<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Mike </title>
    <description>The latest articles on Forem by Mike  (@thegablemethod).</description>
    <link>https://forem.com/thegablemethod</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F762217%2Fbca0e8bc-78ac-4b11-b3e6-bb36aa9568c4.jpg</url>
      <title>Forem: Mike </title>
      <link>https://forem.com/thegablemethod</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/thegablemethod"/>
    <language>en</language>
    <item>
      <title>Practical Security Checklist for the WFH Network</title>
      <dc:creator>Mike </dc:creator>
      <pubDate>Wed, 29 Dec 2021 00:14:37 +0000</pubDate>
      <link>https://forem.com/aws-builders/practical-security-checklist-for-the-wfh-network-4i3h</link>
      <guid>https://forem.com/aws-builders/practical-security-checklist-for-the-wfh-network-4i3h</guid>
      <description>&lt;p&gt;&lt;strong&gt;Home Router | Wi-Fi Security | Recommended Free* Tools &amp;amp; Solutions&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Update Default Password:&lt;/strong&gt; the details for your router’s management interface can be found on the bottom sticker or in the setup guide; log in and update the default password to a strong, complex one.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Router Management Interface:&lt;/strong&gt; inside your LAN, limit the IP addresses that can manage your router. If available, use DHCP to assign IP addresses, then configure only known, approved IPs to perform tasks on the router.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;*My bias is to limit access to only the device hosting your controller software if leveraging Ubiquiti or comparable solutions.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Security Focused DNS service provider:&lt;/strong&gt; Cloudflare released a privacy and performance focused DNS (1.1.1.1) to protect your internet traffic. Alternatives include Quad9 (9.9.9.9) launched by the Global Cyber Alliance to block known malicious domains.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Wi-Fi Protected Access/Services Exposure:&lt;/strong&gt; ensure you are using WPA2 or WPA3 and that no additional services are exposed to the internet. Shields Up can scan your router’s public IP for open ports and UPnP for assurance. &lt;a href="https://www.grc.com/shieldsup"&gt;https://www.grc.com/shieldsup&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Device Hygiene:&lt;/strong&gt; Applying software/firmware updates to all devices, including laptops, mobile devices, and routers, is the single most effective action you can take to prevent vulnerabilities from being exploited in the wild.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Network Segmentation:&lt;/strong&gt; several routers offer the option to set up VLANs (virtual local area networks) to logically isolate other endpoints, IoT devices, mobile phones, etc. from your work and other security/privacy sensitive machines.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;MAC Address Filtering:&lt;/strong&gt; modern routers offer the capability to restrict which devices can access a network based on their MAC address (unique identifier of their physical network card). This can create an administrative burden at scale, but it is worth considering for a WFH network or an isolated VLAN of your work devices.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Home Network Build:&lt;/strong&gt; With remote work a requirement, a secure and robust network is essential. For under two hundred dollars, this build will replace the need to rent inferior equipment from your ISP.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--m_tqQoxw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cm0y7utq2mvmelqk2xpz.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--m_tqQoxw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/cm0y7utq2mvmelqk2xpz.jpg" alt="Image description" width="465" height="334"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Note: it will take about an hour to set up the Ubiquiti EdgeRouterX and wireless access points that meet the requirements of your home office. To ensure you are maximizing the gigabit modem and router, run the following via the CLI when logged into the EdgeRouterX:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;configure
set system offload hwnat enable
set system offload ipsec enable
commit
save
exit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Device | User | Mobile&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Password Manager:&lt;/strong&gt; create and manage unique, complex passwords; the vault and all accounts should be further secured with a Time-based One-Time Password (TOTP) application or Security Key (FIDO2) to enforce Multi-factor Authentication. Recommended Password Managers include 1Password and Bitwarden.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Web Browser:&lt;/strong&gt; Protect yourself online from tracking, fingerprinting, and advertisements. I recommend Brave; do not expect privacy from popular browsers.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Test your browser’s privacy: &lt;a href="https://panopticlick.eff.org/"&gt;https://panopticlick.eff.org/&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Search Engine&lt;/strong&gt;: DuckDuckGo maintains strict location and permissions to protect your search history online.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Encrypted Messaging Applications:&lt;/strong&gt; to communicate outside of SMS, use a secure end-to-end encrypted messaging service like Signal to maintain confidentiality of all communications.