The National Security Agency (NSA) just released a very helpful information sheet on how to secure your home network (along with some great general cybersecurity tips). In the not-so-distant past, the internet was something we connected to briefly to check email and do a little web surfing, and then disconnected so we could free up the phone line. But today, our devices are connected to the internet 24/7. Just as commercial air travel greatly increased the risk of spreading viruses between people, broadband internet has increased the spreading of malware and the opportunities for cyber attacks. So let’s review some key tips for protecting your network and smart devices.
I’m going to repeat most of the tips from the NSA guide here, but with my personal wording. If you happen to have a copy of my book, I’ve cross-referenced each of the NSA’s tips to the corresponding Tips in my book – in parentheses, like “(Tip 3-1)”. Of course, the book will also have instructions and pictures to help you, with a lot more context on why these steps are important. But this is a great checklist of cybersecurity best practices.
Recommendations for Device Security
- Upgrade to a modern operating system and keep it up-to-date. Apple (macOS, iOS), Microsoft (Windows) and Google (Android) add powerful new security features all the time. You should use the latest version your device will support and set it to update automatically (Tips 4-6, 12-3). And if your device is so old that it can no longer run the latest OS, you should consider getting a newer computer, tablet or smartphone (Tip 6-1). When possible, update your IoT devices, too.
- Secure routing devices and keep them up-to-date. If you’re using a Wi-Fi router provided by your ISP, you should really buy your own so you can have full control over its security and privacy (Tips 7-1, 7-2). Like your computer, it’s critically important to keep your router’s firmware up to date (Tip 7-4).
- Implement WPA3 or WPA2 on the wireless network. You should be sure to use the latest wireless encryption standards to keep your Wi-Fi communications private and secure (Tip 7-5). Use WPA3 where possible, but WPA2 isn’t bad. Older standards like WPA and WEP are no longer secure. Change your network name (SSID) to something unique that doesn’t identify you or your home (Tip 7-14).
- Implement wireless network segmentation. Most modern Wi-Fi routers have the option to enable a separate guest network. Not only should you use this for your house guests and their questionable devices, but also for your questionable IoT devices (Tip 7-8).
- Employ firewall capabilities. Almost all routers have a built-in firewall function that is enabled by default – but you should verify that it has been enabled. Routers also perform a function called Network Address Translation (NAT) that hides the devices on your home network from the broader internet. (I don’t have a dedicated book Tip for this since it’s almost always on by default.)
- Leverage security software. This suggestion covers many things, including anti-virus software for your computer (Tip 6-4), enabling the firewall on your computer (this would be in addition to the firewall that’s already running on your router), and turning on full disk encryption on your computer (Tip 6-8). Note that most smartphones already have disk encryption enabled by default.
- Protect passwords. You need to be using long, strong and unique passwords for each online account (Tip 5-14). Human minds are not up to this task – so you should use a good password manager like Bitwarden (Tip 5-2).
- Limit use of the administrator account. All modern computers support creating multiple user accounts. You should have at least two: an administrator account and a regular account with reduced permissions. Remember: whatever you (or rather your account) has permission to do, malware running on your account can also do. So, limiting your powers limits what malware can do, too. Create an admin account (Tip 6-3) and then downgrade your daily-use account to be a non-administrative account.
- Safeguard against eavesdropping. Many “smart” devices have built-in microphones and cameras. If you don’t need the smart features of a device, then simply disconnect it from the network or disable the Wi-Fi access (Tip 7-22). You can also just connect it when necessary. If the device has a camera, cover it with a sticky note or other opaque cover when not in use – or simply unplug it (Tip 6-18).
- Exercise secure user habits. You need to back up your important data whenever possible (Tips 4-2, 4-3). Avoid using public USB charging ports – the data connections can be used to hack your device (Tip 6-15). Instead, bring your own portable battery or wall charger. You can also buy charge-only cables that block data transfer (Tip 12-27).
- Limit administration to the internal network only. For some dumb reason, a few routers allow settings to be changed from outside your home network (i.e., from the Internet). Some even have this turned on by default. Make sure you disable remote access (Tip 7-9), including uPnP (Tip 7-11).
- Schedule frequent device reboots. Many types of malware infections can be cured just by restarting your devices. Periodically reboot your computers, phones, Wi-Fi router and IoT devices (Tip 7-16).
- Ensure confidentiality during telework. Working from home can increase your exposure to attacks, against your home devices as well as your work devices – and through them to your work network. (LastPass found this out the hard way.) A virtual private network (VPN) is not a silver bullet, but it can help (Tip 7-19). You should also make sure there are no holes in your firewall (Tip 7-12).
Recommendations for Online Behavior
- Follow email best practices. Don’t open attachments or click links from unknown or untrusted sources (Tips 3-1, 3-3). Use a secure email service (Tips 9-4).
- Upgrade to a modern browser and keep it up-to-date. You shouldn’t be using Internet Explorer – it’s no longer supported. Chrome and Edge are pretty secure, but not private. I prefer Firefox, personally – but if you’re a Mac person, Safari is good, too (Tip 8-1). Consider installing some security and privacy plugins (Tips 8-4, 8-5) and remove any plugins you don’t absolutely need (Tip 8-6).
- Take precautions on social networking sites. Don’t overshare information that could be used against you – either for identity theft or stalking (Tips 10-17, 10-18, 10-19). Restrict access to “friends only” wherever possible (Tip 10-14). Also, don’t broadcast travel plans that would tell burglars when you’ll be away (Tip 10-12).
- Authentication safeguards. Make sure to change the default admin password on your home router and any IoT devices with online administration functions (Tip 7-3). Avoid “single-sign on” features like “Sign in with Google” and “Sign in with Facebook” – create a dedicated account with a unique password (Tip 10-16). When sites ask you to create some “security questions” to help you recover your account in case you forget your password, consider giving false answers – just be sure you can remember your lies (Tip 10-23). Set up and use two-factor authentication wherever possible (Tip 5-5).
- Exercise caution when accessing public hotspots. Avoid using public networks – they can be insecure, exposing you to attack or revealing personal data. Instead, use your cellular data via the hotspot feature on your smartphone (Tip 7-20). This requires having a data plan that supports this, so check your service first. If you must use a public network (coffee shop, hotel, airport, in-flight Wi-Fi, etc), use a VPN (Tip 7-19).
There were a couple more tips in the NSA’s guide that were more geared towards people working from home. They cautioned you to segregate your work and personal devices, as well as work and personal data. If you’re working from home a lot, check out the last two sections of the guide. The guide also has some good links for further info. I’ve copied a few here:
- Mobile Device Best Practices
- NSA’s Top Ten Cybersecurity Mitigation Strategies
- Phishing resistant MFA
- Keeping Safe on Social Media
- Securing Wireless Devices in Public
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!