: “9QW!”.
Disabling SSID broadcast (or lowering the broadcast range) makes it more difficult for an attacker to find your network, but if broadcasting is disabled you will need to type in the SSID whenever you connect a new device to the network.
- Enable auto updates:
Some network devices have an auto-update function. Enable it. It will allow the system to patch itself and not be exposed to known vulnerabilities. If auto update is not possible, check the vendor’s page and patch your system frequently.
Secure Router’s Administrative Interface:
Routers usually provide a website for users to configure and manage the router.
- Do not leave it in a logged-in state. Logging out minimizes the risk of an attacker transmitting unauthorized commands to the router’s management website.
- Never enable “remember password”.
- Use the browser in incognito or private mode when working with the router to ensure that no session cookies are left behind.
- [Advanced] Best practice is to make it accessible only from the internal network and not from the internet; if possible, limit access to a single static IP within the internal network. You could further secure it by enabling the administrative interface only from a wired connection and disabling it for wireless connections.
- Turn on HTTPS access to the router interface.
Encrypt your Wi-Fi network:
Choose the WPA2 (Wi-Fi Protected Access) encryption protocol if available, or WPA. It is recommended not to use the WEP (Wired Equivalent Privacy) option.
Setting the wireless security mode to WPA2 with AES encryption and a strong password protects the confidentiality of your data, since it encrypts communication between the router and devices.
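The SSID advice and the strong-password advice above meet in how WPA2-Personal derives its master key: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID. The following is an added example, not part of the original article; the sample SSIDs and passphrase are constructed, and `same_key_as_default` is a hypothetical helper showing why a factory-default name lets a precomputed key table apply to your network while a unique name does not.

```python
import hashlib
import secrets
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal master key.

    WPA2-PSK uses PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def random_ssid(length: int = 8) -> str:
    """Random network name that reveals nothing about the owner or device."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(length: int = 24) -> str:
    """Random passphrase drawn from letters and digits (about 143 bits at 24 chars)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def same_key_as_default(passphrase: str, ssid: str, default_ssids) -> bool:
    """True if keys precomputed for a factory-default name also fit this network."""
    pmk = wpa2_pmk(passphrase, ssid)
    return any(pmk == wpa2_pmk(passphrase, name) for name in default_ssids)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device.
    defaults = ["default", "HomeRouter"]
    weak = "password123"
    print("default SSID covered by table:", same_key_as_default(weak, "HomeRouter", defaults))
    print("unique SSID covered by table: ", same_key_as_default(weak, "9QW!", defaults))
    print("suggested SSID:", random_ssid())
    print("suggested passphrase:", random_passphrase())
```

A unique SSID only removes the precomputation shortcut; a guessable passphrase can still be tested directly, which is why the article pairs it with a strong password.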
Disable Wifi protected setup (WPS)
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure wireless networks using a PIN printed on a sticker. A design flaw that exists in the WPS specification for the PIN authentication makes it very easy for attackers to break into networks. Disable this feature. You can connect to the router using a wired connection and access its web-based management interface.
Limit WLAN signal emissions:
Place the device at a central location and limit the broadcast coverage area to prevent eavesdropping by intruders. Local area networks (LANs, networks that are based on cable installation) are inherently more secure than WLANs because they are protected by the physical structure in which they reside. A directional antenna could be used to restrict WLAN coverage to only the required areas. To better control WLAN coverage you could experiment with signal strength and transmission level.
Turn the network off when not in use:
Shutting down the network when not in use will definitely prevent outside attackers from being able to exploit your WLAN. You could make a practice of turning the Wi-Fi off when you go to bed or leave for the office.
The router firmware must have current updates and patches. It is recommended to check the manufacturer’s website from time to time for security patches that address vulnerabilities, and to apply them before an attacker finds a way in. Some routers might also have an auto-update function.
Make Sure your DMZ is Turned Off
The router’s DMZ (demilitarized zone) feature is usually turned off by default, but if you enable it for some troubleshooting purpose, don’t forget to disable it once you are done. Since an IP address or address range in the DMZ is open to the Internet, any system placed there is completely exposed and at risk.