Practical Security Checklist for the WFH Network

thegablemethod

Mike

Posted on December 29, 2021


Home Router | Wi-Fi Security | Recommended Free* Tools & Solutions

  • Update Default Password: the default credentials for your router’s management interface are printed on the sticker on the bottom of the device or listed in the setup guide, which means anyone who can see the router knows them. Sign in once and replace them with a strong, unique password kept in your password manager.

  • Router Management Interface: from inside your LAN, limit which IP addresses can reach the management interface at all. If the router supports it, give your administrative machine a fixed address with a DHCP reservation (static lease), then allow only that approved address to reach the web UI and SSH. Confirm that remote (WAN-side) management is disabled as well.

*My bias is to limit access to only the device hosting your controller software if leveraging Ubiquiti or comparable solutions.

  • Security Focused DNS Service Provider: Cloudflare’s 1.1.1.1 (secondary 1.0.0.1) is a privacy and performance focused resolver; it keeps your DNS lookups away from your ISP’s logs, but it does not protect your traffic in general. Quad9 (9.9.9.9, secondary 149.112.112.112), launched by the Global Cyber Alliance with IBM and Packet Clearing House, additionally refuses to resolve domains on its threat-intelligence blocklists, so malware and phishing callbacks fail at the lookup. Configure the resolver on the router so every device on the LAN inherits it, and where the router or operating system supports DNS over TLS or DNS over HTTPS, enable it: plain DNS on UDP/53 can be read and altered by anyone on the path.

  • Wi-Fi Protected Access / Services Exposure: use WPA2 (AES/CCMP) or WPA3 with a long passphrase. WEP and WPA/TKIP are broken, and a WPA2 passphrase can be cracked offline once an attacker captures a single handshake, so length matters more than cleverness; disable WPS as well. Ensure no additional services (remote administration, UPnP port mappings, media or file servers) are exposed to the internet. GRC’s Shields Up scans your router’s public IP for open ports and for UPnP exposure: https://www.grc.com/shieldsup

  • Device Hygiene: applying software and firmware updates to every device, including laptops, mobile devices, and the router and access points themselves, is the single most effective action you can take to prevent known vulnerabilities from being exploited. Turn on automatic updates wherever the option exists and check the router by hand; many consumer routers will not update themselves.

  • Network Segmentation: many routers offer VLANs (virtual local area networks) to logically isolate IoT devices, mobile phones, guests, etc. from your work and other security/privacy sensitive machines. A VLAN by itself only separates broadcast domains; the isolation comes from the firewall rules between VLANs, so block traffic initiated from the IoT VLAN into the trusted VLAN and allow only the replies to connections the trusted side started.

  • MAC Address Filtering: modern routers can restrict which devices join a network based on their MAC address (the identifier of their network interface). Treat this as hygiene and inventory rather than a security boundary: MAC addresses are transmitted in the clear and are trivial to spoof, so an attacker who observes an allowed device can impersonate it. The administrative burden grows with scale, but it is worth considering for a small WFH network or the isolated VLAN that holds your work devices.

  • Home Network Build: with remote work now a requirement, a secure and robust network is essential. For under two hundred dollars, this build removes the need to rent inferior equipment from your ISP.


Note: expect about an hour to set up the Ubiquiti EdgeRouter X and the wireless access points that meet the requirements of your home office. The ER-X only routes at gigabit speed with hardware offload enabled, so to make full use of a gigabit modem, enable it from the EdgeRouter CLI, then commit and save so the change applies now and survives a reboot:

configure
set system offload hwnat enable
set system offload ipsec enable
commit
save
exit

Hardware offload moves forwarded and NATed traffic off the CPU, which is what makes gigabit possible on this hardware; the trade-off is that CPU-based features such as Smart Queue QoS disable offloading, and throughput then drops to what the CPU can forward. The ipsec offload only matters if you terminate IPsec VPN tunnels on the router itself.
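Putting the router items of the checklist into practice on the EdgeRouter X from this build: the following EdgeOS configuration gives the administrative laptop a DHCP reservation, limits SSH and HTTPS management of the router to that one address, forwards DNS for the whole LAN to Quad9, and puts IoT devices on a VLAN whose firewall rules keep them out of the trusted LAN and away from the router’s management ports. This is an added example written for this checklist, not configuration from the original post or from Ubiquiti. It assumes the layout the Basic Setup wizard produces (eth0 as WAN with a DHCP-assigned address, switch0 as 192.168.1.1/24 with a DHCP pool named LAN, and the wizard’s WAN_LOCAL firewall already applied to eth0). The MAC address 00:11:22:33:44:55, the 192.168.1.10 reservation, VLAN ID 20, the 192.168.20.0/24 range and the trunk port eth3 are hypothetical values to replace with your own. Lines starting with # are comments for the reader; the EdgeOS configure shell ignores them if pasted.

```text
configure

# 1. Fixed address for the administrative laptop (hypothetical MAC), so the
#    management rule below can pin access to a single IP.
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping admin-laptop ip-address 192.168.1.10
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping admin-laptop mac-address 00:11:22:33:44:55

# 2. Only ADMIN_HOSTS may reach the router's own SSH (22) and web UI (443) from the LAN.
#    default-action accept keeps DHCP, DNS and ICMP to the router working for every host.
set firewall group address-group ADMIN_HOSTS description 'Hosts allowed to manage the router'
set firewall group address-group ADMIN_HOSTS address 192.168.1.10
set firewall name LAN_LOCAL default-action accept
set firewall name LAN_LOCAL rule 10 action accept
set firewall name LAN_LOCAL rule 10 protocol tcp
set firewall name LAN_LOCAL rule 10 destination port 22,443
set firewall name LAN_LOCAL rule 10 source group address-group ADMIN_HOSTS
set firewall name LAN_LOCAL rule 20 action drop
set firewall name LAN_LOCAL rule 20 protocol tcp
set firewall name LAN_LOCAL rule 20 destination port 22,443
set firewall name LAN_LOCAL rule 20 log enable
set interfaces switch switch0 firewall local name LAN_LOCAL

# 3. The router resolves for both LANs and forwards only to Quad9; the ISP's
#    resolvers learned on the WAN DHCP lease are ignored.
set service dns forwarding listen-on switch0
set service dns forwarding listen-on switch0.20
set service dns forwarding name-server 9.9.9.9
set service dns forwarding name-server 149.112.112.112
set interfaces ethernet eth0 dhcp-options name-server no-update

# 4. IoT VLAN 20: untagged ports stay in VLAN 1, eth3 also carries VLAN 20 tagged
#    (trunk to the access point), and the ER-X routes for 192.168.20.0/24.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan pvid 1
set interfaces switch switch0 switch-port interface eth2 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan pvid 1
set interfaces switch switch0 switch-port interface eth3 vlan vid 20
set interfaces switch switch0 switch-port interface eth4 vlan pvid 1
set interfaces switch switch0 vif 20 description IoT
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 lease 86400

# 5. Segmentation is the firewall, not the VLAN tag: IoT reaches the internet and may
#    answer connections the trusted LAN opened, but cannot initiate into 192.168.1.0/24.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination address 192.168.1.0/24
set firewall name IOT_IN rule 20 log enable
set interfaces switch switch0 vif 20 firewall in name IOT_IN

# 6. IoT devices may talk to the router only for DHCP and DNS; no management from that VLAN.
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 protocol udp
set firewall name IOT_LOCAL rule 10 destination port 67
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 protocol tcp_udp
set firewall name IOT_LOCAL rule 20 destination port 53
set interfaces switch switch0 vif 20 firewall local name IOT_LOCAL

commit
save
exit
```

Apply this from the admin laptop’s reserved address (or the console port): once LAN_LOCAL is committed, every other LAN host loses access to the router’s UI and SSH, which is the intended result but also the classic way to lock yourself out. Verify from a second device on the LAN and from an IoT client; `show firewall name LAN_LOCAL statistics` and `show firewall name IOT_IN statistics` in operational mode show the drop counters climbing, and the `log enable` rules write the blocked attempts to the system log so you can see which devices are trying.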

Device | User | Mobile

  • Password Manager: create and manage unique, complex passwords; the vault and all accounts should be further secured with a time-based one-time password (TOTP) application or a FIDO2 security key to enforce multi-factor authentication. Prefer FIDO2 where a service supports it: the key signs a challenge bound to the site’s origin, so a phishing page cannot replay it, whereas a TOTP code can be relayed by a phishing proxy within its validity window. Recommended password managers include 1Password and Bitwarden.

  • Web Browser: protect yourself online from tracking, fingerprinting, and advertisements. I recommend Brave; do not expect privacy from popular browsers.

Test your browser’s fingerprint and tracker protection: https://panopticlick.eff.org/ (EFF’s Panopticlick, since renamed Cover Your Tracks)

  • Search Engine: DuckDuckGo does not log your searches or tie them to you, so there is no stored search history to leak or to be profiled.

  • Encrypted Messaging Applications: to communicate outside of SMS, use an end-to-end encrypted messaging service such as Signal, so that only the two endpoints, not the carrier or the service provider, can read the content of your communications.

  • Mobile Carrier PIN: set an account PIN (port-out or number-transfer PIN) with your mobile carrier to mitigate SIM hijacking, in which an attacker social-engineers the carrier into transferring your phone number to a device they control and then receives your SMS MFA codes. Treat SMS as the weakest MFA option and move high-value accounts to TOTP or FIDO2 where possible.

  • Tails OS: for the strongest privacy and anonymity posture, a user can boot Tails from a USB stick; it routes all traffic through Tor and leaves no trace on the host machine. It is an anonymity tool for specific tasks rather than a hardening of your everyday work machine, and full details of Tails and the limitations specific to Tails, Tor, and your current threat model can be found in the documentation.

Recommended Tools

Rumble Network Discovery: created by InfoSec legend HD Moore, Rumble provides a simple interface for network discovery so you know what is actually on your network. Asset inventory is an essential foundation for security: you cannot patch, segment, or filter a device you do not know exists. *The trial version reverts to the free version for home use.

macOS Firewall: LuLu, from Objective-See, is an open source firewall for macOS that blocks unknown outbound connections until the user allows them. The built-in macOS firewall filters inbound connections only, and almost all applications and malware connect out to a remote server, so LuLu adds a layer of control and puts the first decision in the user’s hands.