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Mobile Carrier PIN&lt;/strong&gt;: set a PIN with your mobile carrier to mitigate the risk of SIM hijacking, where an attacker social engineers the carrier into transferring your phone number to an attacker-owned device to bypass MFA via SMS.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Tails OS:&lt;/strong&gt; for the highest level of security, a user can boot Tails OS, which is focused on preserving privacy and anonymity, from a USB drive. Full details of Tails and potential limitations specific to Tails, Tor, and the current threat model can be found in the &lt;a href="https://tails.boum.org/doc/about/warnings/index.en.html"&gt;documentation&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Recommended Tools&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.rumble.run/"&gt;Rumble Network Discovery&lt;/a&gt;: created by InfoSec legend HD Moore, Rumble provides a simple interface for network discovery to protect the assets on your network (Asset Inventory is an essential foundation for security). *Trial version reverts to the free version for home use. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/objective-see/LuLu"&gt;macOS Firewall&lt;/a&gt;: LuLu is an open-source firewall for macOS designed to block all unknown outbound connections (until allowed by the user). As almost all applications and malware connect back to a remote server, LuLu provides a level of control and a first level of user vigilance. &lt;/p&gt;

</description>
      <category>security</category>
      <category>networking</category>
      <category>privacy</category>
    </item>
    <item>
      <title>Quick, Easy, &amp; Free* Tools to up your Security Game</title>
      <dc:creator>Mike </dc:creator>
      <pubDate>Tue, 28 Dec 2021 18:45:40 +0000</pubDate>
      <link>https://forem.com/aws-builders/quick-easy-free-tools-to-up-your-security-game-1j5j</link>
      <guid>https://forem.com/aws-builders/quick-easy-free-tools-to-up-your-security-game-1j5j</guid>
      <description>&lt;p&gt;Minimal effort security enhancements to &lt;em&gt;Prevent-Detect-Respond&lt;/em&gt; to the wide range of cyber threats posing a risk to your business and personal privacy.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.yubico.com/"&gt;&lt;strong&gt;YubiKey&lt;/strong&gt;&lt;/a&gt;&lt;br&gt;
Social engineering and phishing attacks remain the most common vector of attack to capture credentials, in addition to the constant threat of identity-based attacks (e.g. credential stuffing). YubiKeys are the best available solution to provide strong &lt;em&gt;(something you have)&lt;/em&gt; authentication leveraging the industry standard FIDO2 (WebAuthn and U2F) protocols. YubiKey supports Second Factor, Multi-Factor, and Passwordless use cases; the example below is the second factor prompt from a YubiKey 5 Nano. *YubiKeys are roughly $20-$50 each depending on the model. &lt;br&gt;
&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AGMU1oGn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z7d0a3k7bmuakixrdpuz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AGMU1oGn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z7d0a3k7bmuakixrdpuz.png" alt="Image description" width="800" height="392"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://phish.ly/"&gt;&lt;strong&gt;phish.ly&lt;/strong&gt;&lt;/a&gt;&lt;br&gt;
phish.ly offers a free service to scan suspicious emails with &lt;a href="https://urlscan.io/"&gt;urlscan.io&lt;/a&gt; via the robust &lt;a href="https://tines.io/"&gt;Tines.io&lt;/a&gt; automation platform. This is not a &lt;em&gt;panacea&lt;/em&gt; solution, as it is currently limited to suspicious URLs, but offers a valid alternative for users looking for an additional level of assurance for their personal Google Workspaces or ProtonMail accounts that do not have email security gateways due to budget or license constraints.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.canarytokens.org/generate"&gt;&lt;strong&gt;Canary Tokens&lt;/strong&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;High Fidelity&lt;/em&gt; Intrusion Detection is one of the hardest tasks to seamlessly accomplish in the continuous battle to &lt;em&gt;Identify&lt;/em&gt; and &lt;em&gt;Contain&lt;/em&gt; active security incidents. Canary Tokens let you generate a number of detection sources that trigger in the event a bad actor has compromised a system. These can include “canary” Word and Excel documents on a client filesystem, AWS access/secret keys, SQL Server, kubeconfig tokens, and DNS tokens*.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html"&gt;Thinkst Blog&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thinkst provides free Log4Shell tokens that offer a level of assurance when testing for applications vulnerable to the recent Log4j vulnerability (CVE-2021-44228). **This guidance is scoped only to initial testing of applications that are potentially vulnerable to the &lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228"&gt;Log4j vulnerability&lt;/a&gt;. Additional mitigation and remediation guidance can be referenced from &lt;a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance"&gt;CISA&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--6m_-HuO---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zghbqh2a6yrf5k05j1s0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--6m_-HuO---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zghbqh2a6yrf5k05j1s0.png" alt="Image description" width="800" height="437"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>log4j</category>
      <category>thinkstcanary</category>
      <category>yubikey</category>
    </item>
  </channel>
</rss>
